In the morning we had a series of interesting papers: "Strengthening Digital Signatures via Randomized Hashing," by Halevi and Krawczyk; "Herding Hash Functions and the Nostradamus Attack," by Kelsey and Kohno; and "Collision-Resistant usage of MD5 and SHA-1 via Message Preprocessing," by Szydlo and Yin. The first and third papers are suggestions for modifying SHA-1 to make it more secure. The second paper discusses some fascinating and cool, but still theoretical, attacks on hash functions.
The last session before lunch was a panel discussion: "SHA-1: Practical Security Implications of Continued Use." The panel stressed that these are collision attacks and not pre-image attacks, and that many protocols simply don't care. Collision attacks are important for digital signatures, but less so for other uses of hash functions. On the other hand, this difference is only understood by cryptographers; there are issues if the public believes that SHA-1 is "broken."
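The panel's distinction is easier to see with a worked demonstration. The following is an added example, not code from the original post or from any workshop paper; it uses a deliberately truncated hash (32 bits of SHA-256, a constructed stand-in for a hash whose collision resistance has fallen) so that a birthday search finishes in well under a second, and an HMAC under a signer-only key as a stand-in for an RSA or DSA signature over the digest. The attacker who can find collisions prepares two documents of his own choosing, gets the innocuous one signed, and the hostile one verifies under that signature. Spending the same effort against a digest the attacker did not get to choose (a second-preimage attack) gets nowhere, which is why uses that rely only on preimage resistance are not affected by a collision attack.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed example: a deliberately truncated hash so that a birthday search
# finishes almost instantly. Real collision attacks on MD5/SHA-1 are far more
# clever, but they hand the attacker the same capability: two messages of the
# attacker's choosing that share one digest.
DIGEST_BYTES = 4  # 32-bit digest; birthday bound is ~2^16 hash evaluations


def weak_hash(msg: bytes) -> bytes:
    """Truncated SHA-256, standing in for a hash with broken collision resistance."""
    return hashlib.sha256(msg).digest()[:DIGEST_BYTES]


# Assumption: an HMAC under a key only the signer holds plays the role of an
# RSA/DSA signature. The property that matters is the same in both cases: the
# signature covers only the digest, so any message with that digest verifies.
SIGNER_KEY = b"signer-private-key (constructed)"


def sign(msg: bytes) -> bytes:
    return hmac.new(SIGNER_KEY, weak_hash(msg), hashlib.sha256).digest()


def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)


def find_collision(benign_prefix: bytes, hostile_prefix: bytes,
                   table_size: int = 1 << 16) -> Tuple[bytes, bytes, int]:
    """Birthday search for one message per prefix with the same weak_hash.

    Returns (benign, hostile, hash_evaluations). The attacker writes BOTH texts
    and only varies a junk suffix, which is why this costs about 2^(n/2)
    instead of 2^n for an n-bit digest."""
    table = {}
    for i in range(table_size):
        m = benign_prefix + b" [ref %d]" % i
        table[weak_hash(m)] = m
    j = 0
    while True:
        m = hostile_prefix + b" [ref %d]" % j
        h = weak_hash(m)
        if h in table:
            return table[h], m, table_size + j + 1
        j += 1


def second_preimage(target: bytes, budget: int) -> Optional[bytes]:
    """Attack on a FIXED message chosen by someone else: vary a suffix until
    the digest matches. This costs about 2^n; the birthday trick does not
    help, which is why a collision attack alone leaves preimage-based uses
    (checksums of files you did not author, HMAC tags, commitments) standing."""
    want = weak_hash(target)
    for k in range(budget):
        cand = b"evil" + b" [ref %d]" % k
        if cand != target and weak_hash(cand) == want:
            return cand
    return None


def demo() -> Tuple[bool, bool, int]:
    """Returns (hostile document verifies under the benign signature,
                second-preimage search with the same budget failed,
                hash evaluations the collision search needed)."""
    benign, hostile, work = find_collision(
        b"Pay $100 to Alice", b"Pay $1,000,000 to Mallory")
    sig = sign(benign)                # victim signs the innocuous document ...
    forged_ok = verify(hostile, sig)  # ... and the hostile one verifies too
    # Same work spent against a digest the attacker did not get to choose:
    second = second_preimage(b"legitimate-release.tar.gz contents", work)
    return forged_ok, second is None, work


if __name__ == "__main__":
    forged, preimage_failed, work = demo()
    print("hostile document verifies under benign signature:", forged)
    print("second-preimage search with the same budget failed:", preimage_failed)
    print("hash evaluations the collision search needed:", work)
```

The takeaway matches the panel's point: a signature scheme is only as strong as the hash's collision resistance because the attacker gets to pick both messages, whereas a verifier checking a digest of a message the attacker did not author is relying on (second-)preimage resistance, which these attacks do not touch.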
Niels Ferguson pointed out that the big problem is MD5, which is still used everywhere. (Hell, DES is still everywhere.) It takes much longer to upgrade algorithms on the Internet than most people believe; Steve Bellovin says it takes about one year to get the change through the IETF, and another five to seven years to get it deployed. And that's after we all figure out which algorithm they should use.
Georg Illies gave a perspective from Germany, where there is a digital-signature law in effect. In addition to the technology, there are legal considerations that make it harder to switch.
The panel seemed to agree that it's still safe to use SHA-1 today, but that we need to start migrating to something better. It's way easier to change algorithms when you're not in the middle of a panic.
There was more talk about algorithm agility. This problem is larger than SHA. Our Internet protocols simply don't have a secure methodology for migrating from one cryptographic algorithm to another.
Bottom line: Don't use SHA-1 for anything new, and start moving away from it as soon as possible. To SHA-256, probably.
And now it's lunchtime.
(Via Schneier on Security.)