[olsr-dev] olsrd secure plugin
Andrew Nott
(spam-protected)
Thu Feb 24 08:51:20 CET 2005
If there's going to be some amount of work done on security, it might be
worth moving away from SHA-1 entirely as it was broken recently. It's
not an catastrophic break (at this point it'd still take massive
computing power to actually take advantage of the flaw, and it's only
relevant in cases where collisions are a problem, digital signatures for
example, rather than login passwords) but moving to SHA-256 or SHA-512
seems to be a wise precaution as the attacks are only going to get
better, and computing power only ever gets cheaper.
Brief summary of the situation by John Callas, PGP's CTO: "It's time to
walk, but not run, to the fire exits. You don't see smoke, but the fire
alarms have gone off."
A more detailed analysis by Bruce Schneier, who, unlike me, is actually
qualified to talk about this stuff, is at
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
Andrew Nott
Thomas Lopatic wrote:
>> The secure plugin only uses a SHA-1 hash function from openSSL as far
>> as I
>> can remember.
>
>
> There's a public domain implementation of SHA-1 by Steve Reid (google
> for his name and "SHA-1". So, I'd like to suggest that we completely
> eliminate any external dependencies by including Steve's code in the
> plugin.
>
> -Thomas
>
>
> _______________________________________________
> olsr-dev mailing list
> (spam-protected)
> https://www.olsr.org/mailman/listinfo/olsr-dev
>
>
More information about the Olsr-dev
mailing list