IETF-SSH archive


Re: SHA1 weaknesses...



On Thu, Mar 31, 2005 at 03:09:18PM +1200, Peter Gutmann wrote:
> Joseph Galbraith <galb-list%vandyke.com@localhost> writes:
> 
> >In light of recent SHA1 weaknesses, which, if I understand correctly,
> >may not really affect SSH, but are still worrisome, should we be
> >looking at introducing a document for using SHA256?
> >
> It doesn't affect its use in either PRFs or HMAC, so SSH is unaffected
> (I've been working on an article for IEEE S&P for this, but it'll
> probably be a while before it appears).  There's no need to rush out and
> change anything because of this, better to wait until we know whether 
> SHA-2 or Whirlpool is the way to go.

Wouldn't lack of collision resistance in SHA1 leave a
vulnerability with using fingerprints of host public keys
for verification?  (mentioned in the -architecture draft).

Of course this isn't a mandatory part of the spec, though
it's common in various implementations.

Matt
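As an added illustration of what the host-key fingerprints discussed above actually hash over (example code, not from this thread or from any SSH implementation): the fingerprint is a digest of the serialized public-key blob, so a hash collision would mean two distinct key blobs sharing one fingerprint. The key material below is constructed, not a real ed25519 key; the md5 colon-hex and SHA256:base64 display styles mirror OpenSSH's, and sha1 is accepted only so the algorithm can be compared as a parameter.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_public_key(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH 'type base64 [comment]' line.
    The fingerprint is computed over this blob, not over the text line."""
    key_type, b64, *_ = line.split()
    blob = base64.b64decode(b64, validate=True)
    # The blob's leading string must repeat the key type (RFC 4253 section 6.6).
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type inside blob does not match the line's key type")
    return blob


def fingerprint(blob: bytes, algo: str) -> str:
    """md5 -> legacy colon-separated hex; sha1/sha256 -> 'ALGO:' + unpadded base64."""
    digest = hashlib.new(algo, blob).digest()
    if algo == "md5":
        return ":".join(f"{b:02x}" for b in digest)
    return f"{algo.upper()}:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(line: str, expected_fp: str) -> bool:
    """Client-side check of an out-of-band fingerprint: recompute with the
    algorithm the fingerprint names and compare in constant time."""
    algo = "md5"
    for prefix in ("SHA256:", "SHA1:"):
        if expected_fp.startswith(prefix):
            algo = prefix[:-1].lower()
    actual = fingerprint(parse_openssh_public_key(line), algo)
    return hmac.compare_digest(actual.encode(), expected_fp.encode())


# Constructed sample: a well-formed ssh-ed25519 blob with dummy key bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"
# Same structure, key bytes changed by one position: a different key, different fingerprint.
OTHER_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))
OTHER_LINE = "ssh-ed25519 " + base64.b64encode(OTHER_BLOB).decode()

if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(algo, fingerprint(SAMPLE_BLOB, algo))
```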