Re: [exim] CRAM-MD5 with Courier authdaemon (with one wishli…

Góra strony
Delete this message
Reply to this message
Autor: Dennis Davis
Data:  
Dla: Jakob Hirsch
CC: 'Exim-users', D.H.Davis, ccsdhd
Temat: Re: [exim] CRAM-MD5 with Courier authdaemon (with one wishlist suggestion and a security question)
On Fri, 18 Feb 2005, Jakob Hirsch wrote:

> From: Jakob Hirsch <jh@???>
> Resent-From:  D.H.Davis@???
> To: 'Exim-users' <exim-users@???>
> Date: Fri, 18 Feb 2005 16:51:23 +0100
> Subject: [exim] CRAM-MD5 with Courier authdaemon (with one wishlist suggestion
>      and a security question)


...

> Even though everybody now thinks SHA-1 is insecure...


Not quite. See:

http://www.financialcryptography.com/mt/archives/000355.html

which includes the comment:

"it seems that Schneier forgot to mention that the paper has a footnote
which says that the attack on full SHA-1 only works if some padding
(which SHA-1 requires) is not done."

It seems that the attack weakens full SHA-1 without the padding and 
reduced round versions of SHA-1.  The results look important and perhaps 
can be improved.  But for practical purposes I think I'll stick with SHA-1 
rather than reverting to MD5.  No panic yet, certainly not for the low-key 
uses I need!
 -- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@???               Phone: +44 1225 386101