> As for Certificate Authorities, quis custodiet ipsos custodes? Google LOL. https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Paul Gilmartin Sent: Wednesday, April 4, 2018 3:53 PM To: [email protected] Subject: Security (was: Software Delivery on Tape ...) On Wed, 4 Apr 2018 17:34:45 -0500, Walt Farrell wrote: > >Of course, you want a checksum method that is strong enough that an attacker >can't create a modified file that will have the same checksum. SHA-1 is no >longer strong enough to guarantee that, from what I've read. SHA-2 should be >strong enough. > That would be a preimage attack. I believe https://crypto.stackexchange.com/questions/53638/feasible-pre-image-attacks-against-reduced-sha-1 ... doubts the feasibility of a preimage attach on SHA-1. And even https://security.stackexchange.com/questions/170789/md5-preimage-vulnerability-in-2017 ... seems to say that MD5 is susceptible largely for short passwords. Mitigation is either longer passwords or slower encryption algorithms. If the password is shorter than the key, it's quicker to do an exhaustive search of passwords than of keys. Access to the database of encrypted passwords facilitates the attack. As for Certificate Authorities, quis custodiet ipsos custodes? -- gil ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
