Friday, May 08, 2009

 

SHA1 collisions now at 2^52

From the presentation of Cameron McDonald, Philip Hawkes and Josef Pieprzyk from Macquarie University and Qualcomm, Australia:

Practical collisions are within resources of a well funded organisation.

OpenPGP prepares a migration off of SHA1, stating:

Start making data signatures and web-of-trust certifications using stronger digests

NIST comments:

Federal agencies must stop relying on digital signatures that are generated using SHA-1 by the end of 2010.

A while ago I had this discussion at FedICT with some OS vendor concerning RSA 1024. I was surprised and some confused that they were all discussing the cryptographic strength of RSA, while SHA1 seems to be a sitting duck. I'm not a crypto analyst myself. I'm merely scratching the surface now with some GNY logic proofs on tunneled authentication protocols and signature schemes (which is quite fun actually), but IMHO attacks on hash algorithms are more likely than anything else if you look at the attention this receives within the academic world.

To what extend are PKI infrastructures and client platforms ready to move to other hash algorithms like SHA2 or RIPEMD? How about the impact on the eID PKI? SHA1 is being used all over the place. Do we need SHA2 versions of all CA certificates? What would it bring us?

Definitely an area of interest that should be given some attention.

Anyhow the eID Applet comes with a challenge freshness verification on the authentication signature (using SHA1, but this is not really relevant as collisions are not important here) and the digital signature operations support SHA1-RSA-PKCS1, SHA224-RSA-PKCS1, SHA256-RSA-PKCS1, SHA384-RSA-PKCS1, SHA512-RSA-PKCS1, RIPEMD128-RSA-PKCS1, RIPEMD160-RSA-PKCS1, and RIPEMD256-RSA-PKCS1. ;)

Comments:
Hello, could you contact me at http://sourceforge.net/users/kaidokert/ ? Tried to find your contact/email on code.google.com/eid-mw but no luck.

Just wanted to discuss a couple of smartcard development related things.
 
Good information mate. Java developers should refer this blog for such an useful contents.
 
Articles are created to express different body of knowledge. That is why I admire writers who are passionate of doing such incredible job. I salute you guys. By the way, I like you post for it is specifically talk about current issues and technicalities in life. I look forward for your subsequent post.I look forward for your next article.Thanks Marks Liferay Blog
 
Post a Comment



<< Home

This page is powered by Blogger. Isn't yours?