[Standards] SHA-1 use in XMPP

Dave Cridland dave at cridland.net
Thu Jun 22 16:13:08 UTC 2017

On 22 June 2017 at 16:20, Evgeny Khramtsov <xramtsov at gmail.com> wrote:
> Fri, 16 Jun 2017 13:33:55 +0100
> Dave Cridland <dave at cridland.net> wrote:
>> On 16 June 2017 at 13:02, Jonas Wielicki <jonas at wielicki.name> wrote:
>> > Is the collision thing an actual problem for SCRAM? (Not saying
>> > that we should not upgrade soon-ish, but still.)
>> >
>> Assuming that one could extract the SCRAM hashes while they're still
>> valid, yes. XMPP lacks a way to require a password change (though I
>> intend getting that into SASL2), so there's not much mitigation here.
> How that? You need a preimage attack which doesn't exist even for MD5
> (ok, there exist some attacks, but not much better than brute force).

Well, MD5 is brute-forceable now - you can clock up a lot of them per
second on a stolen AWS account.

The advice I'm hearing is that SHA-1 will be in range within a couple
of years at the current rate of weakening.
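As an added illustration (not code from the thread or from any XMPP project), the SCRAM key derivation of RFC 5802 in Python, run on a constructed password and salt: it shows that what a server stores, and so what an attacker holds after "extracting the SCRAM hashes", is StoredKey = H(ClientKey), which must be inverted (a preimage of the hash output, not a collision) or brute-forced through the PBKDF2 loop over candidate passwords. The function names are the RFC's terms; the sample values are constructed.

```python
import hashlib
import hmac


def scram_keys(password: bytes, salt: bytes, iterations: int, hash_name: str = "sha1") -> dict:
    """Key material a SCRAM server stores for one user (RFC 5802 section 3)."""
    # SaltedPassword := Hi(password, salt, i), i.e. PBKDF2 with HMAC-<hash>
    salted = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)
    # ClientKey := HMAC(SaltedPassword, "Client Key")
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    # StoredKey := H(ClientKey); this is what the server keeps, never ClientKey itself
    stored_key = hashlib.new(hash_name, client_key).digest()
    # ServerKey := HMAC(SaltedPassword, "Server Key"), used for the server signature
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    return {"salt": salt, "iterations": iterations, "stored_key": stored_key, "server_key": server_key}


def client_proof(password: bytes, salt: bytes, iterations: int, auth_message: bytes, hash_name: str = "sha1") -> bytes:
    """Client side: ClientProof := ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    signature = hmac.new(stored_key, auth_message, hash_name).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def server_verify(record: dict, auth_message: bytes, proof: bytes, hash_name: str = "sha1") -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.

    Someone holding only StoredKey can compute the signature but not ClientKey; they
    need a preimage of StoredKey (a 20-byte HMAC output for SHA-1) or a password guess
    that survives the full PBKDF2 derivation, which is why the iteration count matters.
    """
    signature = hmac.new(record["stored_key"], auth_message, hash_name).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.new(hash_name, client_key).digest(), record["stored_key"])
```

The same functions work unchanged with `hash_name="sha256"`, which is the SCRAM-SHA-256 variant the thread is weighing as the upgrade path.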
