Richard Lynch wrote:

Before we get a hundred posts about SHA-1 being "broken" would eveyrbody
please read:
and maybe *ALL* the contributions way down at the bottom of the original
post link?

Why do you always have to ruin our fun, Richard? Do you have something against Chicken Little? :)

You're still looking at thousands of years or millions of dollars to break SHA-1 if you want to start TODAY.

The wise reader will put "Upgrade to SHA-256" on their "ToDo" list and go
back to work now. :-)

Exactly. While I'm not sure about the time it would take to actually make use of the "exploit" found, it is certainly a long enough period of time that I'm not going to worry about it any time soon. Even with a significant increase in CPU performance it's going to be a while before this is a concern.

Though I did find the post to add meta-data such as the character distribution to the hash interesting...

I believe this is being reviewed as a possible addition to the OpenPGP standard. Then again I am no crypto expert (nor do I pretend to be, that stuff makes my head spin!). I am getting a bit OT here, but for those of you that use code that implements OpenPGP then you might want to read this:

Short version: be careful about automatically decrypting OpenPGP
messages; if you do this it is possible for your private key to be
easily compromised.

The odds on a SHA-1 being the same for two plain-texts *AND* having the same number of E's in the plain-texts? Really really really low, seems to me.

Teach a man to fish...

NEW? |

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to