Loading...

We should have seen this comming.

SHA1, SHA2, SHA3, what’s the next hash I’m going to see.

The Feb 7 FWC.com article "Hashing out encription" first paragraph reads:

Federal agencies have been put on notice that National Institute ofStandards and Technology officials plan to phase out a widely usedcryptographic hash function known as SHA-1 in favor of larger andstronger hash functions such as SHA-256 and SHA-512.

A little further down William Blurr, a NIST security guru is quoted:

"There’s really no emergency here," Burr said. "But you should beplanning how you’re going to transition — whether you’re a vendor or auser — so that you can do better cryptography by the next decade."

So are we suprised by what appeared on Schneier’s Blog yesterday:

SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.

The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu(mostly from Shandong University in China) have been quietlycirculating a paper announcing their results:

  • collisions in the the full SHA-1 in 2**69 hash operations, muchless than the brute-force attack of 2**80 operations based on the hashlength.
  • collisions in SHA-0 in 2**39 operations.
  • collisions in 58-round SHA-1 in 2**33 operations.

This attack builds on previous attacks on SHA-0 and SHA-1, and is amajor, major cryptanalytic result. It pretty much puts a bullet intoSHA-1 as a hash function for digital signatures (although it doesn’taffect applications such as HMAC where collisions aren’t important).

The paper isn’t generally available yet. At this point I can’t tellif the attack is real, but the paper looks good and this is a reputableresearch team.

More details when I have them.

The combination of the two messages makes one wonder doesn’t it.

Anyway, my main worry about all this has to do with DNSSEC that uses RSA/SHA1 based signatures.

I am not a cryptanalist and I confess I know far less than I would like to know on this subject but I figure that given the pre-defined structure of the material being hashed (a RRset wich contains well defined fields that can only have well defined vallues such as type codes) an exploit would take more than 2^33 ops. I need education… How many orders of magnitude does one gain by needing structure?

Share the joy
      

Sisi and Sissy boys

Sisi and Sissy boys



About a week ago I was invited to attend the musical “Elisabeth” in the the “Theater an der Wien“.This was the second time I attended a musical show. And although Iappreciate obviously high production quality (hydrolic platforms,costume changes every other minute, &c, &c) I just do not enjoythe music. Again it has a high production quality but for some reason Musicals do not appeal to me that much. Is it because of the cliches? Idon’t know, rock-n-roll is full of 3-chord cliches. Is it the lackof irony? That could well be, because there is one musical, which I have never seen, butlistened to many many times and that is full of irony. “Thing Fish”.

So what about this topic title… Sisi and Sissy boys.

Well as you all known “Elisabeth” Empress of Austria – Queen of Hungary was called “Sisi”. And the first line in “Thing Fish” is:

Once upon a time, musta been ’round October, fewyears back, in one o’ dose TOP SECRET LAB-MOTORIES de gubbnint keep stashed away underneathVirginia, an EVIL PRINCE, occasion’ly employed asa part-time THEATRICAL CRITICIZER set to woikin’on a plot fo de systematic GENOCIDICALREMOVE’LANCE of all unwanted highly-rhythmicindividj’lls an’ sissy-boys!

Back to listening to the hilaric adventures of our EVIL PRINCE, Ronda, Harry and Sister OB’DEWLLA ‘X.

Share the joy
      

Presidential Homograph ban

GrumpOps wrote:

Bush Promises Ban on Homographs [Permalink]

Fri Feb 11 19:46:18 EST 2005
Category [Internet Politics]

WASHINGTON, DC – In a press conference today, White House PressSecretary Scott McClellan stated that President Bush would renewattempts to institute a Constitutional amendment banning homographs.Citing recent security concerns over homographs,McClellan noted, "These homographs are more menacing than ever before.It is no longer a localized affair. Through the process ofinternationalization, they are now organized into different kinds ofgroups that make it harder for us to recognize."

Many security experts have called for the tagging ofhomographs, expressing the need for visual indicators when homographsare present. However, civil libertarians vehemently disagree, arguingthat such actions smack of the ages-old ignorance and prejudiceregarding unfamiliar, foreign characters.

So I asked GrumpOps for a reference… and Grumpops replied:

That was satire

Ouch… I honestly believed this. Does that say more about me than about the President of the USA?


Share the joy
      

Senor Coconut y Son Conjunto

Since I bought an Ipod I’ve been going retro.

I started listening to things I first bought when I was a teenager suchas “I am” by Earth Wind and Fire, “Out of the Blue” by Electric LightOrchestra and Kraftwerk’s “Computer World”.

That last album contains one track that remains appealing; “ComputerLove”. I still do not understand why. The tune is overproduced,too simple and cliche but it manages to tickle the lower belly. I ampuzzled.

Recently somebody told me that Senor Coconut y Son Conjunto did a whole album with Kraftwerk covers.

Google brings us to an article that describes some of the background

Although the disc is credited to Senor Coconut y Son Conjunto, it’s purely the work of Schmidt on keyboards and samplers, helped by three vocalists. And he’s fully aware of the irony involved in what he’s doing, noting that “since the entire album is programmed and not played by real musicians, it contains the simulation aspect and questions the term of authenticity.” At the heart of the music, though, he “tried to interpret their songs trying to imagine how a real Latin band would do them. The Latin styles I worked with are certainly uplifting and light” and form an wonderfully absurd juxtaposition with what Coconut called “the Kraftwerkian coolness.”

Do I like “Coconut”? I am not sure yet. I need to listen to it a little more to appreciate if it is more than a gimmick.

 

Share the joy
      

Trend Watcher Blog

Trend-watcher.org

I’ve had this domain for quite some time. It used to be somewhat empty and contain only one reference to my buddy "Bert". I never quite new what to do with it. On the other hand I always wanted to experiment a bit with blogging. So I decided that Trend-Watcher is not the worst name to start deploying such activity.

I got my hands out of my pocket and started toying with plog (www.plogworld.net). And now I’m proud to present. My own weblog, for as long as it lasts.

About the domain name itself.  "Bert" is the trend-watcher, I do not have any claims in the Trend department. I do not  pretend to watch, follow or set.

Enjoy.

Share the joy