Securely downloading Ubuntu
Neal McBurnett
neal at bcn.boulder.co.us
Tue Jan 29 21:35:04 UTC 2008
On Tue, Jan 29, 2008 at 02:48:44PM +0100, krstic at solarsail.hcs.harvard.edu wrote:
> On Jan 29, 2008, at 1:16 PM, Colin Watson wrote:
> > Do you know what the state of cryptanalytic research is on
> > Whirlpool? My
> > concern is that the MD5/SHA family, for all its faults, has been
> > extremely extensively cryptanalysed, and at least we know where we
> > stand, while the other families are still relatively unknown.
>
> That's correct. Whirlpool is AES-based, which is slightly reassuring,
> but its designers have to my knowledge never presented it in an
> academic conference; even so, it passed quite some scrutiny when it
> was submitted to (and subsequently selected by) the NESSIE project.
> For high-security applications, combining a SHA-2 variant and either
> RIPEMD-160 or Whirlpool is sufficient to satisfy even the
> professionally paranoid among us. I chose a SHA-256+Whirlpool
> combination for signature verification in the OLPC firmware.
Offhand, this sounds like the right approach to me. Opinions will
be volitile for the next several years with the focus on the field
and the ongoing NIST Hash Algorithm Competition
http://csrc.nist.gov/groups/ST/hash/
On Tue, Jan 29, 2008 at 02:36:41PM +0100, krstic at solarsail.hcs.harvard.edu wrote:
> On Jan 28, 2008, at 5:28 PM, Neal McBurnett wrote:
> >Cryptographers are nervous about not only MD5, but also all the
> >functions in the same class, which includes SHA-1 and SHA-256. The
> >latter ones use more bits and thus have more life in them than MD5
>
> This is an oversimplification. The SHA-2 family is not merely a longer
> SHA-1; while closely based on SHA-1, the SHA-2 compression function is
> different enough that the resulting hashes are much stronger, and
> practical attacks on SHA-2 are considered unlikely in at least the
> next ten years.
Yes, definitely an oversimplification :-) But Arjen Lenstra, one of
the folks involved in finding holes in the current set of hash
functions, disagreed when he spoke at our workshop 2 years ago. His
.ppt is online:
http://middleware.internet2.edu/pki05/proceedings/#lenstra-hashing_crypto
He characterizes the changes in SHA-2 as "tweaks" on the same
iterative design that both MD5 and SHA-1 use, and emphasizes that
we've there is a lot of fundamental stuff about designing hashes that
we don't really understand yet. Others probably disagree and I
haven't gotten a recent update, but the nature of this field is
that attacks come suddenly and can have big impacts, so I would be
more cautious, and I think we agree that two relatively diverse hashes
like sha-256 and whirlpool would be prudent.
-Neal
More information about the Ubuntu-devel-discuss
mailing list