[vox] Fwd: [vox-tech] Fwd: Re: [suse-security] SHA-1 broken -
impact on SuSE linux versions
wild bill
hammer29 at sbcglobal.net
Wed Feb 16 20:53:40 PST 2005
---------- Forwarded Message ----------
Subject: [vox-tech] Fwd: Re: [suse-security] SHA-1 broken -
impact on SuSE linux versions
Date: Wednesday 16 February 2005 07:48 pm
From: wild bill <hammer29 at sbcglobal.net>
To: vox-tech at lists.lugod.org
From the discussion on suse-security list regarding SHA-1
broken
---------- Forwarded Message ----------
Subject: Re: [suse-security] SHA-1 broken - impact on SuSE
linux versions
Date: Wednesday 16 February 2005 07:01 am
From: Dana Hudes <dhudes at tcp-ip.info>
To: Polarizer <Polarizer at codixx.com>
Cc: suse-security at suse.com
Ok I now have read Bruce's blog on the subject.
The paper in question is from a group of Chinese
researchers and as yet is unpublished; they have, as is
customary, been circulating drafts and/or preprints
privately. The group in question is reportedly an
established and respected cryptanalyst team.
What is reported is that there is a collision attack.
The one-line summary is alarmist.
It is a very, very difficult attack requiring 2**69
operations. The claim of "broken" is because a brute-force
attack on SHA-1 requires 2**80 operations.
Its a question of what are you protecting?
Nuclear weapon launch codes never used SHA-1 to begin with,
they use at least AES-256 and the codes are changed
regularly. Same for other such information. I don't
believe anyone encrypts sensitive compartmentalized
information with SHA-1 in the first place.
On our practical level, SHA-1 is fine for digital signature
of SuSE RPM for at least another couple of years.
I would say it is also still acceptable for credit card
information for another year since credit cards expire
within 3 years.
On Wed, 16 Feb 2005, Polarizer wrote:
> >>What impact does is have for our SuSE linux
> >> installations. Where is it used by default in standard
> >> packages and where by default in packages to install
> >> additionally via Yast.
> >
> > We are not that mathematically inclined to evaluate
> > that without looking at the paper...
> >
> > We are eagerly awaiting Bruces and other crypto experts
> > evaluations.
> >
> > Ciao, Marcus
>
> Sorry Marcus, this was not what i asked for at all. I
> wouldn't like to discuss the mathematical aspects, but
> the consequences of the statement
>
> <quote>SHA-1 has been broken. Not a reduced-round
> version. Not a simplified version. The real thing</quote>
> [1].
>
> Broken is broken, isn't it?
>
> SHA-1 is used by several of the software packages
> provided with suse linuxes. Any sentences on this very
> issue from suse or any other here on the list.
>
> The polarizer
>
> polarizers at its best
> http://www.glass-polarizers.com
>
> [1] http://www.schneier.com/blog/
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail:
> suse-security-help at suse.com Security-related bug reports
> go to security at suse.de, not here
--
Check the headers for your unsubscription address
For additional commands, e-mail:
suse-security-help at suse.com Security-related bug reports
go to security at suse.de, not here
-------------------------------------------------------
_______________________________________________
vox-tech mailing list
vox-tech at lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
-------------------------------------------------------
More information about the vox
mailing list