Re: Some possible attacks on SHA1

On 7 October 2012 05:14, David Wood <david@3roundstones.com> wrote:

> Wikipedia has a decent description of the status and issues with SHA-1:
>   https://en.wikipedia.org/wiki/SHA-1
>

I've changed SHA-1 to SHA-2 in the webcredits spec.

Doesn't hurt to be paranoid :)


>
> Regards,
> Dave
>
>
>
>
> On Oct 6, 2012, at 23:10, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
> On 10/05/2012 04:35 PM, Melvin Carvalho wrote:
>
> This article shows that attacks could be feasible by 2018
> http://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
>
>
> Thanks for the heads-up Melvin. We examined the attack, and while we
> don't agree with Schneier's assertion about the financial cost of using
> an AWS-like system to mount an attack on SHA-1, we do agree that the
> possibility exists within the next decade.
>
> This affects the PaySwarm specs, specifically the digital signature
> algorithm for signed JSON-LD messages. We explored the idea that we
> could greatly reduce the SHA-1 attack by injecting the length of the
> message in the generation of the digital signature, but instead chose to
> upgrade the spec requirements to SHA-256.
>
> SHA-256 has no known theoretical attack at present, nor is a brute-force
> attack on the algorithm known to exist that can be accomplished in the
> near term (less than 10 years into the future). As with all things
> crypto-related, this may change tomorrow, but SHA-256 seems to be the
> right solution today. SHA-3 is too new, but I expect that we will
> eventually end up using it.
>
> Dave Longley has already committed the changes to the production
> PaySwarm code. We'll push the changes to the dev.payswarm.com site soon.
> The PHP WordPress PaySwarm client was updated today:
>
>
> https://github.com/digitalbazaar/payswarm-wordpress/commit/0e0be20f20508998d04c95dc4a3009cd2e176a01
>
> as well as the JavaScript PaySwarm client:
>
>
> https://github.com/digitalbazaar/payswarm.js/commit/b8f2ce880c8858b27fad3d572350a22243d85aa3
>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny)
> President/CEO - Digital Bazaar, Inc.
> blog: The Problem with RDF and Nuclear Power
> http://manu.sporny.org/2012/nuclear-rdf/
>
>
>

Received on Friday, 12 October 2012 14:09:24 UTC
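
The digest upgrade discussed in this thread, sketched as an added example; it is not code from the original messages, the PaySwarm specs, or the Digital Bazaar clients. It shows a verifier that enforces a digest allow-list, so a message declaring SHA-1 is refused by policy before any signature check runs. The envelope layout, the field names, and the choice to include the digest name in the signed bytes are assumptions made for illustration.

```javascript
// Added example. Envelope layout and names are hypothetical, not PaySwarm's format.
const crypto = require('crypto');

// Digests the verifier accepts. SHA-1 is deliberately absent.
const ALLOWED_DIGESTS = new Set(['sha256']);

// Deterministic serialization (sorted keys) so both sides hash identical bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value && typeof value === 'object') {
    const members = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]));
    return '{' + members.join(',') + '}';
  }
  return JSON.stringify(value);
}

// The digest name is inside the signed bytes, so it cannot be relabelled later.
function signedBytes(digest, message) {
  return Buffer.from(canonicalize({ digest, message }), 'utf8');
}

function sign(message, privateKey, digest = 'sha256') {
  const value = crypto.sign(digest, signedBytes(digest, message), privateKey);
  return { message, signature: { digest, value: value.toString('base64') } };
}

function verify(envelope, publicKey) {
  const { digest, value } = envelope.signature || {};
  // Policy check comes first: a disallowed digest is never handed to the crypto layer.
  if (!ALLOWED_DIGESTS.has(digest)) return { ok: false, reason: 'digest-not-allowed' };
  if (typeof value !== 'string') return { ok: false, reason: 'bad-signature' };
  const sig = Buffer.from(value, 'base64');
  const ok = crypto.verify(digest, signedBytes(digest, envelope.message), publicKey, sig);
  return ok ? { ok: true } : { ok: false, reason: 'bad-signature' };
}

// Constructed sample data; the key pair is generated on the spot.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const good = sign({ amount: '1.00', currency: 'USD' }, privateKey);
  const legacy = { ...good, signature: { ...good.signature, digest: 'sha1' } };
  const tampered = { ...good, message: { amount: '9.00', currency: 'USD' } };
  return [good, legacy, tampered].map((e) => verify(e, publicKey));
}

console.log(demo());
```

Keeping the allow-list in one constant makes a later digest migration a one-line policy change rather than a search through every verification call site.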