<<< Date Index >>>     <<< Thread Index >>>

Re: SHA-1 broken



I agree that an anaylsis of their results is nice and important, but
also I don't think that it will neccessarily lead to a new "perfect"
hashing function we can implement and forget about.

A nicer idea is to implement better code that allows us to modify our
internal hashing algorithms whenever we like, so that if (and when?)
new hashing strategies are broken (even by virtue of faster computing
power) we can adapt easily.

At least, this is the approach I'll be taking to the problem.

-- Michael


On Sat, 19 Feb 2005 00:42:56 -0500, Anatole Shaw
<shaw_bugtraq20050218@xxxxxxxxxxxx> wrote:
> Sadly, there is no magic bullet for the SHA-1 problem.  Let me say, in
> classic Bugtraq style, that I believe the "temporary workaround for this
> vulnerability" is to move to SHA-512 as quickly as possible.
> 
> NIST was going to recommend SHA-256 and SHA-512 by 2010, but for the
> security-conscious the time is now.
> 
> The "computer security response" should not be to re-jigger the hashes,
> bet on crypto tricks that haven't seen any review, and guess at the
> computational complexity of the result.
> 
> The only fix will be informed analysis of the new paper from the Chinese
> team (which hasn't even been released yet) and the informed development
> of a solid cryptographic response.
> 
> Anatole