On Thu, Aug 24, 2006 at 07:57:07PM +0200, Sebastian Rother wrote:

> According to a report on the German news website "Heise.de", experts
> (Christian Rechberger and Christophe De Cannière) at Crypto 2006 (a
> conference) talked about at least one practical attack against SHA-1.
>
> The demonstration was made with a limited version of SHA-1, but the
> cryptographic scientists said the attack would also be practical against
> the normal version which is widely in use.
>
> Rechberger and De Cannière said that they expect an even more practical
> attack against the normal SHA-1 after some optimisations of their method.
>
> The ports system uses MD5 and SHA1, which are both now, at least for
> cryptographic experts, broken and not really trustworthy anymore.

Mmm... you didn't search the archives, did you?

> So 2 of 3 algorithms used by the ports system are in fact weak.
> Wouldn't it be about time to think about alternatives?
> Experts said that SHA-512 may raise the bar for a successful attack.
>
> I would like to request the replacement of SHA-1 with SHA-512 and to
> kick MD5 out of the ports system.
> Using RIPEMD with more bits would be useful too (RIPEMD is not
> limited to 160 bits).
>
> MD5 could get replaced with Whirlpool, which is recommended by the
> NESSIE project and which is also an ISO standard.
> Alternatives could be Tiger2 or HAVAL, which are also considered secure.
>
> I think one of the problems is that OpenSSL provides just a wide range
> of insecure hash functions like MD2/4/5, SHA and now also SHA1.
> The only algorithm considered as secure is the RIPEMD (or rmd)
> algorithm.
>
> So no matter what you'll do (as developers of OpenBSD) the question
> came up one more time, and I think some people should start looking for
> alternative hash algorithms used in the ports.
The current spate of attacks against MD5 and SHA1 is interesting and cause for concern; however, they are birthday attacks: the attacker can produce two (to a certain extent, arbitrarily chosen by the attacker) plaintexts which produce the same hash. In the ports system, however, an attacker would have to create a collision with a known plaintext (in other words, find a file that has the same hash as a known file). This is an entirely different, and much more difficult, attack.

And that completely ignores the fact that what you discover must be at least a proper gzip file, containing a proper tar archive, and probably should contain a mostly-functional version of the program. This is not currently feasible, and if it ever does become a problem, verifying all three signatures (SHA1, RIPEMD160, MD5) would very likely make the attack completely infeasible with only a minor change to the system.

(According to my reading of bsd.port.mk(5), only SHA1 is currently checked [by default; see the man page for the gory details, as always]; as seen above, this makes sense.)

However, using MD5 or SHA1 for a GnuPG signature is not necessarily a good idea; many people have switched to RIPEMD160, which does not seem to be vulnerable at this time and has very good interoperability with other PGP-ish programs.

Joachim
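Joachim's suggestion is to check every digest recorded for a distfile rather than SHA1 alone, so that a file is accepted only when all of them match. The script below is an added illustration of that fail-closed policy; it is not code from this thread or from the OpenBSD ports infrastructure. It assumes a distinfo-style manifest with one `LABEL (filename) = value` line per digest (MD5, SHA1, RMD160, SHA256, SHA512 and a SIZE line); the function names, the label-to-hashlib mapping and the sample file contents are this example's own. A file is rejected if any digest mismatches, if a required digest is missing, or if a listed algorithm cannot be computed on this system, since silently skipping a line would reintroduce the single-algorithm weakness the thread is discussing.

```python
"""Fail-closed verification of a distribution file against every digest
recorded in a distinfo-style manifest (added example, constructed data)."""
import hashlib
import hmac
import re

# Manifest labels (BSD distinfo style, an assumption of this example) -> hashlib names.
ALGO_MAP = {
    "MD5": "md5",
    "SHA1": "sha1",
    "RMD160": "ripemd160",   # may be unavailable in some OpenSSL 3 builds
    "SHA256": "sha256",
    "SHA512": "sha512",
}

# One manifest line: LABEL (filename) = hex-or-decimal value
LINE_RE = re.compile(r"^(?P<algo>[A-Z0-9]+) \((?P<file>[^)]+)\) = (?P<value>[0-9a-fA-F]+)$")


def parse_distinfo(text):
    """Return {filename: {label: value}} from a manifest; reject malformed lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed distinfo line: {line!r}")
        entries.setdefault(m["file"], {})[m["algo"]] = m["value"]
    return entries


def make_distinfo(filename, data, labels=("MD5", "SHA1", "SHA512")):
    """Build a manifest for `data` with the requested digest labels plus SIZE."""
    lines = [f"{label} ({filename}) = {hashlib.new(ALGO_MAP[label], data).hexdigest()}"
             for label in labels]
    lines.append(f"SIZE ({filename}) = {len(data)}")
    return "\n".join(lines) + "\n"


def verify_distfile(distinfo_text, filename, data, required=("MD5", "SHA1")):
    """Return (ok, report). ok is True only when every recorded line verifies,
    every required label is present, and every listed algorithm was computable."""
    recorded = parse_distinfo(distinfo_text).get(filename)
    if not recorded:
        return False, {"error": "no distinfo entry for file"}
    ok, report = True, {}
    for label, value in recorded.items():
        if label == "SIZE":
            actual = str(len(data))
        else:
            name = ALGO_MAP.get(label)
            if name is None:
                report[label] = "unknown algorithm"   # fail closed, do not skip
                ok = False
                continue
            try:
                actual = hashlib.new(name, data).hexdigest()
            except ValueError:                        # algorithm not built in
                report[label] = "unavailable"
                ok = False
                continue
        match = hmac.compare_digest(actual.lower(), value.lower())
        report[label] = "ok" if match else "MISMATCH"
        ok = ok and match
    for label in required:
        if label not in recorded:
            report[label] = "missing"
            ok = False
    return ok, report


if __name__ == "__main__":
    # Constructed sample: a fake distfile and the manifest generated for it.
    sample = b"constructed distfile contents, not a real tarball"
    manifest = make_distinfo("foo-1.0.tar.gz", sample)
    print(manifest)
    print(verify_distfile(manifest, "foo-1.0.tar.gz", sample))
    print(verify_distfile(manifest, "foo-1.0.tar.gz", sample + b"\x00"))
```

The `required` tuple expresses the policy Joachim describes: a manifest that records only one of the digests is treated as incomplete, and an attacker who controls a single hash value gains nothing unless every other recorded digest also matches.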