l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
August 5: Social gathering
Next Installfest:
TBD
Latest News:
Jul. 4: July, August and September: Security, Photography and Programming for Kids
Page last updated:
2005 Feb 16 21:10

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
[vox] Fwd: [vox-tech] Fwd: Re: [suse-security] SHA-1 broken -impact on SuSE linux versions
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[vox] Fwd: [vox-tech] Fwd: Re: [suse-security] SHA-1 broken -impact on SuSE linux versions




----------  Forwarded Message  ----------

Subject: [vox-tech] Fwd: Re: [suse-security] SHA-1 broken - 
impact on SuSE linux versions
Date: Wednesday 16 February 2005 07:48 pm
From: wild bill <hammer29@sbcglobal.net>
To: vox-tech@lists.lugod.org

From the discussion on suse-security list regarding SHA-1
broken

----------  Forwarded Message  ----------

Subject: Re: [suse-security] SHA-1 broken - impact on SuSE
linux versions
Date: Wednesday 16 February 2005 07:01 am
From: Dana Hudes <dhudes@tcp-ip.info>
To: Polarizer <Polarizer@codixx.com>
Cc: suse-security@suse.com

Ok I now have read Bruce's blog on the subject.
The paper in question is from a group of Chinese
 researchers and as yet is unpublished; they have, as is
 customary, been circulating drafts and/or preprints
 privately. The group in question is reportedly an
 established and respected cryptanalyst team.

What is reported is that there is a collision attack.
The one-line summary is alarmist.
It is a very, very difficult attack requiring 2**69
 operations. The claim of "broken" is because a brute-force
 attack on SHA-1 requires 2**80 operations.

Its a question of what are you protecting?
Nuclear weapon launch codes never used SHA-1 to begin with,
 they use at least AES-256 and the codes are changed
 regularly. Same for other such information. I don't
 believe anyone encrypts sensitive compartmentalized
 information with SHA-1 in the first place.

On our practical level, SHA-1 is fine for digital signature
 of SuSE RPM for at least another couple of years.
I would say it is also still acceptable for credit card
 information for another year since credit cards expire
 within 3 years.

 On Wed, 16 Feb 2005, Polarizer wrote:
> >>What impact does is have for our SuSE linux
> >> installations. Where is it used by default in standard
> >> packages and where by default in packages to install
> >> additionally via Yast.
> >
> > We are not that mathematically inclined to evaluate
> > that without looking at the paper...
> >
> > We are eagerly awaiting Bruces and other crypto experts
> > evaluations.
> >
> > Ciao, Marcus
>
> Sorry Marcus, this was not what i asked for at all. I
> wouldn't like to discuss the mathematical aspects, but
> the consequences of the statement
>
> <quote>SHA-1 has been broken. Not a reduced-round
> version. Not a simplified version. The real thing</quote>
> [1].
>
> Broken is broken, isn't it?
>
> SHA-1 is used by several of the software packages
> provided with suse linuxes. Any sentences on this very
> issue from suse or any other here on the list.
>
> The polarizer
>
> polarizers at its best
> http://www.glass-polarizers.com
>
> [1] http://www.schneier.com/blog/
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail:
> suse-security-help@suse.com Security-related bug reports
> go to security@suse.de, not here

--
Check the headers for your unsubscription address
For additional commands, e-mail:
 suse-security-help@suse.com Security-related bug reports
 go to security@suse.de, not here

-------------------------------------------------------
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech

-------------------------------------------------------
_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.