-
February 16th, 2005, 05:37 AM
#1
SHA-1 has been broken
SHA-1 has been broken, according to Slashdot.org
Nanolith writes "From Bruce Schneier's weblog: 'SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing. The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper announcing their results...'" Note, though, that Schneier also writes "The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team."
"Personality is only ripe when a man has made the truth his own."
-- Søren Kierkegaard
-
February 18th, 2005, 05:57 AM
#2
Looks like it's time to make the full switch to MD5...
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
February 18th, 2005, 06:00 AM
#3
MD5 was also broken a couple of months ago. I believe it was by the same group.
- X
"Personality is only ripe when a man has made the truth his own."
-- Søren Kierkegaard
-
February 18th, 2005, 06:30 AM
#4
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
-
February 18th, 2005, 08:33 AM
#5
Hi
MD5 indeed was broken by the same group of Xiaoyun Wang[1]. However, they have shown a collision attack rather than a preimage attack. But still ...
With SHA-1, the same group has shown a method to reduce the computational effort to produce a collision by more than 10 orders of magnitude. Still, 2^69 operations seem to be necessary - which is far from being computationally feasible.
Future? I am wondering whether a collision for MD5 and SHA-1 with a preimage attack can be created simultaneously. I assume it is perfectly safe at the moment to rely on the combination of MD5 and SHA-1 hashes.
Cheers.
[1] http://eprint.iacr.org/2004/199.pdf
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
February 19th, 2005, 09:24 PM
#6
More info
More information posted on Slashdot this morning:
"Details are out about the reported broken SHA-1 hash function. The findings are that SHA-1 is not collision free and can be broken in 2^69 attempts instead of 2^80. This is about 2000 times faster. With today's computing power and Moore's Law, a SHA-1 hash does not last too long. Using a modified DES Cracker, for the small sum of up to $38M, SHA-1 can be broken in 56 hours, with current computing power. In 18 months, the cost should go down by half. Jon Callas, PGP's CTO, put it best: 'It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off.' As Schneier suggests, 'It's time for us all to migrate away from SHA-1.' Alternatives include SHA-256 and SHA-512."
Source: http://it.slashdot.org/it/05/02/19/1...id=172&tid=218
"Personality is only ripe when a man has made the truth his own."
-- Søren Kierkegaard
-
March 16th, 2005, 05:20 PM
#7
Revisited:
Although alarming at first, I have revisited this issue a few times. Since almost everything I use is SHA-1 based. Can anyone say PGP and RSA? What has transpired here is the ability to duplicate the Hash far faster than anyone thought possible by generating and then detecting collisions. SHA-1 is a single component of a system using various techniques to protect data. Why do I bring up this old thread? I think the statement that it has been "broken" is a little over the top, but it IS a problem so what do we do?
The same methods can be used to detect hashes in MD4 by hand and MD5 in a few hours. These do NOT directly lead to a compromise, meaning someone can't just hang off the network and sniff your encryption, but they are definitely items that should be addressed as software is upgraded because they could impersonate your applications, which would be a much deeper attack.
There is a new variant of SHA-1 that produces longer hash functions (mentioned in AO as SHA-256 etc.); in fact the NSA says SHA-1 is fine, but should be phased out by 2010. But the NSA only uses SHA-1 for "unclassified" communications. To date, almost a year after the MD5 collisions were announced and then later the unpublished paper on SHA-1 (built off MD5), there has been very little accomplished. Why? Because it's a big concern but not an immediate threat. Meaning there are other glaring security issues taking up our time. Mostly poorly written applications that are infinitely easier to compromise than creating a duplicate hash.
I think it’s safe to say that a personal computer would take a very long time to duplicate a hash so threats are limited to governments and rich corporations at the moment. But using the NSA as a gauge; 2010 isn't that far off considering a quick inventory of what could cause issues in the very near future as the paper is circulated: PGP, RSA, .Net, EVERYTHING MS uses (IIS,SQL,kitchen sink), and our beloved SSL. Using longer SHA-1 hashes only makes the "method" longer in its process. The application of compromise is the same.
Sensationalism aside; so we wait and deploy fixes as they become available through routine maintenance releases?
References:
http://www.answers.com/topic/sha-family
http://www.addict3d.org/index.php?pa...curity&ID=3103
http://www.cs.ucl.ac.uk/staff/I.Brown/nts.htm
http://nsa.gov
http://nist.gov
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
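The thread's practical question (posts #5 through #7) is which deployed systems still depend on MD5 or SHA-1 and what the 2^69 figure means against the generic 2^80 birthday bound. The following inventory script is an added example, not code from any poster; the sample manifest lines it scans are constructed, and the digest-length classification and helper names are my own assumptions.

```python
import hashlib
import re

# Hex digest length -> (algorithm, output bits). Assumed mapping for the
# common digests; a 40-hex-character value is treated as SHA-1, etc.
HASH_BY_HEX_LEN = {32: ("MD5", 128), 40: ("SHA-1", 160),
                   64: ("SHA-256", 256), 128: ("SHA-512", 512)}
LEGACY = {"MD5", "SHA-1"}          # algorithms the thread says to migrate from
SHA1_ATTACK_BITS = 69              # collision cost quoted in the thread (Wang et al.)

HEX_DIGEST = re.compile(r"\b[0-9a-fA-F]{32,128}\b")

def classify_digest(token):
    """Map a hex digest to (algorithm, bits) by its length, or None."""
    return HASH_BY_HEX_LEN.get(len(token))

def generic_collision_work_bits(output_bits):
    """Birthday bound: roughly 2^(n/2) evaluations for an n-bit digest."""
    return output_bits // 2

def speedup_factor(generic_bits, attack_bits):
    """How many times cheaper the attack is than the generic bound."""
    return 2 ** (generic_bits - attack_bits)   # 2^(80-69) = 2048 for SHA-1

def inventory(lines):
    """Count digests per algorithm found in text lines (configs, manifests, logs)."""
    counts = {}
    for line in lines:
        for tok in HEX_DIGEST.findall(line):
            info = classify_digest(tok)
            if info:
                counts[info[0]] = counts.get(info[0], 0) + 1
    return counts

def migration_report(lines):
    """Return (all counts, counts of legacy digests that need replacing)."""
    counts = inventory(lines)
    return counts, {alg: n for alg, n in counts.items() if alg in LEGACY}

def sha256_fingerprint(data: bytes) -> str:
    """Replacement digest for a SHA-1 fingerprint, per the thread's advice."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample input (not real artefacts): a package manifest fragment.
SAMPLE_LINES = [
    "pkg-a.tar.gz md5=" + hashlib.md5(b"a").hexdigest(),
    "pkg-b.tar.gz sha1=" + hashlib.sha1(b"b").hexdigest(),
    "pkg-c.tar.gz sha256=" + hashlib.sha256(b"c").hexdigest(),
]

if __name__ == "__main__":
    print(migration_report(SAMPLE_LINES))
```

Run against real manifests or config dumps, the legacy count is the inventory the last post asks for; the speedup helper reproduces the "about 2000 times faster" figure from the 2^80 to 2^69 drop.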