Security team successfully cracks SSL using 200 PS3's and MD5
morrowc.lists at gmail.com
Sat Jan 3 17:31:53 UTC 2009
On Sat, Jan 3, 2009 at 10:49 AM, Steven M. Bellovin <smb at cs.columbia.edu> wrote:
> On Sat, 03 Jan 2009 09:35:06 -0500
> William Warren <hescominsoon at emmanuelcomputerconsulting.com> wrote:
>> Everyone seems to be stampeding to SHA-1..yet it was broken in 2005.
>> So we trade MD5 for SHA-1? This makes no sense.
> (a) SHA-1 was not broken as badly. The best attack is, as I recall,
> 2^63, which is computationally infeasible without special-purpose
special purpose? or lots of commodity? like the Amazon-EC2 example
used in the cert issue? (or PS3s or...)
> (b) Per a paper Eric Rescorla and I wrote, there's no usable
> alternative, since too many protocols (including TLS) don't negotiate
> hash functions before presenting certificates. In particular, this
> means that a web site can't use SHA-256 because (1) most clients won't
> support it; and (2) it can't tell which ones do. (Note that this
> argument applies just as much to combinations of hash functions --
> anything that *the large majority of today's* browsers don't implement
> isn't usable.)
This is a function of an upgrade (firefox3.5 coming 'soon!') for
browsers, and for OSes as well, yes? So, given a future flag-day (18
months from today no more MD5, only SHA-232323 will be used!!)
browsers for the majority of the market could be upgraded. Certainly
there are non-browsers out there (eudora, openssl, wget,
curl..bittorrent-clients, embedded things) which either will lag more
or break altogether.
> These two points lead us to (c): security is a matter of economics, not
> algorithms. Switching now to something else loses more in connectivity
> or customers than you would lose from such an expensive attack.
only if not staged out with enough time to roll updates in first, right?
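To make the staged-rollout question above concrete, here is an added example (not from this thread or from any project it mentions): a small Python helper that reads the signature algorithm out of a certificate's outer DER structure, so an operator can inventory which certificates are still MD5- or SHA-1-signed before a flag day. The DER walker and the certificate-shaped sample bytes are my own construction; the OIDs are the standard PKCS#1 ones.

```python
# OIDs for RSA PKCS#1 signature algorithms (RFC 3279 / RFC 4055)
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def der_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                      # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + ln], pos + ln

def decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends a base-128 arc
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def signature_algorithm(cert_der):
    """Name (or dotted OID) of the algorithm in the certificate's outer signatureAlgorithm."""
    _, cert, _ = der_tlv(cert_der)        # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, _, pos = der_tlv(cert)             # skip tbsCertificate
    _, alg, _ = der_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = der_tlv(alg)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

# Constructed sample input (not a real certificate): empty tbsCertificate, a real
# AlgorithmIdentifier encoding, and a placeholder BIT STRING for the signature.
def fake_cert(oid_bytes):
    tlv = lambda tag, v: bytes([tag, len(v)]) + v   # short-form lengths only
    tbs = tlv(0x30, b"")
    alg = tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

MD5_CERT = fake_cert(bytes.fromhex("2a864886f70d010104"))     # 1.2.840.113549.1.1.4
SHA256_CERT = fake_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for label, cert in (("md5", MD5_CERT), ("sha256", SHA256_CERT)):
        print(label, "->", signature_algorithm(cert))
```

On a real certificate, feed `signature_algorithm()` the DER bytes (e.g. the output of `ssl.PEM_cert_to_DER_cert()`); the long-form length handling covers the sizes real tbsCertificate structures have.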