Crypto, passwords

[Kurt Roeckx]

On Fri, Jan 05, 2018 at 04:24:01PM -0500, Eric S. Raymond wrote:
> Kurt Roeckx <kurt at roeckx.be>:
> > On Fri, Jan 05, 2018 at 10:04:44AM -0500, Eric S. Raymond via devel wrote:
> > > > MD5 is no longer considered safe.
> > > > Is SHA1 considered safe?  What other types should we test and/or suggest 
> > > > people use?
> > > 
> > > No, SHA1 is no longer considered safe.  The first collision was generated
> > > early last year. The git team is considering a move to SHA-2 (I think - I
> > > might be out of date on this.)
> > 
> > For both MD5 and SHA1 it depends on what property of it is
> > important, which depends on how you use it. (I have no idea how
> > NTP uses it.) Both are still secure for preimage attacks but not for
> > collisions.
> 
> This is true.  However, it is also the case that - based on historical timing
> of attack discoveries - preimage attacks tend to follow collision iductions
> relatively rapidly. For the git team to act on the assumption that a SHA-1
> preimage attack will be discovered soon is reasonable.

So I want to clarify this a little. As far as I know MD5 is actually
broken for preimage resistance, but it's only slightly faster than
bruce force. For SHA-1 it's only a reduced version that's broken. In
the long run you should not trust them, but I don't think there is a
reason to panic (if only preimage resistance is important).

I have no idea how it's used in NTP. But I understand it's some
kind of shared password? You should clearly look in how it's being
used and if that actually makes sense. Maybe it needs more than
just replacing the hash algorithm.


Kurt