I agree! It should be changed and i have no idea why people still use it!<br><br><div class="gmail_quote">On Dec 1, 2007 4:20 PM, Steven Adair <<a href="mailto:steven@securityzone.org">steven@securityzone.org</a>> wrote:
<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">><br>><br>> There you have it. Surely a GPL'd tool implementing this attack style
<br>> will be available shortly. And since Chinese researchers have been<br>> attacking SHA-1 lately, should SHA-256 be considered the proper<br>> replacement? I am unsure :-(<br><br></div>Yes, it would probably be a good idea. I think this link has been put out
<br>on this list in the past with respect to discussion on SHA-1:<br><br><a href="http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html" target="_blank">http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html</a><br>
<br>NIST might not be the bible to you on what to follow and implement, but<br>they are definitely worth listening to (even if you're not a U.S. Federal<br>agency) when they tell you not to use something anymore. For those that
<br>don't want to click and just want to read, here's the relevant parts:<br><br>----<br><br>March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,<br>SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
<br>applications using secure hash algorithms. Federal agencies should stop<br>using SHA-1 for digital signatures, digital time stamping and other<br>applications that require collision resistance as soon as practical, and
<br>must use the SHA-2 family of hash functions for these applications after<br>2010. After 2010, Federal agencies may use SHA-1 only for the following<br>applications: hash-based message authentication codes (HMACs); key
<br>derivation functions (KDFs); and random number generators (RNGs).<br>Regardless of use, NIST encourages application and protocol designers to<br>use the SHA-2 family of hash functions for all new applications and<br>protocols.
<br><br>----<br><br>Steven<br><a href="http://www.securityzone.org" target="_blank">http://www.securityzone.org</a><br><br>> --<br><div><div></div><div class="Wj3C7c">> Kristian Erik Hermansen<br>> "I have no special talent. I am only passionately curious."
<br>><br>> _______________________________________________<br>> Full-Disclosure - We believe in it.<br>> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>> Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>><br><br><br>_______________________________________________<br>Full-Disclosure - We believe in it.
<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">
http://secunia.com/</a><br></div></div></blockquote></div><br><br clear="all"><br>-- <br><a href="http://search.goldwatches.com/?Search=Movado+Watches">http://search.goldwatches.com/?Search=Movado+Watches</a> <br><a href="http://www.jewelerslounge.com">
http://www.jewelerslounge.com</a><br><a href="http://www.goldwatches.com">http://www.goldwatches.com</a>