|
|
On 2 Sep 2004, Jon Bendtsen wrote: > http://www.cryptography.com/cnews/hash.html > > "Cryptography Research has received many inquiries about the hash > collision attacks that were recently announced at the CRYPTO 2004 > conference. This document attempts to address these questions." > > But they do not talk directly about OpenVPN, so i am asking here: > What security implications does the recent attacks on HASH algorithms > have for OpenVPN? The current thinking seems to be: MD5 has been hurt very badly by this discovery, and should be phased out of active use as quickly as possible. SHA-1 is still secure, since the attacks have not yet managed to find a weakness on it. Only weaker variants have been successfully attacked. That said, they are working up to it, so anticipate problems within the next few years. There is no clear direction on the next hash to move to, so wait until the experts recommend a direction, and then move there. More practically, there is very little risk for day to day use in terms of OpenVPN. If your data is important enough that the theoretical weakness in SHA-1 is a risk, you already knew that and have probably spent some of your multi-million dollar budget on additional security. ;) Also, as far as I can tell the rate of rekeying in OpenVPN using certificates would make the current attacks fairly impractical in real life. All this advice is, of course, worth what you paid for it. Remember that, and make your own call about the implications on your data security. Regards, Daniel -- Sufficiently advanced cluelessness is indistinguishable from malice. -- Bill Seitz ____________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users |