Re: Summary of Bit-Level SHA Discussion
From: Brian Gladman (brg_at_nowhere.at.all)
Date: 01/11/04
Date: Sun, 11 Jan 2004 10:15:25 -0000
"Mark Shelor" <mshelor@comcast.removeme.net> wrote in message
news:WqKdnSRTve1rjpzd4p2dnA@comcast.com...
> Brian Gladman wrote:
>
> > And when you describe such measures as paranoid, the only conclusion I can
> > draw from this is that you lack the experience necessary to understand why
> > such an assessment is badly flawed. And, as I said earlier, I am used to
> > this.
> Brian,
>
> I know you've had difficulty defending your position, but resorting to
> ad-hominem attacks won't help. If you have a real (i.e. technical)
> point to make, I kindly request that you make it.
I have no difficulty in defending my position.
> Your categorical criticism of bit-level hashing, on the grounds that it
> introduces "non-specific security vulnerabilities", is neither
> insightful nor helpful.
You know my point well so I don't need to repeat it. It is not helpful for
you but it might help others to understand where vulnerabilities may exist in
applications. Personally I take this as obvious so I agree that it is not
in the least insightful but it is clear from the reactions of others that
some are unaware that this sort of vulnerability is real in some situations.
> make no effort whatsoever to suggest what these vulnerabilities might
> be, so that some sort of sensible analysis could be performed to
> determine their possible scope and severity.
I don't make the effort to spell out all the reasons for this because those
who have the experience to understand it will consider it so obvious that it
is not worth saying. And those who cannot appreciate it will need far too
much background to be brought to the point where they can. But the people
between these two extremes may find it useful to know that this
'feature' of applications can be exploited.
> Most importantly though, as already pointed out now by several other
> respondents, your criticism is actually directed at the SHA standard
> itself, not just at BIT implementations. In order to make the standards
> committee listen to you, you'll need to come up with something more
> substantial than "non-specific security vulnerabilities". And, one
> piece of advice: if you want the committee to take you seriously, I
> suggest you not use similar ad-hominem attacks against them.
I am not attacking you. I am simply drawing a conclusion from your belief
that the elimination of unused functionality (dead code) in a critical
security application could be described as a 'paranoid' thing to do. I
don't think either of us is irrational so I conclude that our domains of
security experience cannot overlap. And, as I have also pointed out
before, I have no problem with the SHA standards as they now are.
My point is a simple one (even 'obvious') - implemented but unused
functionality in a high end security application is a potential source of
security vulnerabilities that would not be present if this functionality was
removed.
I make no wider point than this. If others disagree, so be it.
Brian Gladman