Date: Wed, 13 Sep 2000 01:23:30 +0200 (CEST)
From: Igmar Palsenberg <maillist@chello.nl>
> No, not true. The mixing into the entropy pool uses a twisted LFSR, but
> all outputs from the pool (to either /dev/random or /dev/urandom)
> filters the output through SHA-1 as a whitener. The key here, though,
> and what makes this fundamentally different from yarrow, is that since
> we're feeding the entire (large) entropy pool through SHA-1, even if the
> SHA-1 algorithm is very badly broken (say as in what's been happening
> with MD5), as long as there's sufficient entropy in the pool, the
> adversary can define but minimal information about the pool, since the
> 8192 -> 160 bit transform has to lose information by definition.
Broken ?? Please explain.
This is old news. Hans Dobbertin, in about 10 hours of CPU time on a
Pentium system, can generate hash collions in MD5. This is not
something which you're supposed to be able to do with crypto checksums,
so effectively MD5 is "broken", and shouldn't be used in new
applications where a crypto checksum is required. His break is probably
not exploitable for existing uses of MD5, so some people might claim
that MD5 hasn't been "broken" yet, but merely severly bent. At some
level this is just a matter of semantics.
Regardless, the use of MD5 for new protocols/applications is not
recommend.
- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Sep 15 2000 - 21:00:19 EST