Security team successfully cracks SSL using 200 PS3's and MD5 flaw.
Steven M. Bellovin
smb at cs.columbia.edu
Fri Jan 2 23:07:48 UTC 2009
On Fri, 2 Jan 2009 16:51:53 -0600
Skywing <Skywing at valhallalegends.com> wrote:
> Of course, md5 *used* to be good crypto.
>
See http://www.cs.columbia.edu/~smb/blog/2008-12/2008-12-30.html for
the links, but MD5 has been suspect for a very long time.
Dobbertin found problems with it in 1996. The need for caution with it
was not just knowable but known, and stated publicly. I'm sure others
did so as well; I can only easily quote my own works. From the second
edition of my Firewalls book, in 2003:
Additionally, \i{SHA} has replaced \i{MD5}, as the latter
appears to be weaker than previously believed.
and
Hints of weakness have shown up in MD5 and RIPEMD-160; cautious
people will eschew them, though none of the attacks are of use
against either function when used with HMAC\@.
As of this writing, the \i{NIST} algorithm appears to be the
best choice. For many purposes, the newer versions of SHA are
better; these have block sizes ranging from 256 to 512 bits.
Even if that were not enough, Wang et al presented the actual
collisions in 2004. There have been many updates and patches to more
or less everything since then...
Yes -- if you pick something that's very weak, you can get caught by
surprise. But modern algorithms don't fall all at once.
I should add, of course, that if you use bad algorithms or bad
protocols, it doesn't matter where you store the public key. When I
said that the update problem was easier, what I was saying is that
you're not relying on outside parties for verification of identity,
etc., it's all your own data.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG
mailing list