In linux.debian.devel, you wrote:
> Worse, the existence of a practical md5(A+B+C)=md5(A+D+C) attack means
> that it's not out of the question that there're md5(A+B)=md5(C+D)
> attacks in the hands of particularly well resourced groups (which is
> worse, since the version uploaded to the archive could then be entirely
> innocent looking). Personally, I don't have any interest in making the
> NSA's job any easier, or that of other signals intelligence groups.

While this is arguably true (the NSA claims to have developed asymmetric
cryptography ten years ahead of Diffie/Hellman), it seems that nowadays
the end of the cold war and improved corporate interest have shifted
things, so I'm personally not _too_ worried about that.

>> >> Moving away from MD5 is certainly not a bad idea, but it's not clear
>> >> whether the alternatives are any better.  Sure, everyone recommends
>> >> SHA-256 at this stage, but nobody can give a rationale.
>> > MD5 is broken; SHA-1 is where MD5 was a couple of years ago, SHA256 (or
>> > higher) are significantly harder to break in practice,
>> So?  If SHA256 is so much better, why is that nobody can prove it, or
>> at least can provide some evidence which supports that claim?  "The
>> numbers are bigger" is the main argument at this point, which is
>> awfully similar to the usual snake-oil arguments (although there is a
>> slight difference, of course).
>
> SHA256 is better than SHA1 in the same way 2048 bit RSA keys are better
> than 512 bit RSA keys. MD5 is broken, and isn't extensible. SHA1 is
> fragile, but not broken, and is extensible. Do you have other
> suggestions?

I'd suggest the combination of several hash systems, e.g. RIPEMD-160, a
SHA-based algorithm and possibly Tiger.

>> > and there's nothing better yet.
>> In terms of security, there are some better hash functions.
>
> My understanding was that there aren't other hash functions that've had
> remotely similar levels of cryptographic analysis to md5 and sha. IIRC,
> the elliptic curve cryptography stuff was supposed to be similarly neat,
> until people started analysing it seriously, at which point it broke.

I'm not aware of any attacks beyond birthday attacks, which are still
infeasible for the recommended key sizes of >= 160 bits.

ECC has several patent problems, though.

Cheers,
        Moritz
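The suggestion above of combining several hash functions (RIPEMD-160, a SHA variant, Tiger) against the single-MD5 collision concern quoted earlier can be tried out with the following added example. It is not code from the thread or from Debian; it uses Python's hashlib, assumes a constructed sample file, leaves out Tiger (which hashlib does not provide), and only includes RIPEMD-160 when the local OpenSSL build can actually compute it.

```python
import hashlib
import hmac

# Constructed sample "upload"; any bytes would do, this is not a real package.
SAMPLE = b"Package: example\nVersion: 1.0\n"

# Hash functions to combine. Tiger is absent from hashlib and is omitted;
# RIPEMD-160 is kept only if the OpenSSL backend exposes it (see usable_algorithms).
PREFERRED = ("sha256", "ripemd160", "sha512")


def usable_algorithms(preferred=PREFERRED):
    """Return the subset of PREFERRED that this Python build can construct.

    hashlib.algorithms_available may list a name that the OpenSSL provider
    then refuses to build, so each one is tried rather than looked up.
    """
    usable = []
    for name in preferred:
        try:
            hashlib.new(name)
        except ValueError:
            continue
        usable.append(name)
    return tuple(usable)


def multi_digest(data, algorithms):
    """Compute one hex digest per algorithm over the same input bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify(data, expected):
    """True only if every recorded digest matches.

    A substituted file must then collide under all listed functions at once;
    a collision in one of them alone does not pass. An empty record is
    rejected so a stripped digest list cannot verify anything.
    """
    if not expected:
        return False
    actual = multi_digest(data, expected.keys())
    return all(hmac.compare_digest(actual[name], expected[name])
               for name in expected)


if __name__ == "__main__":
    algs = usable_algorithms()
    record = multi_digest(SAMPLE, algs)
    for name, hexdigest in record.items():
        print(f"{name}: {hexdigest}")
    print("original verifies:", verify(SAMPLE, record))
    print("modified verifies:", verify(SAMPLE + b"\n", record))
```

The record of digests would be what an archive publishes alongside the file; the check fails if any one of them disagrees. One caveat worth knowing when reading the "combine several hashes" suggestion: Joux (2004) showed that concatenating two iterated hash functions gives little more collision resistance than the stronger of the two, so the combination mainly guards against one function being broken outright rather than adding their strengths together.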

