Getting the details right...

A C-Net story today reports:

"The excitement began Thursday with an announcement that French computer scientist Antoine Joux had uncovered a flaw in a popular algorithm called MD5, often used with digital signatures. Then four Chinese researchers released a paper that reported a way to circumvent a second algorithm, SHA-0."

Err, um. Joux announced a SHA-0 collision, while the Chinese researchers found the MD5 collision.

The attack doesn't really "circumvent" SHA-0, and it's not as if anyone actually uses the original SHA: NIST announced that it was flawed in some unspecified way and replaced it with SHA-1, which added a rotate to the message schedule for improved mixing.

The report then goes on to mention the use of MD5 by the Solaris Fingerprint Database (SFPDB), a list of MD5 hashes of officially released Solaris binaries, without clarifying that the attacks on MD5 announced yesterday are not directly relevant to the use of MD5 by the SFPDB.

The research may well be a stepping stone to a future preimage attack on MD5, but it does not put it at risk today; the research likely also will point towards newer hash functions which are resistant to known attacks.
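The distinction behind this point, as an added example that is not part of the original post: a fingerprint database publishes hashes of files the attacker did not choose, so matching an entry takes a second preimage, while a collision only needs two inputs that the attacker picks freely. The sketch uses MD5 truncated to 16 bits (a toy, so both searches finish quickly); the function names and the sample "released binary" bytes are constructed for illustration.

```python
import hashlib
from itertools import count

def toy_hash(data: bytes, bits: int = 16) -> int:
    """MD5 truncated to its top `bits` bits; a toy so the searches are fast."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)

def find_collision(bits: int = 16):
    """Both messages are free choices: birthday search, ~2**(bits/2) tries."""
    seen = {}
    for n in count(1):
        msg = b"free-choice-%d" % n
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, n      # two distinct inputs, same toy hash
        seen[h] = msg

def find_second_preimage(published: bytes, bits: int = 16):
    """One message is fixed by the publisher: exhaustive search, ~2**bits tries."""
    target = toy_hash(published, bits)
    for n in count(1):
        msg = b"candidate-%d" % n
        if msg != published and toy_hash(msg, bits) == target:
            return msg, n

if __name__ == "__main__":
    # Constructed stand-in for a file whose hash sits in a fingerprint list.
    released = b"constructed stand-in for a released binary"
    a, b, n_coll = find_collision()
    forged, n_pre = find_second_preimage(released)
    print(f"collision between two chosen inputs after {n_coll} tries: {a!r} {b!r}")
    print(f"match for the published fingerprint after {n_pre} tries: {forged!r}")
    # Neither toy result carries over to the full 128-bit digest.
    print(hashlib.md5(forged).digest() == hashlib.md5(released).digest())
```

The gap between the two try counts grows from roughly 2^8 versus 2^16 here to 2^64 versus 2^128 for an ideal 128-bit hash, which is why a collision result alone does not let anyone match an existing fingerprint entry.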

And I can't even tell what Declan meant by: "To write a specific backdoor and cloak it with the same hash collision may be much more time-intensive."

About

sommerfeld