[Dnssec-deployment] Starting with SHA1?

Ondřej Surý ondrej.sury at nic.cz
Thu Aug 5 03:59:54 EDT 2010


On 5.8.2010 01:27, Paul Hoffman wrote:
> At 1:12 AM +0200 8/5/10, Ondrej Filip wrote:
>>> I believe, this article could be interesting for you. It was
>>> discovered by one Czech colleague. This was exactly the reason we
>>> made a last minute change from SHA-256 to SHA-512.
>> And here is the link - http://eprint.iacr.org/2010/430
> Maybe you misread the paper. It says "Our attack reduces the
> collision search, from the generic bound of 2^(n/2) to 2^(n/2-k/2)
> number of hash calls, where hashing is done over messages of length
> 2^k blocks." It is unlikely (actually, impossible) that any of your
> DNS records will be 2^256 bits long.

Correct me if I am wrong, but I don't think you need messages 2^256 long
(n != k).

E.g. if I have an RRSet 2^13 bits long (approx. what .CZ has for DNSKEY
RRSIG now) then the collision search is reduced to 2^(256/2)-(13/2), 
i.e. to 2^122.

And it gets worse for TXT records, which can grow bigger, doesn't it?

  Ondřej Surý
  vedoucí výzkumu/Head of R&D department
  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
  Americka 23, 120 00 Praha 2, Czech Republic
  mailto:ondrej.sury at nic.cz    http://nic.cz/
  tel:+420.222745110       fax:+420.222745112
