Victor Duchovni wrote (ironically, just a week ago):

> No, it is the protocol design (how all the pieces fit together), not the
> specific algorithms that make it secure (yes the pieces have to have
> the right general properties, but this is secondary).

I can't resist pointing out how today's news has made my point:
http://www.win.tue.nl/hashclash/rogue-ca/

MD5 has the right general properties, but the protocol design failed. Why?
Because it used an unsuitable algorithm.

> > If we want secure compare by hash, then almost any sync protocol that
> > uses SHA-256 will be fine but almost any that uses MD5 will not. Why?
> > Because SHA-256 is good for compare by hash and MD5 is not. Any protocol
> > that's not brain-damaged that uses SHA-256 will work, and any that uses
> > MD5 will not.

> MD5 is (still) vastly stronger (no known second-preimage attacks) in most
> applications than the weakest parts in real security systems. Spending
> time choosing between MD5 and SHA1 is in most cases a waste of time. Sure,
> use SHA1, it is best practice to do so, but this is extremely likely to
> have any positive impact on the security of the system in question:

You still think so?

As I said:
>> When we have a set of security requirements, the first thing
>> we do is select the algorithms that meet those requirements,
>> then we look for protocols that implement them.

SSL uses MD5 for compare-by-hash. MD5 is broken for compare-by-hash in a
situation where an attacker knows the correct input and can choose his own
input.

My point is not that this particular break is the end of the world or that
people should disable MD5 right now. Victor was certainly right when he
said:

> If leaving MD5 enabled improves interoperability, leave it enabled...

My point is that the first thing you should do after figuring out your
threat model and requirements is investigate the algorithms that can defeat
that threat model and meet those requirements. Then look for a protocol that
implements those algorithms.

DS
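The compare-by-hash failure described above, as an added example that is not part of the original post or of OpenSSL's own code. The two 128-byte messages are the published Wang et al. MD5 collision pair, embedded as test data rather than computed here; the function names and the appended suffix are this example's own choices. The chosen-prefix collision used against the CA is a harder construction than this identical-prefix pair and is not reproduced, but the protocol-level point is the same: a verifier that compares digests, never the inputs, accepts two different inputs as the same thing whenever the attacker can choose both, and because MD5 is Merkle-Damgard, anything appended after the colliding blocks keeps them colliding.

```python
import hashlib

# Published MD5 collision pair (Wang et al., 2004). Two distinct 128-byte
# messages with equal MD5 digests, embedded here as test data; this script
# does not search for collisions itself.
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def digest(algorithm, data):
    """Digest `data` with a hashlib algorithm name such as 'md5' or 'sha256'."""
    return hashlib.new(algorithm, data).digest()


def same_by_hash(algorithm, trusted, presented):
    """Compare-by-hash as a sync protocol or a signature verifier does it.

    The verifier only ever sees the two digests under `algorithm`, never the
    inputs side by side. With a collision-resistant hash that is sound; with
    MD5 it is not once the attacker controls both inputs.
    """
    return digest(algorithm, trusted) == digest(algorithm, presented)


def differing_offsets(a, b):
    """Byte positions at which the two colliding messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def extend_collision(suffix):
    """Merkle-Damgard length extension of a collision.

    Both messages are a whole number of 64-byte blocks and share the same
    internal state after them, so any common suffix (constructed here, e.g.
    the 'boring' fields that follow the colliding part of a certificate)
    leaves the MD5 digests equal.
    """
    return COLLIDING_A + suffix, COLLIDING_B + suffix


if __name__ == "__main__":
    print("inputs identical:", COLLIDING_A == COLLIDING_B)
    print("differ at offsets:", differing_offsets(COLLIDING_A, COLLIDING_B))
    for alg in ("md5", "sha256"):
        print(f"{alg:7s} compare-by-hash says same:",
              same_by_hash(alg, COLLIDING_A, COLLIDING_B))
    a, b = extend_collision(b"constructed common suffix\n")
    print("md5 still equal after common suffix:", same_by_hash("md5", a, b))
```

Run it and the MD5 comparison reports the two different inputs as identical, before and after the suffix is appended, while the SHA-256 comparison does not. That is the distinction in the thread: the requirement is collision resistance in a setting where the attacker chooses both inputs, so the algorithm has to be picked against that requirement first, and no amount of protocol plumbing around MD5 restores it.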


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org