[olsr-dev] olsrd secure plugin

Jon Andersson (spam-protected)
Thu Feb 24 10:29:00 CET 2005

It should be obvious that a flawed algorithm should not be used, regardless
of the severity at present time.

There are quite a few open domain/BSD licensed implementations of SHA2 out
(e.g. http://fp.gladman.plus.com/cryptography_technology/sha/,
http://rehash.sourceforge.net/ just to mention a few from a quick google)

A careful check of licensing terms is advised though...


>If there's going to be some amount of work done on security, it might be
>worth moving away from SHA-1 entirely as it was broken recently. It's
>not an catastrophic break (at this point it'd still take massive
>computing power to actually take advantage of the flaw, and it's only
>relevant in cases where collisions are a problem, digital signatures for
>example, rather than login passwords) but moving to SHA-256 or SHA-512
>seems to be a wise precaution as the attacks are only going to get
>better, and computing power only ever gets cheaper.
>Brief summary of the situation by John Callas, PGP's CTO: "It's time to
>walk, but not run, to the fire exits. You don't see smoke, but the fire
>alarms have gone off."
>A more detailed analysis by Bruce Schneier, who, unlike me, is actually
>qualified to talk about this stuff, is at
>Andrew Nott
>Thomas Lopatic wrote:
>>> The secure plugin only uses a SHA-1 hash function from openSSL as far
>>> as I
>>> can remember.
>> There's a public domain implementation of SHA-1 by Steve Reid (google
>> for his name and "SHA-1". So, I'd like to suggest that we completely
>> eliminate any external dependencies by including Steve's code in the
>> plugin.
>> -Thomas
>> _______________________________________________
>> olsr-dev mailing list
>> (spam-protected)
>> https://www.olsr.org/mailman/listinfo/olsr-dev
>olsr-dev mailing list

More information about the Olsr-dev mailing list