Re: [Full-disclosure] MD5 algorithm considered toxic (and harmful)



I agree! It should be changed and i have no idea why people still use it!

On Dec 1, 2007 4:20 PM, Steven Adair <steven@xxxxxxxxxxxxxxxx> wrote:



There you have it. Surely a GPL'd tool implementing this attack style
will be available shortly. And since Chinese researchers have been
attacking SHA-1 lately, should SHA-256 be considered the proper
replacement? I am unsure :-(

Yes, it would probably be a good idea. I think this link has been put out
on this list in the past with respect to discussion on SHA-1:

http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

NIST might not be the bible to you on what to follow and implement, but
they are definitely worth listening to (even if you're not a U.S. Federal
agency) when they tell you not to use something anymore. For those that
don't want to click and just want to read, here's the relevant parts:

----

March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,
SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
applications using secure hash algorithms. Federal agencies should stop
using SHA-1 for digital signatures, digital time stamping and other
applications that require collision resistance as soon as practical, and
must use the SHA-2 family of hash functions for these applications after
2010. After 2010, Federal agencies may use SHA-1 only for the following
applications: hash-based message authentication codes (HMACs); key
derivation functions (KDFs); and random number generators (RNGs).
Regardless of use, NIST encourages application and protocol designers to
use the SHA-2 family of hash functions for all new applications and
protocols.

----

Steven
http://www.securityzone.org

--
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
http://search.goldwatches.com/?Search=Movado+Watches
http://www.jewelerslounge.com
http://www.goldwatches.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [Full-disclosure] MD5 algorithm considered toxic (and harmful)
    ... on this list in the past with respect to discussion on SHA-1: ... SHA-384 and SHA-512) may be used by Federal agencies for all ... applications using secure hash algorithms. ... must use the SHA-2 family of hash functions for these applications after ...
    (Full-Disclosure)
  • [RAZOR] Problems with mkstemp()
    ... A common practice of installing 'tmpwatch' utility or similar software ... compromise secure temporary file creation mechanisms in certain applications, ... susceptible to the attack. ... safe against hijacking and common races. ...
    (Bugtraq)
  • [VulnWatch] [RAZOR] Problems with mkstemp()
    ... A common practice of installing 'tmpwatch' utility or similar software ... compromise secure temporary file creation mechanisms in certain applications, ... susceptible to the attack. ... safe against hijacking and common races. ...
    (VulnWatch)
  • [Full-Disclosure] [RAZOR] Problems with mkstemp()
    ... A common practice of installing 'tmpwatch' utility or similar software ... compromise secure temporary file creation mechanisms in certain applications, ... susceptible to the attack. ... safe against hijacking and common races. ...
    (Full-Disclosure)
  • [Full-Disclosure] [RAZOR] Problems with mkstemp()
    ... A common practice of installing 'tmpwatch' utility or similar software ... compromise secure temporary file creation mechanisms in certain applications, ... susceptible to the attack. ... safe against hijacking and common races. ...
    (Full-Disclosure)