Richard Lynch wrote: ...
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
Before we get a hundred posts about SHA-1 being "broken" would eveyrbody please read: http://nuglops.com/blog/index.php?p=1021 and maybe *ALL* the contributions way down at the bottom of the original post link?
Why do you always have to ruin our fun, Richard? Do you have something against Chicken Little? :)
You're still looking at thousands of years or millions of dollars to break SHA-1 if you want to start TODAY.
The wise reader will put "Upgrade to SHA-256" on their "ToDo" list and go back to work now. :-)
Exactly. While I'm not sure about the time it would take to actually make use of the "exploit" found, it is certainly a long enough period of time that I'm not going to worry about it any time soon. Even with a significant increase in CPU performance it's going to be a while before this is a concern.
Though I did find the post to add meta-data such as the character distribution to the hash interesting...
I believe this is being reviewed as a possible addition to the OpenPGP standard. Then again I am no crypto expert (nor do I pretend to be, that stuff makes my head spin!). I am getting a bit OT here, but for those of you that use code that implements OpenPGP then you might want to read this:
http://www.pgp.com/library/ctocorner/openpgp.html
Short version: be careful about automatically decrypting OpenPGP messages; if you do this it is possible for your private key to be easily compromised.
The odds on a SHA-1 being the same for two plain-texts *AND* having the same number of E's in the plain-texts? Really really really low, seems to me.
-- Teach a man to fish...
NEW? | http://www.catb.org/~esr/faqs/smart-questions.html STFA | http://marc.theaimsgroup.com/?l=php-general&w=2 STFM | http://www.php.net/manual/en/index.php STFW | http://www.google.com/search?q=php LAZY | http://mycroft.mozdev.org/download.html?name=PHP&submitform=Find+search+plugins
Attachment:
signature.asc
Description: OpenPGP digital signature
