[olsr-dev] olsrd secure plugin

[Jon Andersson]

It should be obvious that a flawed algorithm should not be used, regardless
of the severity at present time.

There are quite a few open domain/BSD licensed implementations of SHA2 out
there.
(e.g. http://fp.gladman.plus.com/cryptography_technology/sha/,
http://rehash.sourceforge.net/ just to mention a few from a quick google)


A careful check of licensing terms is advised though...

Jon

>
>If there's going to be some amount of work done on security, it might be
>worth moving away from SHA-1 entirely as it was broken recently. It's
>not an catastrophic break (at this point it'd still take massive
>computing power to actually take advantage of the flaw, and it's only
>relevant in cases where collisions are a problem, digital signatures for
>example, rather than login passwords) but moving to SHA-256 or SHA-512
>seems to be a wise precaution as the attacks are only going to get
>better, and computing power only ever gets cheaper.
>
>Brief summary of the situation by John Callas, PGP's CTO: "It's time to
>walk, but not run, to the fire exits. You don't see smoke, but the fire
>alarms have gone off."
>
>A more detailed analysis by Bruce Schneier, who, unlike me, is actually
>qualified to talk about this stuff, is at
>http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
>
>Andrew Nott
>
>Thomas Lopatic wrote:
>>> The secure plugin only uses a SHA-1 hash function from openSSL as far
>>> as I
>>> can remember.
>>
>>
>> There's a public domain implementation of SHA-1 by Steve Reid (google
>> for his name and "SHA-1". So, I'd like to suggest that we completely
>> eliminate any external dependencies by including Steve's code in the
>> plugin.
>>
>> -Thomas
>>
>>
>> _______________________________________________
>> olsr-dev mailing list
>> (spam-protected)
>> https://www.olsr.org/mailman/listinfo/olsr-dev
>>
>>
>_______________________________________________
>olsr-dev mailing list
>(spam-protected)
>https://www.olsr.org/mailman/listinfo/olsr-dev
>
>