[cryptography] Should Sha-1 be phased out?

Zooko Wilcox-OHearn zooko at leastauthority.com
Fri Nov 6 13:18:31 EST 2015

On Tue, Oct 20, 2015 at 8:00 AM, Joachim Strömbergson
<Joachim at strombergson.com> wrote:
> Esp in embedded space, md5 is still very, very common even in new
> designs. And SHA-1 is the new black.
> A typical setup is that someone has found out that there is a secure
> hash function called md5 and decided to implement it in their new
> system. When told that md5 has in fact been broken for ages, the response is
> usually an at-the-moment decision that it is not used for security, and
> that the application doesn't really have any security implications (i.e.
> that the service performed by the system has no value).

Yep. Actually the post-hoc rationalization is usually that
collision-resistance isn't needed, only (2nd-)pre-image resistance.

Some of the time this is actually true, but I think the people making
the claim don't really know whether it is true. I think what they
typically do is spend 60 seconds trying to imagine how they could
attack their own system using collisions, and then having failed to
find such an attack, they conclude that collision-resistance isn't
needed for their system.

Here's one of my favorite examples of this methodology, from Linus
Torvald: http://git.vger.kernel.narkive.com/9lgv36un/zooko-zooko-com-revctrl-colliding-md5-hashes-of-human-meaningful#post2

So, my attempted contribution to this pattern was to help specify
BLAKE2, so that instead of telling people "MD5 is broken! Switch to
this secure but slower hash function!" we could tell them "MD5 is
broken! Switch to this secure but faster hash function!"


It remains to be seen if they are any more responsive to the new
argument than they have been for the last couple of decades to the old
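As a constructed illustration of the rationalization described above (added here, not part of the thread or of any project it mentions): a content-addressed store that deduplicates by digest appears to need only second-preimage resistance, yet as soon as the same party can supply both blobs, a collision lets the reviewed key serve unreviewed content. The digest is deliberately truncated to 3 bytes so the birthday search finishes in well under a second; store names and sample blobs are my own.

```python
import hashlib
import itertools

# Constructed example: SHA-1 truncated to 3 bytes so a collision is cheap to find.
# The store logic below is unchanged by digest width; only the attacker's cost is.
DIGEST_BYTES = 3


def short_digest(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()[:DIGEST_BYTES]


class ContentStore:
    """Blobs keyed by digest; a key already present means 'already have it'."""

    def __init__(self):
        self.blobs = {}

    def put(self, data: bytes) -> bytes:
        key = short_digest(data)
        self.blobs.setdefault(key, data)  # first writer wins, bytes never compared
        return key

    def get(self, key: bytes) -> bytes:
        return self.blobs[key]


def find_collision(prefix_a: bytes, prefix_b: bytes, table_size: int = 1 << 13):
    """Generic birthday search: two messages with different prefixes and the same
    short digest. Expected cost is about 2**(4*DIGEST_BYTES) hashes (2**12 here)."""
    table = {}
    for i in range(table_size):
        m = prefix_a + b"%d" % i
        table[short_digest(m)] = m
    for j in itertools.count():
        m = prefix_b + b"%d" % j
        hit = table.get(short_digest(m))
        if hit is not None:
            return hit, m


def review_then_mirror():
    """Reviewer approves a key after reading one blob; a mirror fed in a different
    order serves the colliding blob under that same approved key."""
    benign, tampered = find_collision(b"config: debug=off ", b"config: debug=on ")
    reviewer_store = ContentStore()
    approved_key = reviewer_store.put(benign)
    mirror = ContentStore()
    mirror.put(tampered)  # reaches the mirror first
    mirror.put(benign)    # deduplicated away: the mirror already "has" this key
    return approved_key, reviewer_store.get(approved_key), mirror.get(approved_key)
```

The check that is missing in every real-world version of this pattern is whether the adversary can influence both inputs; if they can, the system is relying on collision resistance whether or not its designers say so.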