Re: SHA-1 broken

To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: SHA-1 broken
From: Dan Harkless <bugtraq@xxxxxxxxxxxx>
Date: Thu, 17 Feb 2005 18:22:31 -0800
In-reply-to: Your message of "Thu, 17 Feb 2005 12:02:02 +1100." <b271040a050216170244e5d142@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

On February 17, 2005, Michael Cordover <michael.cordover@xxxxxxxxx> wrote:
> On Wed, 16 Feb 2005 14:56:27 +0200, Gadi Evron <gadi@xxxxxxxxxxxxx> wrote:
> > 
> > Where do we go from here?
> 
> The standard response to "where to now" seems to be Whirlpool
> [http://planeta.terra.com.br/informatica/paulobarreto/WhirlpoolPage.html].
>  That or Tiger [http://www.cs.technion.ac.il/~biham/Reports/Tiger/].

There has indeed been a lot of positive buzz about Whirlpool.  I have seen
comments, though, that Whirlpool is quite slow, but that Tiger is pretty
reasonable on 64-bit CPUs.

No doubt we'll see more analyses of these as the old standbys start to look
more and more shaky.

> The team which has cracked SHA1 is the same that cracked MD5 and
> exposed weaknesses in the RIPEMD model.  They're good.  And they've
> shown that what I would've thought to be the Next Best Thing - RIPEMD

Yeah, for instance RIPEMD-160 is the only other message digest algorithm
currently implemented in the OpenSSL library that would be worth using
(other than perhaps MDC2, which I haven't seen much discussion of -- it's
apparently a method of constructing a 128-bit output hash function out of a
block cipher -- the OpenSSL implementation uses DES).

> - is yet another flawed system.

The original RIPEMD is indeed flawed, as shown by Hans Dobbertin in '95 for
a reduced-round version and by the Chinese team for the full-round version.
However, I have not seen analysis saying that this weakness also applies to
RIPEMD-128 / RIPEMD-160 / RIPEMD-256 / RIPEMD-320
(<http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html>), the
strengthened versions which were co-developed by Dobbertin in '96, partially
in response to the weakness that he found.

Pages like The Hashing Function Lounge
(<http://planeta.terra.com.br/informatica/paulobarreto/hflounge.html>) agree
with this separation of RIPEMD vs. the RIPEMD-160 family.

-- 
Dan Harkless
http://harkless.org/dan/

References:
- Re: SHA-1 broken
  - From: Michael Cordover

Prev by Date: MDKSA-2005:044 - Updated tetex packages fix vulnerabilities on 64 bit platforms
Next by Date: Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
Previous by thread: Re: SHA-1 broken
Next by thread: Re: SHA-1 broken
Index(es):
- Date
- Thread