From: Bogdan Sass (bogdan.sass@catc.ro)
Date: Wed Dec 31 2008 - 06:24:20 ARST
Joseph Brunner wrote:
> Um, and what version of SHA does Cisco use?
>
> http://www.webpronews.com/topnews/2005/02/21/sha-encryption-algorithm-cracked
>
> oh, well on to SHA-2 and TWOFISH then huh?
>
Sensationalist headlines aside, SHA1 has not _yet_ been broken. The
research mentioned there refers to an attack that can bring the
complexity of a collision attack from 2^80 to 2^69. Which is still
computationally infeasible today (or, as Schneier puts it, "at the edge
of feasibility").
http://www.techworld.com/security/news/index.cfm?NewsID=3156
http://www.techworld.com/security/features/index.cfm?featureid=1213
However, this leaves SHA1 exactly where MD5 was a couple of years
ago (the first collision attacks on MD5 were described in 2004, IIRC).
Which means SHA1 might still be secure for a short while, but very soon
we will need to move on to stronger hash algorithms (NIST recommends
that SHA1 should be phased out by 2010).
The question is: which stronger algorithms? As far as I know, we
have no proven strong hash algorithms.
* SHA-2 (which includes SHA-256, SHA-384, SHA-512) is just an
  extension of SHA-1 - which makes it plausible that a critical flaw
  discovered in SHA-1 will also affect SHA-2.
* Twofish is (from what I recall) a symmetric cipher, not a hash
  function.
* other algorithms might be more secure, but lack support in
  hardware/software (how many IOSs have you seen that support Tiger hash,
  for example?)
For a while now I have been quoting people saying that we need
another competition just like the one in 1997 (when AES was born) - but
this time for hash algorithms. Well, it looks like it is finally
happening - and not a moment too soon!
http://www.wired.com/politics/security/commentary/securitymatters/2008/11/securitymatters_1120
--
Bogdan Sass
CCNP, CCSP, JNCIA-ER, CCIE #22221 (RS)
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"

Blogs and organic groups at http://www.ccie.net