On Mon, Jan 11, 2016 at 6:01 PM, Peter Gutmann
<pgut...@cs.auckland.ac.nz> wrote:
> Watson Ladd <watsonbl...@gmail.com> writes:
>
>>Do the RFCs require the relevant checks or not?
>
> No, they just specify the algorithms and bits on the wire (with a side-order
> of MTI stuff for interoperability).  It's up to implementers to not do stupid
> things.
>
>>That's because real cryptographers understand that this is only 64 times
>>better than SHA1, and so don't bother to mention it.
>
> If it's so trivial to compromise then why, of all the many, many papers
> attacking TLS, has no-one ever published an attack based on this?  In fact,
> since it's so easy, perhaps you could publish a paper demonstrating it in
> practice?

SHA-1 collisions have not yet been found. Marc Stevens has published
algorithms he claims reduce the complexity of finding these collisions
to feasible amounts, but they have not yet been run. However,
free-start collisions have been found, as have ways to modify
constants in the SHA-1 IV to get collisions.

>
> Peter.



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
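The reply above distinguishes "collisions", "free-start collisions" and collisions obtained by changing the SHA-1 IV. The distinction is about who controls the 160-bit chaining value fed into the compression function: a real collision must start from the fixed standard IV, a semi-free-start collision lets the attacker pick one IV shared by both messages, and a free-start collision lets the attacker pick a different chaining value for each message. The following is an added example, not code from this thread or from any of its participants: a plain-Python SHA-1 with the IV exposed as a parameter, checked against hashlib for the standard IV, plus a small classifier for a candidate single-block collision. The names sha1_compress, sha1_with_iv, classify_collision and matches_hashlib are this example's own.

```python
import hashlib
import struct

# Standard SHA-1 initial chaining value (FIPS 180-4 section 5.3.1).
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_compress(chaining, block):
    """One SHA-1 compression: (160-bit chaining value, 64-byte block) -> new chaining value.

    The chaining value is an explicit input here; a free-start attack is
    exactly one where the attacker gets to choose it.
    """
    assert len(block) == 64, "compression function takes one 512-bit block"
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = chaining
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999      # Ch
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1                # Parity
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC  # Maj
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6                # Parity
        temp = (_rotl(a, 5) + (f & MASK) + e + k + w[t]) & MASK
        a, b, c, d, e = temp, a, _rotl(b, 30), c, d
    # Davies-Meyer feed-forward: add the input chaining value back in.
    return tuple((x + y) & MASK for x, y in zip(chaining, (a, b, c, d, e)))


def sha1_pad(msg):
    """Merkle-Damgard strengthening: 0x80, zeros to 56 mod 64, 64-bit bit length."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bit_len)


def sha1_with_iv(msg, iv=SHA1_IV):
    """Full SHA-1 over msg, but starting from an arbitrary chaining value iv."""
    padded = sha1_pad(msg)
    h = iv
    for off in range(0, len(padded), 64):
        h = sha1_compress(h, padded[off:off + 64])
    return b"".join(struct.pack(">I", x) for x in h)


def matches_hashlib(msg):
    """Sanity check: with the standard IV this must agree with the real SHA-1."""
    return sha1_with_iv(msg) == hashlib.sha1(msg).digest()


def classify_collision(iv1, m1, iv2, m2):
    """Classify a candidate single-block collision by who chose the chaining value.

    'real'             : same standard IV, different blocks, equal output
    'semi-free-start'  : same attacker-chosen IV, different blocks, equal output
    'free-start'       : attacker-chosen, different IVs, equal output
    'none'             : outputs differ (no collision at all)
    'trivial'          : identical inputs, which proves nothing
    """
    if iv1 == iv2 and m1 == m2:
        return "trivial"
    if sha1_compress(iv1, m1) != sha1_compress(iv2, m2):
        return "none"
    if iv1 == iv2 == SHA1_IV:
        return "real"
    if iv1 == iv2:
        return "semi-free-start"
    return "free-start"


if __name__ == "__main__":
    # Constructed inputs: two blocks differing in one byte, and a non-standard IV.
    m1 = b"\x00" * 64
    m2 = b"\x01" + b"\x00" * 63
    custom_iv = (1, 2, 3, 4, 5)
    print("standard IV matches hashlib:", matches_hashlib(b"abc"))
    print("same IV, different blocks:", classify_collision(SHA1_IV, m1, SHA1_IV, m2))
    print("different IVs change the output:",
          sha1_compress(SHA1_IV, m1) != sha1_compress(custom_iv, m1))
```

Because the output of every block depends on the chaining value through the feed-forward, a pair that only collides under a chosen IV (the free-start case) does not by itself yield two messages with the same SHA-1 under the fixed standard IV, which is why the reply above keeps the two results separate.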
