SHA-1
Well, so much has been said on this subject. Dunno what's left. Guess I'm just gonna go with:
- I concur with Schneier's second statement on the matter: yes, this is an impressive result, cryptanalytically, and yeah, it's time to migrate away from SHA-1. With some haste. It's unlikely anyone's gonna get ripped off any time soon from exploits that arise, but it's also appropriate to get going on ensuring this.
- With all due respect to my erstwhile peers (I worked as a reporter for some time, some years back), it's kinda painful watching the mainstream press handle this. Really has been some mangled, confused reporting on the deal. Worst article I saw (see it here) referred to 'Schneier's team', and, weirdly, seemed clearly to imply Schneier himself had done the research and would be publishing a paper shortly (not the Chinese team). That's just really bad reporting, though, I suppose, might just have been due to translation difficulties. And, as a more typical gaffe, the otherwise essentially sensible article in The Sydney Morning Herald today blew the math (or perhaps just dropped some zeroes in layout) with their first estimate--that '12,000 years' ballpark figure for finding a collision in a space of 2^80 hashes with a hypothetical computer is off by 10^3--it should read 12,000,000.
Savages in this town.
(Update: to his credit, the author of the Herald article was happy to fix the 12 million thing. Mebbe I'm just getting cranky in my old age.)