[Mac_crypto] Apple should use SHA! (or stronger) to authenticate software releases

Arnold G. Reinhold mac_crypto@vmeng.com
Fri, 16 Apr 2004 10:30:32 -0400

At 10:26 PM +0100 4/14/04, Nicko van Someren wrote:
>On 14 Apr 2004, at 4:53, Arnold G. Reinhold wrote:
>>I suppose it is educational to think about different ways to solve 
>>a problem like this, but this is getting silly. All that is needed 
>>to prevent my attack is to use calculate and publish the SHA1 hash 
>>along with the MD5 hash. Easy as can be.  No special hardware 
>Actually I think that working out this sort of defence is useful. 
>The attack you published is important because it is a way to turn 
>what should be a "matching hash" problem with a cost of 2^N into a 
>hash collision problem, with cost 2^(N/2).  No matter what hash you 
>use this represents a serious weakening.  Yes, we can all switch to 
>SHA-256 but I think it's still useful to consider ways to defend 
>against the whole attack method that you proposed.

At the risk of being tedious, I feel a need to respond because I 
think there is a matter of principle at stake. For research or 
educational purposes, it is always appropriate to ask if there is 
another way to solve any given problem. But  computer security as a 
practical matter depends on non-cyrptographers using cryptographic 
tools properly.  They cannot be expected to work out and verify each 
solution from scratch but must be given engineering guidelines and 
told to adhere to them.

I would submit that one of those guidelines must be that whenever a 
hash function is used there is a presumption of a collision attack 
and that therefore the strength of a hash is no more than half its 
output length.  Designs should based on the nonexistence of a 
collision attack (i.e. assume the full output length of a hash as its 
strength) only if absolutely necessary for performance reasons and 
only after careful  review by cryptographers.  My attack does not 
represent a "serious weakening" but rather an instructive 
confirmation of the rationale behind standard guidelines.

We should all be switching to SHA-256 for new designs and legacy 
systems that use MD5 should be rated as having 64-bit strength and 
upgraded if that is not acceptable.

Arnold Reinhold