sarsip: "...colliding messages with two arbitrary prefixes..."
sarsip: since January
sarsip: "...two months of computations using 900...GPUs ..."
sarsip: "...attacks that have been practical on MD5 since 2009 are now practical on SHA-1..."
sarsip: Oh ok. You mean REALLY don't use SHA-1.
sarsip: SPEAK TO ME SHA-1!~
sarsip: SPEAK TO ME!!!
sarsip: I guess this is yet another way to spell ALWAYS USE HMAC and/or always prefix with length and/or always provide length out-of-band. But OK, we get the message.
sarsip: recent attacks such as this seem to rely more and more on clever computation speed-ups, more so than mathematical insights, showing perhaps that one of the main weaknesses in the public crypto community of the past has been an over-preponderance of clever mathematicians in comparison with the quantity of clever programmers
sarsip: am I right, or am I right?
sarsip: that and the increasing computational power...
sarsip: not dead, resting
sarsip: SHA-1, meet HMAC
sarsip: it was about to speak when the cock crowed
sarsip: or stone dead?
sarsip: welcome to #infoanarchy, where SHA-1 is SHA-0's headless zombie twin
sarsip: "...over and over again ... 'kill me'."
OOOOOOOOO: my doctor just called and reminded me to stop anthropomorphising cryptographic primitives. I put him back in the box with my 3 DES tokens.
OOOOOOOOO: SHA I agree
OOOOOOOOO: (porno music plays)
OOOOOOOOO: HMAC kills extension attacks, dead. Because math.
OOOOOOOOO: * For some values of dead.
OOOOOOOOO: (but actually, HMAC works every time, see math)
OOOOOOOOO: ...and afaicr you don't actually need the key, let alone any special padding of the key, to prevent the extension attack
OOOOOOOOO: (but you have to keep the internal hash result secret)
OOOOOOOOO: this works because the first hash result is a fixed length, and the external hashing is done without any place for extension to be added
OOOOOOOOO: it's so simple you have to wonder why it isn't built into the SHA standard to begin with ... caveat hax0r
OOOOOOOOO: the threat model then becomes people who can perform the attack given in the main link, plus who have a dictionary attack on a significant number of hashes of length 160 bits, and can figure out some way to combine those. add even a published key, and it becomes nigh impossible to conceive of an attack (i know, that's their day job...) ... make a secret key and ... if nobody found a backdoor in SHA1 after 25 years, who thinks there is one?
OOOOOOOOO: </devil>
OOOOOOOOO: hashing a further 160 bits costs so close to nothing as to not matter at all.
OOOOOOOOO: particularly if the alternative is to use a more expensive hash algorithm :-) SHA1 is fast, even on old hardware. newer algorithms are often fast on some hardware, and not others.
OOOOOOOOO: or panic
OOOOOOOOO: PGP v3 used raw MD5. v4 uses SHA-1 plus length.
OOOOOOOOO: Do we trust security software which demonstrates an ignorance of basic cryptographic principles, even if they fix it up later?
OOOOOOOOO: really, it's best to at least do a seeded-hash-of-a-seeded-hash, and the hardest part imho is how to not forget the seed