[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

[Openvpn-users] Re: What security implications does the recent attacks on HASH algorithms have for OpenVPN?


  • Subject: [Openvpn-users] Re: What security implications does the recent attacks on HASH algorithms have for OpenVPN?
  • From: Daniel Pittman <daniel@xxxxxxxxxxxx>
  • Date: Thu, 02 Sep 2004 18:17:20 +1000
  • Cancel-lock: sha1:osBPqe2F18h+qeQqeSB7LKF8GF8=

On 2 Sep 2004, Jon Bendtsen wrote:
> http://www.cryptography.com/cnews/hash.html
>
> "Cryptography Research has received many inquiries about the hash 
> collision attacks that were recently announced at the CRYPTO 2004 
> conference. This document attempts to address these questions."
>
> But they do not talk directly about OpenVPN, so i am asking here:
> What security implications does the recent attacks on HASH algorithms 
> have for OpenVPN?

The current thinking seems to be:

    MD5 has been hurt very badly by this discovery, and should be phased
    out of active use as quickly as possible.

    SHA-1 is still secure, since the attacks have not yet managed to
    find a weakness on it. Only weaker variants have been successfully
    attacked.

    That said, they are working up to it, so anticipate problems within
    the next few years.

    There is no clear direction on the next hash to move to, so wait
    until the experts recommend a direction, and then move there.


More practically, there is very little risk for day to day use in terms
of OpenVPN.

If your data is important enough that the theoretical weakness in SHA-1
is a risk, you already knew that and have probably spent some of your
multi-million dollar budget on additional security. ;)


Also, as far as I can tell the rate of rekeying in OpenVPN using
certificates would make the current attacks fairly impractical in real
life.


All this advice is, of course, worth what you paid for it.  Remember
that, and make your own call about the implications on your data
security.

Regards,
        Daniel
-- 
Sufficiently advanced cluelessness is indistinguishable from malice.
        -- Bill Seitz


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users