- From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
- Date: Wed, 13 Jan 2010 12:12:49 -0500
- To: ext Harold Lockhart <hal.lockhart@oracle.com>
- Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, Peter Saint-Andre <Peter.SaintAndre@webex.com>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
True, it is a reference to a book that can be obtained from a library or purchased. Moreover the link provides useful information for following up.

RFC 4270 is dated 2005 and I note it states

[[
The attacks against SHA-1 are not feasible with today's computers, but will be if the attacks are improved or Moore's Law continues to make computing power cheaper.
]]

Thus continuing the reference to Wang paper provided by Hal might be more appropriate.

regards, Frederick

Frederick Hirsch
Nokia

On Jan 13, 2010, at 12:08 PM, ext Harold Lockhart wrote:

> Well as I understand it, the idea was to cite a detailed
> cryptographic analysis for those who wished such information. Given
> that it is not a normative reference, it seems reasonable to provide
> the reference. After all, people frequently buy books on computer
> subjects to increase their professional knowledge.
>
> There are a number of problems with citing RFC 4270. First of all,
> it turns around and cites the Wang papers for details, so there is
> no improvement there. More importantly, it is seriously out of date.
> At the time it was written it was thought that collisions were the
> only problem. It has now been demonstrated that there are forging
> and key recovery attacks on the order of sqr(n).
>
> Hal
>
>> -----Original Message-----
>> From: Peter Saint-Andre [mailto:Peter.SaintAndre@webex.com]
>> Sent: Wednesday, January 13, 2010 11:49 AM
>> To: Frederick Hirsch; Harold Lockhart
>> Cc: public-xmlsec@w3.org
>> Subject: Re: Reference for SHA-1 being broken
>>
>> Instead of linking to for-pay content, I still think it would be
>> appropriate to reference RFC 4270 <http://tools.ietf.org/html/rfc4270>
>>
>> On 1/13/10 8:26 AM, "Frederick Hirsch" <Frederick.Hirsch@nokia.com> wrote:
>>
>>> thanks, I'll add this to the reference unless anyone objects.
>>>
>>> regards, Frederick
>>>
>>> Frederick Hirsch
>>> Nokia
>>>
>>> On Jan 13, 2010, at 10:19 AM, ext Harold Lockhart wrote:
>>>
>>>> Here is a link, but you have to pay to get more than the abstract.
>>>>
>>>> http://www.springerlink.com/content/26vljj3xhc28ux5m/
>>>>
>>>> Hal
>>>>
>>>>> -----Original Message-----
>>>>> From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
>>>>> Sent: Tuesday, January 12, 2010 3:58 PM
>>>>> To: Harold Lockhart
>>>>> Cc: Frederick Hirsch; public-xmlsec@w3.org
>>>>> Subject: Re: Reference for SHA-1 being broken
>>>>>
>>>>> thanks. Is there a URL?
>>>>>
>>>>> regards, Frederick
>>>>>
>>>>> Frederick Hirsch
>>>>> Nokia
>>>>>
>>>>> On Jan 12, 2010, at 3:45 PM, ext Harold Lockhart wrote:
>>>>>
>>>>>> Well Wang's team has published a bunch of papers in 2005 and their
>>>>>> initial results merely weakened SHA-1, while completely breaking
>>>>>> MD-5. However this seems to be the paper which convinced everybody
>>>>>> that SHA-1 had to be phased out in fairly short order:
>>>>>>
>>>>>> Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1.
>>>>>> In Shoup, V., editor, Advances in Cryptology - CRYPTO 2005,
>>>>>> 25th Annual International Cryptology Conference, Santa Barbara,
>>>>>> California, USA,
>>>>>> August 14-18, 2005, Proceedings, volume 3621 of LNCS, pages 17-36.
>>>>>> Springer, 2005.
>>>>>>
>>>>>> Hal

Received on Wednesday, 13 January 2010 17:13:53 UTC