- From: David Wood <david@3roundstones.com>
- Date: Sat, 6 Oct 2012 23:14:35 -0400
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: Web Payments <public-webpayments@w3.org>
- Message-Id: <66EDEBC1-7587-44CE-AFAA-1C9F3A94C835@3roundstones.com>
Wikipedia has a decent description of the status and issues with SHA-1:
https://en.wikipedia.org/wiki/SHA-1

Regards,
Dave

On Oct 6, 2012, at 23:10, Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 10/05/2012 04:35 PM, Melvin Carvalho wrote:
>> This article shows that attacks could be feasible by 2018
>> http://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
>
> Thanks for the heads-up Melvin. We examined the attack, and while we
> don't agree with Schneier's assertion about the financial cost of using
> an AWS-like system to mount an attack on SHA-1, we do agree that the
> possibility exists within the next decade.
>
> This affects the PaySwarm specs, specifically the digital signature
> algorithm for signed JSON-LD messages. We explored the idea that we
> could greatly reduce the SHA-1 attack by injecting the length of the
> message in the generation of the digital signature, but instead chose to
> upgrade the spec requirements to SHA-256.
>
> SHA-256 has no known theoretical attack at present, nor is a brute-force
> attack on the algorithm known to exist that can be accomplished in the
> near term (less than 10 years into the future). As with all things
> crypto-related, this may change tomorrow, but SHA-256 seems to be the
> right solution today. SHA-3 is too new, but I expect that we will
> eventually end up using it.
>
> Dave Longley has already committed the changes to the production
> PaySwarm code. We'll push the changes to the dev.payswarm.com site soon.
> The PHP WordPress PaySwarm client was updated today:
>
> https://github.com/digitalbazaar/payswarm-wordpress/commit/0e0be20f20508998d04c95dc4a3009cd2e176a01
>
> as well as the JavaScript PaySwarm client:
>
> https://github.com/digitalbazaar/payswarm.js/commit/b8f2ce880c8858b27fad3d572350a22243d85aa3
>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny)
> President/CEO - Digital Bazaar, Inc.
> blog: The Problem with RDF and Nuclear Power
> http://manu.sporny.org/2012/nuclear-rdf/
Received on Sunday, 7 October 2012 03:15:05 UTC