> A cryptographer friend of mine recently attended the NIST Hallowe'en
> Hash Bash (http://www.csrc.nist.gov/pki/HashWorkshop/index.html), and
> made a few notes in his blog:
>
> http://www.livejournal.com/users/sevenstring/7326.html
>
> His suggestion there was "stick to SHA2 (or maybe Whirlpool) for now".
> Did anyone else here attend this workshop?
I attended, and the message I got was: use SHA-256 (or SHA-512 if you want to be cautious) for new applications, but consider it to be an interim solution for the 5-10 year timeframe until something better is devised, and have the agility to switch to that "something better" when it comes; most importantly, stop using MD5 ASAP.

Regarding your friend's suggestion to "stick with SHA2 (or maybe Whirlpool) for now", what I wrote in my notes was:

* Asked about which two functions would be best to use in parallel, suggestions were SHA-256+(Whirlpool/Tiger). One of the panelists explained, though, that using two different hash functions and concatenating the output yields a result which is not significantly more secure than either of the functions by itself.

And the SHA family of functions was the predominant topic of the workshop; others, such as Whirlpool, were mentioned only occasionally.

Some choice quotes from Niels Ferguson:

"SHA-1 is a wounded fish in shark-infested waters."

"Switch away from SHA-1 as soon as you can, but switch away from MD5 first."

It's true that MD5 and SHA-1 are still acceptable for certain uses where the current attacks aren't a threat, but Ferguson argued that it's much easier and safer to replace them entirely than to try to analyze which uses are still OK.

Also from my notes: SHA-1 is OK for ephemeral uses, but not for non-repudiation and certification -- essentially, if it matters that the signature be verified by a third party, not just the recipient, avoid SHA-1.

Some people wanted NIST to specify an approximate target year for a hash standard to be issued, like they did for AES. Bruce Schneier said we don't know hashing well enough, like we knew about block ciphers for AES, and recommended that we "wait ten years".

Several people requested that NIST publish the design criteria with which SHA-1 was designed, but I don't remember hearing a definitive answer to that.

(Note that I'm not a cryptographer; I attended simply as an interested individual.)

-- 
Mike Paul <[EMAIL PROTECTED]>
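The message above recommends treating SHA-256 as an interim choice and having "the agility to switch" later, and it also argues for retiring MD5 and SHA-1 outright rather than auditing each use. The following is an added example, not code from the thread or from any of the people quoted in it, showing one way to build that agility into an application: every stored digest carries its algorithm name, verification still works for legacy records, and the verifier reports which records need recomputing with the current preferred algorithm. The tag format (`algo$hex`), the algorithm policy, and the sample records are my own assumptions for illustration.

```python
"""Hash-agile digest tagging (added example; assumptions are mine).

Each stored digest is self-describing: "<algorithm>$<hexdigest>".  That
lets the verifier accept records written under an older algorithm while
refusing to create new ones with it, and lets a migration pass re-tag
legacy records once their contents have been re-verified.
"""
import hashlib
import hmac

PREFERRED = "sha256"                 # algorithm used for all new digests
CURRENT = {"sha256", "sha512"}       # algorithms approved for new digests
LEGACY = {"md5", "sha1"}             # verify-only, flagged for upgrade
ACCEPTED = CURRENT | LEGACY          # everything the verifier understands


def tag_digest(data: bytes, algo: str = PREFERRED) -> str:
    """Digest `data` and return the tagged form "algo$hex".

    Only algorithms in CURRENT may be used for new digests; asking for a
    legacy algorithm is a policy violation, not a fallback.
    """
    if algo not in CURRENT:
        raise ValueError(f"{algo} is not approved for new digests")
    return f"{algo}${hashlib.new(algo, data).hexdigest()}"


def parse_tag(tagged: str) -> tuple[str, str]:
    """Split "algo$hex" into its parts, rejecting unknown algorithms."""
    algo, sep, hexdigest = tagged.partition("$")
    if not sep or algo not in ACCEPTED:
        raise ValueError("unrecognised or unsupported digest tag")
    return algo, hexdigest


def verify(data: bytes, tagged: str) -> tuple[bool, bool]:
    """Return (matches, needs_upgrade).

    `needs_upgrade` is True only when the record verified correctly but
    was written under a legacy algorithm, so the caller can re-tag it.
    """
    algo, expected = parse_tag(tagged)
    actual = hashlib.new(algo, data).hexdigest()
    matches = hmac.compare_digest(actual, expected)  # constant-time compare
    return matches, matches and algo in LEGACY


def migrate(data: bytes, tagged: str) -> str:
    """Re-tag a legacy record with PREFERRED; leave current ones unchanged.

    A record that fails verification is never silently re-tagged, since
    that would launder an already-tampered value into the new format.
    """
    matches, needs_upgrade = verify(data, tagged)
    if not matches:
        raise ValueError("digest mismatch; refusing to re-tag")
    return tag_digest(data) if needs_upgrade else tagged


# Constructed sample records: the same payload stored under three
# different algorithms, as a migration pass would encounter them.
SAMPLE_DATA = b"hello"
SAMPLE_RECORDS = [
    "md5$5d41402abc4b2a76b9719d911017c592",
    "sha1$aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
    "sha256$2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
]


def migration_report(data: bytes, records: list[str]) -> list[tuple[str, str]]:
    """For each record, return (original_tag, migrated_tag)."""
    return [(r, migrate(data, r)) for r in records]


if __name__ == "__main__":
    for before, after in migration_report(SAMPLE_DATA, SAMPLE_RECORDS):
        status = "upgraded" if before != after else "unchanged"
        print(f"{status:9} {before.split('$')[0]:7} -> {after.split('$')[0]}")
```

The point of the tag is that the verifier, not the caller, decides what "legacy" means: moving from SHA-256 to whatever replaces it later is a change to `PREFERRED`, `CURRENT` and `LEGACY` plus a migration pass, with no change to the stored record layout or to the code paths that read it.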