Matasano Chargen: RSA Signature Forgery Explained (with Nate Lawson) - Part II

  • Halvar · 3 years ago
    Silly question, but couldn't the entire thing have been avoided had we

    a) switched to OAEP?
    b) implemented OAEP correctly?
    c) refused to trust anyone who uses a low exponent?

    At least, if we trust the random oracle model, we have something relatively strong in our hands (OAEP). I am consistently surprised that the migration away from other, clearly weaker message padding schemes isn't happening more quickly.

    Cheers,
    Halvar
  • tyme · 3 years ago
    I'd love to hear an explanation for why the people in charge of the TLS standard haven't added any ciphersuites with alternative hashes.

    They add a screwball symmetric algorithm like SEED, yet they can't be bothered to add suites that use SHA-256, SHA-512, Whirlpool, or Tiger, even when there was speculation that SHA-1 would be next to fall when MD5 attacks were announced a couple years ago?
  • Thomas Ptacek · 3 years ago
    MD5 makes this attack very slightly easier. SHA256 would make it slightly harder (you'd have a harder time sliding a bogus hash into a 1024 bit modulus). But all the engineering you could do with hash functions is for nothing if you don't get signature verification right.
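The verification check Thomas Ptacek is pointing at, as an added example that is not part of the original thread or of any Matasano code: it assumes a 1024-bit modulus (k = 128 bytes), SHA-256, and a constructed sample message, and contrasts a parser-style verifier that stops reading after the hash with one that rebuilds the whole PKCS#1 v1.5 encoding and compares it end to end.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def build_em(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo || H(m), exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_lenient(em: bytes, message: bytes) -> bool:
    """Parser-style check: walks the padding, reads the DigestInfo and hash,
    and never looks at the bytes after them.  This is the flawed pattern."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i == len(em) or em[i] != 0x00:
        return False
    i += 1
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i:i + len(t)] == t  # whatever follows the hash is ignored


def verify_strict(em: bytes, message: bytes) -> bool:
    """Correct check: rebuild the expected encoding and compare all k bytes."""
    return hmac.compare_digest(em, build_em(message, len(em)))


def demo() -> dict:
    k = 128  # 1024-bit modulus
    msg = b"constructed sample message"
    good = build_em(msg, k)
    # Constructed mis-padded encoding: the padding block is too short and the
    # tail is filler the lenient verifier never inspects.  No key is involved;
    # this only illustrates what each verifier accepts.
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    loose = head + b"\x00" * (k - len(head))
    return {
        "good_lenient": verify_lenient(good, msg),
        "good_strict": verify_strict(good, msg),
        "loose_lenient": verify_lenient(loose, msg),
        "loose_strict": verify_strict(loose, msg),
    }
```

The lenient verifier accepts both encodings; only the strict one rejects the mis-padded input, which is the property the comment says no choice of hash function can supply on its own.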