|
WebApp Sec
mailing list archives
Re: MD5 math question
From: Tim <tim-security () sentinelchicken org>
Date: Sat, 7 Jan 2006 09:26:14 -0500
Nopes. Or I bought the propaganda saying "an incorrect implementation of
SHA1 has been broken". Shame on me either way. So what are we left with?
SHA-<lots-of-numbers-higher-than-1> ?
Ah, yeah... There was some sort of f-up with the implementation. They
were able to quickly fix that and show that their methods still work
with the real thing.
Well, there's SHA-{224,256,384,512}[1], but those are all built on the
same math as SHA-1. They are almost surely more difficult to break,
with respect to collisions, than SHA-1, but it's still hard to trust
them.
Some alternatives are Tiger and Whirlpool, but I don't know if these
have had enough scrutiny yet to be trusted. NIST recently hosted a
workshop[2] on the issues of replacing SHA-1, and they have some
presentation slides online[3] which may be helpful.
cheers,
tim
1. http://csrc.nist.gov/cryptval/shs.htm
2. http://www.csrc.nist.gov/pki/HashWorkshop/index.html
3. http://www.csrc.nist.gov/pki/HashWorkshop/program.htm
-------------------------------------------------------------------------------
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
-------------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
FW: RE: MD5 math question Vipul Kumra (Jan 04)
RE: MD5 math question Navroz Shariff (Jan 04)
RE: MD5 math question Jeff Robertson (Jan 07)
|
Intro
