thus spoke Arno Wagner <arno@xxxxxxxxxxx> [2009.07.17.1945 +0200]:
> SHA-1 is not vulnerable for this application. It may become
> vulnerable one day, but currently it is just a bad idea for
> user-generated certificates and the like, since the known
> vulnerabilities require you to control both plain texts
> and to know the hash (which you do when you have one
> plain-text).

Sure, but I am still curious. And I think it should be possible to
change the hash for new slots, which is why I filed Debian bug #537385.

> However if you really want to rip it out, you have to create new
> keys, since sha-1 is used in PBKDF2 and you cannot really reverse
> that. You do however not need to recreate the filesystem. What you
> do is to make a raw image backup of the decrypted device (not
> mounted). Then you do your new encryption, and restore that into
> the new decrypted device. Admittedly a filesystem backup and
> recreation before restore is easier. But since you have to hack
> the PBKDF2 code anyways, the backup and restore is the easy part.

This sounds painful. ;)

-- 
martin | http://madduck.net/ | http://two.sentenc.es/

"money is the crowbar of power."
- friedrich nietzsche

spamtraps: madduck.bogus@xxxxxxxxxxx