Re: SHA-0 broken
From: Nicolas Williams (Nicolas.Williamssun.com)
Date: Tue, 17 Aug 2004 17:34:13 -0400 (EDT)
On Tue, Aug 17, 2004 at 01:22:28PM +0200, Thomas Otto wrote:
> Hi all, 
> 
> At Crypto 2004, Biham and Chen presented their attack on SHA-0.
> An introductory article from slashdot.org ([1]), entitled "SHA-0 Broken, 
> MD5 Rumored Broken",  and presentation slides ([2]) from the 
> conference may provide some information.
> 
> Since many protocols make heavy use of MD5 and RIPEMD-128 
> and SHA-1 is very similar to SHA-0, this is possibly the beginning 
> collapse of a big part of the Internet architecture. 

They've found a relatively fast f(M) -> M' such that H(M) = H(M'), where
H is SHA-0, MD-5, ... but NOT SHA-1.

This is worrisome, but not too much so.

If an f(x) -> M such that H(M) -> x is found, where f() is relatively
fast, then I think we should worry :)

> Now, two questions arise.
> 
> First, is TLS affected by this vulnerability? This idea came in mind 
> since the PRF relies on the abovementioned (semi-)broken cryptographic
> algorithms. 
> 
> PRF(secret, label, seed) = 
> P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed);
> 
> Second, are EAP methods that make use of TLS subsequently 
> threatened?
> 
> Your comments or ideas are highly appreciated

There's been some discussion of this topic at various fora, such as
Slashdot, cryptography lists, various blogs, and I think the general
conclusion is that these findings are mostly only worrisome because they
cast doubt over the overall security of these hash functions -- i.e.,
who knows what else will be found.

The use of SHA-1 in HMAC, for example, seems to be completely not
affected by collisions in SHA-1, and the use of SHA-1 in general in IETF
security protocols also seems fine.  PKIX and the like are more
affected.

Nico
-- 
