Sebastian Rother wrote:
> During a report of the German news website "Heise.de", experts
> (Christian Rechberger and Christophe De Cannière) at Crypto 2006 (a
> conference) talked about at least one practical attack against SHA-1.

It is De Cannière. I should know, because he was a colleague of mine for more than 3 years. The results of their attack will only be presented today during the NIST Second Cryptographic Hash Workshop: http://www.csrc.nist.gov/pki/HashWorkshop/program.htm

> The demonstration was made with a limited version of SHA-1, but
> cryptographic scientists said the attack would also be practical against
> the normal version which is widely in use.
>
> Rechberger and De Cannière said that they expect an even more
> practical attack against the normal SHA-1 after some optimisations of
> their method.

The limited version is 64 rounds out of 80. Breaking the full version will definitely require bigger time complexity. Say a few years with a few thousand computers. That is more than the release cycle of OpenBSD.

And the attack only allows 25% of the message to be freely selected; the other 75% is determined by the attack. In the case of ports the message is compressed (tar.gz), so rather random. It is highly unlikely you can find a collision of 2 almost random compressed packages. The attack could be a bit more practical if the messages are ASCII text (on heise.de they suggest HTML documents), but this is not the case.

BTW this is documented on http://www.cryptography.com/cnews/hash.html

"Q: Do these attacks allow somebody to break tools that use MD5 or SHA-1 to check for malicious binaries?
A: Not usually, as this would require a preimage attack. It would, however, be possible for someone to construct an innocuous program and a malicious program with the same hash. If this adversary could get the innocuous version on the "good" list (e.g. by having a trusted authority sign the hash value), the malicious program would also be accepted."

> The Ports-System uses MD5 and SHA1, which are both now, at least for
> cryptographic experts, broken and not really trustworthy anymore. So 2 of
> 3 algorithms used by the Ports-System are in fact weak.

Finding a collision for both MD5 and SHA-1 at the same time is completely improbable.

> Wouldn't it be about time to think about alternatives?
> Experts said that SHA-512 may raise the bar for a successful attack.
>
> I would like to request the replacement of SHA-1 with SHA-512 and to
> kick MD5 out of the Ports-System.
> Using RIPEMD with more bits would be useful too (RIPEMD is not
> limited to 160 bits).

RIPEMD-128 is not so safe either, while RIPEMD-160 should be fine for the time being. See http://www.infosec.sdu.edu.cn/paper/...pemd-attck.pdf

> MD5 could get replaced with Whirlpool, which is recommended by the
> NESSIE project and which is also an ISO standard.
> Alternatives could be Tiger2 or HAVAL, which are also considered secure.

HAVAL is not so safe either. See http://eprint.iacr.org/2004/199.pdf

Tiger2 is a rather new version of Tiger, so it has not been analysed thoroughly. However, the performance of Tiger sucks on non-64-bit processors, because it has been designed for 64 bit...

> I think one of the problems is that OpenSSL provides just a wide range
> of insecure hash functions like MD2/4/5, SHA and now also SHA1.
> The only algorithm considered secure is the RIPEMD (or rmd)
> algorithm.

OpenSSL contains a lot of other deprecated cryptographic algorithms, like RC2, RC4, DES. Don't use what is not secure.

> So no matter what you'll do (as developers of OpenBSD), the question
> came up one more time and I think some people should start looking for
> alternative hash algorithms to be used in the ports.
>
> Links for NESSIE:
> http://www.cryptonessie.org/

The NESSIE project stopped more than 3 years ago, and this was before the Wang et al. attacks were published. So the results are no longer up to date.

It is better to use the suggestions from the ECRYPT project. See http://www.ecrypt.eu.org/documents/S...H_STMT-1.1.pdf

Cheers,
Dries
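The checksum policy the reply is arguing about, as an added example that is not part of the thread and not the OpenBSD ports tree's own code: a small verifier for the BSD-style distinfo layout (`ALGO (file) = hexdigest`, `SIZE (file) = bytes`). Every digest recorded for a distfile has to match, so replacing the distfile needs a collision in all of them at once, and a separate policy list can insist that a strong digest (SHA-256 here) be present at all, so a distinfo carrying only MD5 and SHA1 is refused even when both match. The file name, file contents and the required-algorithm list are constructed; RMD160 is left out only because Python's hashlib offers it on some OpenSSL builds and not others.

```python
"""Verify a distfile against a multi-algorithm, ports-style distinfo.

Added example, not code from the thread or from the OpenBSD ports tree.
Distinfo lines use the BSD checksum layout:
    ALGO (file) = hexdigest        SIZE (file) = bytes
File names, contents and the required-algorithm policy are constructed.
RMD160 is omitted because hashlib only offers it on some OpenSSL builds.
"""
import hashlib
import hmac
import re

# Digest names as written in distinfo -> hashlib constructor names.
ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

LINE_RE = re.compile(r"^([A-Za-z0-9]+)\s*\((.+?)\)\s*=\s*(\S+)$")


def parse_distinfo(text):
    """Return {filename: {"SIZE": int, "MD5": hex, ...}}; reject malformed lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("malformed distinfo line: %r" % raw)
        algo, fname, value = m.groups()
        algo = algo.upper()
        entry = entries.setdefault(fname, {})
        entry[algo] = int(value) if algo == "SIZE" else value.lower()
    return entries


def compute_digests(data):
    """Hex digests of data under every algorithm this verifier supports."""
    return {name: hashlib.new(ctor, data).hexdigest() for name, ctor in ALGORITHMS.items()}


def make_distinfo(fname, data):
    """Produce distinfo text for constructed data, as a 'make makesum' step would."""
    lines = ["SIZE (%s) = %d" % (fname, len(data))]
    for name, digest in compute_digests(data).items():
        lines.append("%s (%s) = %s" % (name, fname, digest))
    return "\n".join(lines) + "\n"


def verify(distinfo_text, fname, data, required=("SHA256",)):
    """Return (ok, failures) for data claiming to be fname.

    ok is True only when every value recorded for fname matches the data
    (size and all digests) and every algorithm in `required` is present.
    The second rule is the point of the thread: a distinfo that carries
    only MD5 and SHA1 is refused, even if both of those match.
    """
    entry = parse_distinfo(distinfo_text).get(fname)
    if entry is None:
        return False, ["no distinfo entry for %s" % fname]
    failures = ["missing required %s" % name for name in required if name not in entry]
    actual = compute_digests(data)
    for name, expected in entry.items():
        if name == "SIZE":
            if expected != len(data):
                failures.append("SIZE mismatch")
        elif name in actual:
            # Constant-time compare; cheap hygiene even for offline checksums.
            if not hmac.compare_digest(actual[name], expected):
                failures.append("%s mismatch" % name)
        else:
            # An algorithm we cannot compute must not be skipped silently.
            failures.append("unsupported digest %s" % name)
    return not failures, failures


if __name__ == "__main__":
    name = "example-1.0.tar.gz"                     # constructed name
    good = b"constructed distfile contents\n" * 64  # constructed contents
    distinfo = make_distinfo(name, good)
    print(distinfo)
    print("genuine :", verify(distinfo, name, good))
    print("tampered:", verify(distinfo, name, good[:-1] + b"!"))
    legacy = "\n".join(l for l in distinfo.splitlines()
                       if l.startswith(("SIZE", "MD5", "SHA1 "))) + "\n"
    print("md5+sha1 only:", verify(legacy, name, good))
```

The `required` tuple is where the policy debated in the thread lives: leaving it empty reproduces the 2006 behaviour of accepting whatever digests the distinfo happens to list, while `("SHA256",)` (or `("SHA512",)`, as Sebastian proposes) makes the weak-only distinfo fail closed. Note also that a digest name the verifier cannot compute is a failure, not a skip; silently ignoring an unknown line would let an attacker strip the strong digest and rename it.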