[vox-tech] Fwd: Re: [suse-security] SHA-1 broken - impact on SuSE linux versions

wild bill hammer29 at sbcglobal.net
Wed Feb 16 19:48:34 PST 2005


From the discussion on suse-security list regarding SHA-1 
broken

----------  Forwarded Message  ----------

Subject: Re: [suse-security] SHA-1 broken - impact on SuSE 
linux versions
Date: Wednesday 16 February 2005 07:01 am
From: Dana Hudes <dhudes at tcp-ip.info>
To: Polarizer <Polarizer at codixx.com>
Cc: suse-security at suse.com

Ok I now have read Bruce's blog on the subject.
The paper in question is from a group of Chinese
 researchers and as yet is unpublished; they have, as is
 customary, been circulating drafts and/or preprints
 privately. The group in question is reportedly an
 established and respected cryptanalyst team.

What is reported is that there is a collision attack.
The one-line summary is alarmist.
It is a very, very difficult attack requiring 2**69
 operations. The claim of "broken" is because a brute-force
 attack on SHA-1 requires 2**80 operations.

Its a question of what are you protecting?
Nuclear weapon launch codes never used SHA-1 to begin with,
 they use at least AES-256 and the codes are changed
 regularly. Same for other such information. I don't
 believe anyone encrypts sensitive compartmentalized
 information with SHA-1 in the first place.

On our practical level, SHA-1 is fine for digital signature
 of SuSE RPM for at least another couple of years.
I would say it is also still acceptable for credit card
 information for another year since credit cards expire
 within 3 years.

 On Wed, 16 Feb 2005, Polarizer wrote:
> >>What impact does is have for our SuSE linux
> >> installations. Where is it used by default in standard
> >> packages and where by default in packages to install
> >> additionally via Yast.
> >
> > We are not that mathematically inclined to evaluate
> > that without looking at the paper...
> >
> > We are eagerly awaiting Bruces and other crypto experts
> > evaluations.
> >
> > Ciao, Marcus
>
> Sorry Marcus, this was not what i asked for at all. I
> wouldn't like to discuss the mathematical aspects, but
> the consequences of the statement
>
> <quote>SHA-1 has been broken. Not a reduced-round
> version. Not a simplified version. The real thing</quote>
> [1].
>
> Broken is broken, isn't it?
>
> SHA-1 is used by several of the software packages
> provided with suse linuxes. Any sentences on this very
> issue from suse or any other here on the list.
>
> The polarizer
>
> polarizers at its best
> http://www.glass-polarizers.com
>
> [1] http://www.schneier.com/blog/
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail:
> suse-security-help at suse.com Security-related bug reports
> go to security at suse.de, not here

--
Check the headers for your unsubscription address
For additional commands, e-mail:
 suse-security-help at suse.com Security-related bug reports
 go to security at suse.de, not here

-------------------------------------------------------


More information about the vox-tech mailing list