RE: [Cfrg] Applications of target collisions: Pre or post-dating MD5-based RFC 3161 time-stamp tokens
- To: "Weger, B.M.M. de" <b.m.m.d.weger at TUE.nl>, "Steven M. Bellovin" <smb at cs.columbia.edu>, "Alfonso De Gregorio" <adg at crypto.lo.gy>
- Subject: RE: [Cfrg] Applications of target collisions: Pre or post-dating MD5-based RFC 3161 time-stamp tokens
- From: "Hallam-Baker, Phillip" <pbaker at verisign.com>
- Date: Thu, 26 Oct 2006 18:04:56 -0700
- Cc: ietf-pkix at imc.org, hash-forum at nist.gov, cryptography at metzdowd.com, cfrg at ietf.org
- List-id: Crypto Forum Research Group <cfrg.ietf.org>
One thing that always concerns me in these issues is that it appears that some people look for the commercial CAs to take a lead in declaring algorithms obsolete.
This is a very bad assumption. While commercial CAs can and do take a lead in promoting support for stronger algorithms (we have had 2048 bit roots for over 5 years) it is not our function to force people to upgrade applications by withdrawing support for crypto that may fall short of the absolute state of the art.
With the exception of the brute force attacks against DES (a product of the 70s) none of the recent theoretical advances in cryptology allow a practical attack against a real system. Even the DES attack is a pretty remote one.
Clearly these attacks are significant enough to say 'do not use these algorithms in new infrastructure you plan to use for the next 20 years'. That is not the same as saying 'throw away anything that uses it'.
It's the same thing with my 1977 MGB. It does not have anti-lock brakes or airbags. I still drive it[1] even though I would never buy a new car that did not have those fitted.
[1] OK I will drive it after I have replaced the wiring.
> -----Original Message-----
> From: Weger, B.M.M. de [mailto:b.m.m.d.weger at TUE.nl]
> Sent: Thursday, October 26, 2006 3:21 PM
> To: Steven M. Bellovin; Alfonso De Gregorio
> Cc: ietf-pkix at imc.org; hash-forum at nist.gov; cfrg at ietf.org;
> cryptography at metzdowd.com
> Subject: RE: [Cfrg] Applications of target collisions: Pre or
> post-dating MD5-based RFC 3161 time-stamp tokens
>
> Hi Steven,
>
> > So how close are we getting to first or second preimage attacks?
>
> As far as we know, not one bit closer.
> Best known attack on MD5 preimage resistance still is brute force.
>
> You may interpret our result as enlarging the applicability
> of collision attacks. In that sense the gap to preimage
> attacks has diminished. But we have no measure available to
> tell by how much.
>
> Grtz,
> Benne de Weger
>
> _______________________________________________
> Cfrg mailing list
> Cfrg at ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg