IMHO, this is a major news item, but does not warrant any action on any
administrator's part today.
The Schneier letter cited that SHA1 has been broken down to 2^69 strength.
I have not yet looked over the paper itself as it is not public, but just
for reference, MD5 only provides 2^64 strength (pre-weakening), so weakened
SHA1 is still a good option. 2^69 is still beyond our ability to brute
force. I repeat, no one has been able to publicly test a key space as large
as 2^69 in polynomial time. Additionally, as James pointed out, the
hmac-sha1 construct is not affected by this so you are still safe using it.
Collisions are not a big deal when you are appending a key to the front of
the message.
The real concern here is that SHA1 is starting to leak, and will most likely
continue to leak. You can expect to see the 2^69 key space shrink over the
next few years. So, today, I don't think you need to do anything. However,
it is past time for the community to get serious about developing a new hash
algorithm. Another AES type contest sounds like just the thing we need.
For alternatives, in the near term you can look to SHA256, SHA384, SHA512.
They will stretch out the key space and prolong the inevitable demise of the
SHA-like algorithms, by a good bit. Hopefully these will show up in TLS
sooner rather than later, but to be clear, they will be weakened by these
techniques as well. Remember though, weakening something to 2^100 does not
render it unusable. We are still not able to brute force anything near that
size with current technology.
This is a big news item in the world of cryptography, but it is a small news
item in the world of everyday practical security.
Charlie
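As an added illustration of the two points above (it is not code from this thread or from OpenVPN itself), the sketch below computes the HMAC tag OpenVPN's --auth style of authentication relies on, where the key is mixed into the hash rather than the hash being taken over the bare message, and reports the generic birthday-bound collision strength that moving from SHA1 to the SHA-2 digests buys. The key and packet bytes are constructed sample values.

```python
import hashlib
import hmac

# Digest names one could hand to --auth; all are available in hashlib.
AUTH_CANDIDATES = ("sha1", "sha256", "sha384", "sha512")


def generic_collision_bits(digest_name: str) -> int:
    """Generic (birthday-bound) collision strength in bits for an n-bit
    digest: 2^(n/2). Dedicated attacks, like the one discussed in the
    thread for SHA1, can only lower this figure."""
    return hashlib.new(digest_name).digest_size * 8 // 2


def packet_tag(digest_name: str, key: bytes, packet: bytes) -> bytes:
    """HMAC tag over a packet. HMAC keys the hash on both the inner and
    outer pass, so an attacker who can find collisions in the bare hash
    still cannot produce a tag without the key."""
    return hmac.new(key, packet, digest_name).digest()


def verify_tag(digest_name: str, key: bytes, packet: bytes, tag: bytes) -> bool:
    """Constant-time comparison of a received tag against a recomputed one."""
    return hmac.compare_digest(packet_tag(digest_name, key, packet), tag)


def strength_report() -> dict:
    """Map each candidate digest to its generic collision strength in bits."""
    return {name: generic_collision_bits(name) for name in AUTH_CANDIDATES}


if __name__ == "__main__":
    # Constructed sample values, not real OpenVPN key material or traffic.
    sample_key = b"constructed-32-byte-sample-key!!"
    sample_packet = b"constructed tunnel packet payload"
    for name in AUTH_CANDIDATES:
        tag = packet_tag(name, sample_key, sample_packet)
        print(f"{name:7s} generic collision bound 2^{generic_collision_bits(name)},"
              f" tag {len(tag) * 8} bits: {tag.hex()[:16]}...")
    tampered = sample_packet[:-1] + b"?"
    print("tampered packet verifies:",
          verify_tag("sha1", sample_key, tampered,
                     packet_tag("sha1", sample_key, sample_packet)))
```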
-----Original Message-----
From: openvpn-users-***@lists.sourceforge.net
[mailto:openvpn-users-***@lists.sourceforge.net] On Behalf Of Whit
Blauvelt
Sent: Wednesday, February 16, 2005 9:21 AM
To: openvpn-***@lists.sourceforge.net
Subject: Re: [Openvpn-users] Schneier saying that SHA1 has been broken
Post by James Yonan:
In any case, OpenVPN is flexible enough that you can choose any other
secure hash supported by OpenSSL using the --auth directive. SHA1 is the
default, but it's not hardcoded. SSL/TLS may be another story though.
Does anyone have a recommendation from among the alternatives? Do any of
them have platform-specific issues? Is one of them cryptographically sexier
than the rest, by present reputation?
Whit
_______________________________________________
Openvpn-users mailing list
Openvpn-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users