Mailinglist Archive: opensuse-security (256 mails)
| < Previous | Next > |
Re: [suse-security] SHA-1 broken - impact on SuSE linux versions
- From: Dana Hudes <dhudes@xxxxxxxxxxx>
- Date: Wed, 16 Feb 2005 10:01:35 -0500 (EST)
- Message-id: <Pine.LNX.4.58.0502160953580.22530@xxxxxxxxxxxxxxxxxxxx>
Ok I now have read Bruce's blog on the subject.
The paper in question is from a group of Chinese researchers and as yet is
unpublished; they have, as is customary, been circulating drafts
and/or preprints privately. The group in question is reportedly an
established and respected cryptanalyst team.
What is reported is that there is a collision attack.
The one-line summary is alarmist.
It is a very, very difficult attack requiring 2**69 operations.
The claim of "broken" is because a brute-force attack on SHA-1 requires
2**80 operations.
Its a question of what are you protecting?
Nuclear weapon launch codes never used SHA-1 to begin with, they use at
least AES-256 and the codes are changed regularly.
Same for other such information. I don't believe anyone encrypts sensitive
compartmentalized information with SHA-1 in the first place.
On our practical level, SHA-1 is fine for digital signature of SuSE RPM
for at least another couple of years.
I would say it is also still acceptable for credit card information for
another year since credit cards expire within 3 years.
On Wed, 16 Feb 2005, Polarizer wrote:
> >>What impact does is have for our SuSE linux installations. Where is
> >>it used by default in standard packages and where by default in
> >>packages to install additionally via Yast.
> >
> > We are not that mathematically inclined to evaluate that without looking
> > at the paper...
> >
> > We are eagerly awaiting Bruces and other crypto experts evaluations.
> >
> > Ciao, Marcus
>
> Sorry Marcus, this was not what i asked for at all. I wouldn't like to
> discuss the mathematical aspects, but the consequences of the statement
>
> <quote>SHA-1 has been broken. Not a reduced-round version. Not a
> simplified version. The real thing</quote> [1].
>
> Broken is broken, isn't it?
>
> SHA-1 is used by several of the software packages provided with suse
> linuxes. Any sentences on this very issue from suse or any other here
> on the list.
>
> The polarizer
>
> polarizers at its best
> http://www.glass-polarizers.com
>
> [1] http://www.schneier.com/blog/
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>
The paper in question is from a group of Chinese researchers and as yet is
unpublished; they have, as is customary, been circulating drafts
and/or preprints privately. The group in question is reportedly an
established and respected cryptanalyst team.
What is reported is that there is a collision attack.
The one-line summary is alarmist.
It is a very, very difficult attack requiring 2**69 operations.
The claim of "broken" is because a brute-force attack on SHA-1 requires
2**80 operations.
Its a question of what are you protecting?
Nuclear weapon launch codes never used SHA-1 to begin with, they use at
least AES-256 and the codes are changed regularly.
Same for other such information. I don't believe anyone encrypts sensitive
compartmentalized information with SHA-1 in the first place.
On our practical level, SHA-1 is fine for digital signature of SuSE RPM
for at least another couple of years.
I would say it is also still acceptable for credit card information for
another year since credit cards expire within 3 years.
On Wed, 16 Feb 2005, Polarizer wrote:
> >>What impact does is have for our SuSE linux installations. Where is
> >>it used by default in standard packages and where by default in
> >>packages to install additionally via Yast.
> >
> > We are not that mathematically inclined to evaluate that without looking
> > at the paper...
> >
> > We are eagerly awaiting Bruces and other crypto experts evaluations.
> >
> > Ciao, Marcus
>
> Sorry Marcus, this was not what i asked for at all. I wouldn't like to
> discuss the mathematical aspects, but the consequences of the statement
>
> <quote>SHA-1 has been broken. Not a reduced-round version. Not a
> simplified version. The real thing</quote> [1].
>
> Broken is broken, isn't it?
>
> SHA-1 is used by several of the software packages provided with suse
> linuxes. Any sentences on this very issue from suse or any other here
> on the list.
>
> The polarizer
>
> polarizers at its best
> http://www.glass-polarizers.com
>
> [1] http://www.schneier.com/blog/
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>
| < Previous | Next > |