Friday, May 08, 2009
SHA1 collisions now at 2^52
From the presentation of Cameron McDonald, Philip Hawkes and Josef Pieprzyk from Macquarie University and Qualcomm, Australia:
Practical collisions are within resources of a well funded organisation.
OpenPGP prepares a migration off of SHA1, stating:
Start making data signatures and web-of-trust certifications using stronger digests
NIST comments:
Federal agencies must stop relying on digital signatures that are generated using SHA-1 by the end of 2010.
A while ago I had this discussion at FedICT with some OS vendor concerning RSA 1024. I was surprised and somewhat confused that they were all discussing the cryptographic strength of RSA, while SHA1 seems to be a sitting duck. I'm not a crypto analyst myself. I'm merely scratching the surface now with some GNY logic proofs on tunneled authentication protocols and signature schemes (which is quite fun actually), but IMHO attacks on hash algorithms are more likely than anything else if you look at the attention this receives within the academic world.
To what extent are PKI infrastructures and client platforms ready to move to other hash algorithms like SHA2 or RIPEMD? How about the impact on the eID PKI? SHA1 is being used all over the place. Do we need SHA2 versions of all CA certificates? What would it bring us?
Definitely an area of interest that should be given some attention.
Anyhow, the eID Applet comes with a challenge freshness verification on the authentication signature (using SHA1, but this is not really relevant as collisions are not important here) and the digital signature operations support SHA1-RSA-PKCS1, SHA224-RSA-PKCS1, SHA256-RSA-PKCS1, SHA384-RSA-PKCS1, SHA512-RSA-PKCS1, RIPEMD128-RSA-PKCS1, RIPEMD160-RSA-PKCS1, and RIPEMD256-RSA-PKCS1. ;)
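All of those RSA-PKCS1 schemes differ only in the DigestInfo structure that PKCS#1 v1.5 wraps around the hash, and that structure is what tells a verifier which digest a signature actually commits to. As an added example (not code from this post or from the eID Applet), the following builds that DigestInfo for the digests named above, parses it back, and applies an assumed migration policy modelled on the NIST deadline quoted above, rejecting SHA-1; the RIPEMD-160 entry assumes a hashlib/OpenSSL build that still provides ripemd160.

```python
import hashlib
# Digest OIDs from RFC 3447 / RFC 4055; names follow the eID Applet scheme names above.
DIGEST_OIDS = {
    "SHA1": "1.3.14.3.2.26",
    "SHA224": "2.16.840.1.101.3.4.2.4",
    "SHA256": "2.16.840.1.101.3.4.2.1",
    "SHA384": "2.16.840.1.101.3.4.2.2",
    "SHA512": "2.16.840.1.101.3.4.2.3",
    "RIPEMD160": "1.3.36.3.2.1",  # needs an OpenSSL build that still ships ripemd160
}
# Assumed migration policy mirroring the NIST deadline quoted above: no SHA-1 signatures.
ALLOWED_AFTER_2010 = {"SHA224", "SHA256", "SHA384", "SHA512", "RIPEMD160"}

def der(tag, body):
    assert len(body) < 128  # every DigestInfo fits in short-form DER lengths
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return der(0x06, bytes(out))

def digest_info(name, data):
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING } (RFC 3447 9.2)."""
    digest = hashlib.new(name.lower(), data).digest()
    alg_id = der(0x30, encode_oid(DIGEST_OIDS[name]) + b"\x05\x00")  # NULL parameters
    return der(0x30, alg_id + der(0x04, digest))

def inspect_digest_info(blob):
    """Parse a DER DigestInfo and return (digest name, digest bytes); raise if malformed."""
    if len(blob) < 4 or blob[0] != 0x30 or blob[1] != len(blob) - 2:
        raise ValueError("not a DigestInfo SEQUENCE")
    inner = blob[2:]
    alg, rest = inner[2:2 + inner[1]], inner[2 + inner[1]:]
    if inner[0] != 0x30 or alg[0] != 0x06 or rest[0] != 0x04 or len(rest) != 2 + rest[1]:
        raise ValueError("malformed AlgorithmIdentifier or digest")
    oid = alg[:2 + alg[1]]
    names = [n for n, d in DIGEST_OIDS.items() if encode_oid(d) == oid]
    if not names:
        raise ValueError("unknown digest OID")
    return names[0], rest[2:]

def signature_digest_allowed(blob):
    """True when the digest a PKCS#1 v1.5 signature commits to is still acceptable."""
    return inspect_digest_info(blob)[0] in ALLOWED_AFTER_2010
```

A verifier that only checks the RSA padding and compares hash bytes, without looking at the OID, cannot enforce such a policy; parsing the AlgorithmIdentifier is what makes the digest choice auditable.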