Ok I now have read Bruce's blog on the subject. The paper in question is from a group of Chinese researchers and as yet is unpublished; they have, as is customary, been circulating drafts and/or preprints privately. The group in question is reportedly an established and respected cryptanalyst team. What is reported is that there is a collision attack. The one-line summary is alarmist. It is a very, very difficult attack requiring 2**69 operations. The claim of "broken" is because a brute-force attack on SHA-1 requires 2**80 operations. Its a question of what are you protecting? Nuclear weapon launch codes never used SHA-1 to begin with, they use at least AES-256 and the codes are changed regularly. Same for other such information. I don't believe anyone encrypts sensitive compartmentalized information with SHA-1 in the first place. On our practical level, SHA-1 is fine for digital signature of SuSE RPM for at least another couple of years. I would say it is also still acceptable for credit card information for another year since credit cards expire within 3 years. On Wed, 16 Feb 2005, Polarizer wrote:
What impact does is have for our SuSE linux installations. Where is it used by default in standard packages and where by default in packages to install additionally via Yast.
We are not that mathematically inclined to evaluate that without looking at the paper...
We are eagerly awaiting Bruces and other crypto experts evaluations.
Ciao, Marcus
Sorry Marcus, this was not what i asked for at all. I wouldn't like to discuss the mathematical aspects, but the consequences of the statement
<quote>SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing</quote> [1].
Broken is broken, isn't it?
SHA-1 is used by several of the software packages provided with suse linuxes. Any sentences on this very issue from suse or any other here on the list.
The polarizer
polarizers at its best http://www.glass-polarizers.com
[1] http://www.schneier.com/blog/
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here