Slashdot Mirror
SHA-1 Broken
Nanolith writes "From Bruce Schneier's weblog: 'SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing. The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper announcing their results...'" Note, though, that Schneier also writes "The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team."
And I just got done upgrading from MD5.
For those interested, here is the actual detailed/lengthy FIPS PUB 180-1 from NIST, as typical, Wikipedia has a nice summary, and the W3 Folks have a short snippet ...
So... anyone care to explain exactly what SHA-1 is?
the world is ending!
Had to happen, didn't it?
No algorithm is all-powerful - it only withstands attacks for so long.
The strength of the algorithm lies in how long it can stand up - to attacks and to future technologies.
It is when Bruce Schneir says so.
I'm not sure if this post is news or what, but for more info, click here:
http://www.itl.nist.gov/fipspubs/fip180-1.htm
I've now got to go recode many many applications. We've been scrooged folks! My comment starts with Oh and ends with a word very similar to fsck.
But I still won't believe it till Netcraft confirms it!
A lot of companies and products use SHA1 in some form or another. Does this mean that we can arrest and imprison these "researchers" if they ever step foot in America?
Time to change the VPN policies
... to SHA-2!
Yes.
Look at the source.
If you don't switch to the newest, latest hashing algorithm, you will die horribly when your corrupted emacs RPM performs malicious code!!! Everyone, delete everything and log off of the Internets now!!! We're all gonna die!!! HELP!!!
"Anyone who attempts to generate random numbers by deterministic means is living in a state of sin." -- John von Neumann
Same group of people that found the MD5 Hash Collision. Self references and the MD5 paper.
Steal This Sig
This may be a big deal, because if I understand correctly, SHA-1 is a similiar algorithm to MD5, which is commonly used to uniquely identify files. If that could be cracked using a similiar technique, a better method of hashing files may have to be found.
thisnukes4u.net
/me /me wishes security were easier
Log into VPN Firewall
Check VPN settings
Notices SHA for authentication type
Swears
Checks other option, notices {none} and {md5}
scratches head
decides to go with MD5 until that too is broken
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
With SHA-1 being MD5's replacement after that was broken, which hash function do we use now?
boldly going forward, 'cause we can't find reverse
Another reason to avoid IPsec and WEP.
Is there a self-boot disc on non-modded xbox's in our near furture?
. ht ml
http://www.xbox-linux.org/docs/projectboverview
Until Netcraft confirms it.
wait a sec....no MD5 and no SHA-1. what is going to take the place of those things? something like anubis or whirlpool?
maybe more people will use GPG now!
Keep the faith, share the code
SHA-1 Hash Algorithm and Source Code.
Creative Demolition
Why is it they found a hash collision in, but could not break, MD5; but have apparently broken SHA-1? This could just be due to a quirk of the respective algorithms, but it could also mean that the nature of their SHA-1 paper purported by the weblogs is mistaken.
...at least we still have SHA256, SHA384 and SHA512.
That said...PWN3D!!1!
You can hold down the "B" button for continuous firing.
Long live ROT-13.
Maybe crackers would stop messing with our encryption if it was extremely easy to deal with.
SupahLeetCodah: d00d i just cracked SHA-1 and MD5,6 AND 7!!!1
Steve: So did my grandma and my proctologist.
ItWasFree.com - Take the mystery
Is it time to update bittorrent?
How hard is it going to be for people to provide garbage data with correct SHA-1 hashes to screw up downloads?
Rats would be more funny if they could fart.
The hashing is done by mathematic operations, so I'm sure something like SHA can be "cracked" almost (almost because they're just hashes and not full files) like solving an equation, right?
You can hold down the "B" button for continuous firing.
We (possibly? probably?) can't trust MD5 anymore, and now SHA-1 might have fallen. Does anyone know whether their exploits are overlapping? If not, can we reasonably move to H(x)=MD5(SHA-1(x))? Are there any other good hash algorithms working their way through the pipeline?
Dewey, what part of this looks like authorities should be involved?
Too bad Digital Fortress does not really exist.
I just finished compiling it an hour ago, and then I see this announcement on Slashdot! This always happens.
One collision in 2**69 operations... that's quite minimal...
Sure, for signatures, it means that you can't trust the algorithm 100% anymore.
But for storing passwords, and other operations where collisions are not important, it doesn't matter much, even if there's another password that can generate the same hash, you still need to brute-force it.
It's the end of the world as we know it...I can already feel the foundations of civilisation crumbling beneath me.
there's rumors on the uh, Internets that we're going to get owned with this SHA1 thingy. (Forgive me, I'm from the Bronx.)
You can hold down the "B" button for continuous firing.
Doest not affect HMAC. So it does not affect IPSEC and WEP.
RTFA.
I'm not a cryptographer, just a nerdy engineer, but let me explain my rationale: a hash algorithm takes an arbitrary message and generates a fixed-length signature that has a high probability (10**50 or better for most modern algorithms) of being the original.
Let's assume that your hash algorithm generates a 128-bit hash. Anyone who knows anything about probability can see that is the original message is greater than 128 bits, there MUST be more than one message that will generate the same hash. For long messages, there may be thousands or millions of messages out of a filed of 10**50 (or better) that have the same hash, although many of them will be meaningless garbage.
So SHA-1 has been broken by a group of cryptographers/mathematicians. Does this really mean that they can generate can alter any message in a way that will generate the same hash as the original, thus fooling the math that we use to validate content? No Way! I read Bruce Scheier's Cryptogram every month and he often makes the same argument.
So yes, this means that from a long-term systems security standpoint, we should all move to stronger hashes. Does it mean that SHA-1-based transactions are inherently secure right now?
I think not!
The only problem is that I can't show you the paper or demonstrate it for you. OH yeah, I also have a lottery drawing app that'll give you the powerball numbers for Friday...
oops I accidentally highlighted 'fucking' from your post instead and searched for that
I am outraged! Does this disgusting thing called 'fucking' really happen ? I must know.
A marketing guy has a bright idea:
"Hey Bob, I was in the airport the other day and these two geeks were talking all about SHA-1. Said they read about it on Slashdot, and a Chinese research team was spending an awful lot of time working on it. We should definitely put this SHA-1, whatever it is, into the next release of our products. Send a memo to the development managers, and call our guy over at Gartner."
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Is SHA-1 used in x509 digital certificates, and if so does this mean that people can forge digital certificates ?
If someone can do this, then what are the liability concerns for certificate issuers (or even their customers) ?
md5 has already been broken.
From what I understand, then, the concern is that attackers can craft a message that will hash to the same value, and then attempt to claim that the crafted message was signed by the signer in question, but in fact it was not.
Could someone please explain scenarios where a flaw, such as the one illustrated in this article, could be used to actually craft an attack. What would be a realistic scenario where one would need to be concerned with this flaw?
Eshcuse me shonny, d'you know where I can find shome booty^H^H^H^H^Hshource code?
You can hold down the "B" button for continuous firing.
If this definite break is confirmed, I think we will need to conclude that the entire family is suspect for any genuinely important purpose.
There are a bunch of hashing algorithms on the Hashing Function Lounge that are listed as having no known attacks. At present, the most widespread is Whirlpool. I think it likely that one of these will replace SHA as the hashing function of choice in major cryptographic areas.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
No, that would be one application of a hash (and not a very good one, because someone wanting to mess with it enroute could just re-hash the doctored version and pass on the new hash. What you discribe could be a way to check for accidental errors, though.). A hash is a function that given data gives a smaller amount of data. This smaller amount of data is then also called the hash of the origonal data. A good hash function has the property that if you know the hash for a file, you shouldn't be able to come up with another file that has the same hash without a prohibitive amount of work. A hash function is broken if this property stops holding.
This post written under Gentoo-linux with an SCO IP license.
It's not like MD5 is Any Better
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
From someone who is not at all involved with encryption: who's Bruce Schneir?
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
Finding a single collision after a huge search isn't the same as being able to generate a collision on demand, which is what the SHA-1 breakage apparently purports to be.
xbox uses sha-1, does it mean u won't need modchips?
discover Charamel, the best firefox theme around. http://members.shaw.ca/lucx/
Bruce sits at his desk, reading over the encrypted e-mail sent to him about breaking SHA-1, when a loud scream echoes from his office
I JUST SENT OUT MY NEWSLETTER THIS MORNING!
Slackware, what else when it must be secure, stable, and easy?
Yeah, I did RTFA, and the first comment echoes my thoughts: what about the extended-round variations on SHA-1, with the 256, 384, etc.-large rounds? Does the attack on SHA-1 also apply to these variations?
OTOH, this attack indicates that other types of attacks may be found sooner than was previously thought. So it is still a good idea to move away from SHA-1 in the medium to long term. Though it's not entirely clear what you should move to. And it is not certain that more attacks will be found soon.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
Fucking Google It
I think that alot of us are wondering right now.. how long has the Chinese government known about this? (and how long as the NSA known)
i dont understand when people say that a hash algorithm has been broken.... suppose u hash a data object worth 4 MB to obtain a 160 bit hash, then does have cracked the algo means u can "get" back the original data. ofcourse not!!! otherwise you have just achieved super compression.
~~bada bing, bada bang, bada bong and voila~~
You're all reading into it and assuming it wouldn't be encrypted with a public key a la PKE/PKI.
Remember, its just a simplified explanation of how one can use a hash (with data Integrity as an example).
"On a scale from 1 to 10, people are stupid"
I love how you link that like you're mister high and mighty and you don't spell his name in the link right. I didn't either, but I have ethos. I'd never heard of him before. =)
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
2^69 hashes would constitute a 'huge search' in my book. I guess it doesn't in yours; or you didn't RTFA :)
Bruce Schneier is the motherfucking man.
Uh, it still requires 269 operations. But I can't seem to find out how that compares to MD5 breakage.
www.timcoleman.com is a total waste of your time. Never go there.
The MD5 crack team....
http://www.md5crk.com/ (wayback archive)
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
"The copy prevention system of Microsoft's Xbox game console relies on the security of SHA-1." -- The all knowing Wikipedia
Maybe now we can crack some XBox stuff and run homebrew code on a homeburned dvd (dual-layer, of course.) Please correct me if I don't understand something. I thought M$ used RSA or something to encrypt their games and used SHA-1 signatures as checkpoints?
Illegal? Samir, This is America.
Does anyone actually use md5 or sha-1 for anything worth protecting?
;)
Seriously... I don't even use them for hashing my passwords any more. Now it's BFS (blowfish) and AES.
About all I trust md5's and sha-1 for are CRC type checks.
Just my two cents... maybe I'm just snobby about my hashes
/dev/random
Clinton signed a bill that ceased the definition of cryptographic algorithms as munitions. Now there is no strength requirements, checking by the NSA, nothing. Like since 96.
Where've you been?
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
That's supposed to be 2^69. Now, 269 -- that would be a story!
www.timcoleman.com is a total waste of your time. Never go there.
I have barely any cryptography knowledge, but would the SHA series be any safer if the size of the data was part of the signature? From glancing over Bruce's post (and remembering how MD5 and others were broken), data has to be padded. You can't just change arbitrary bits and produce the same signature. So, couldn't you just add the size of the file to the signature? Does that decrease security, because the size is now known?
So even if the SHA-1 family is flawed for the reason given in the article, all is not lost since they just reduced the work by a couple of orders of magnitude. If you go to 256 bit or 512 bit hashes, you're definitively going to be safe for much, much longer (since even if the given attack works twice as good for 512 bits, you would need many more centuries to try out the same percentage of the keyspace).
However, the real problem is that todays OpenSSL and libgcrypt (gnupg) libraries don't even have support for SHA-2 (I just tried to find it). So it will actually take quite a while before this can be adopted. And that's the real problem.
I just want to say "What's UP?" All of this NONSENSE that popped up a while ago about MD5 being "harmful some day" is really PALE in comparison to "SHA-1 has a theoretical attack" let alone "SHA-1 has been broken." I want to give proper acknowledgement for all of the people who try really hard to stay in the ACTUAL world.
--- Nothing clever here: move along now...
It sounds like it may be possible for someone with a few weeks use of a supercomputer and the will to spend the corresponding thousands of dollars on computing power may be able to generate a file with a SHA-1 collision of the file you're downloading
How hard will it be for the MPAA to sweet-talk the National Security Agency into believing that copyright enforcement is a national security issue and letting the studios use the NSA's crypto cluster?
Is anyone really surprised by this? In the long run I don't think there is a hash algorithm (or crypto algorithm for that mater) in existence that will not be broken, either by increased computational complexity or some mathematical flaw.
The thing I use these hash algorithms for the most is generating unique ID's without having to think about it too much. I don't believe I am alone either; I don't do a lot of cryptography. Still, I'd like to have a better understanding of the properties of each algorithm, and the class of activities it is good for. A chart along these lines would be neat: "algorithms good for file verification", "algorithms good for password hashing", " algorithms good for higher security needs".
If we start to think of hash algorithms in terms of functional classes, it will be easier to develop drop-in replacements for each of them (something we will need as algorithms keep getting bumped off of the "acceptable" list).
...En að Besta Sem Guð Hefur Skapað Er Nýr Dagur
Check this article: Federal agencies have been put on notice that National Institute of Standards and Technology officials plan to phase out a widely used cryptographic hash function known as SHA-1 in favor of larger and stronger hash functions such as SHA-256 and SHA-512.
Your sig is a wild unsourced lie.
Shouldn't it be renamed IHA (insecure hashing algorithm) or maybe NQSSNIIHA (not quite so secure now, is it? hashing algorithm.)
Fiid - Ryhmes with Squid. Software Engineer
I reazlized it was wrong (I checked to make sure the link worked before posting it), but I wanted to show you that a simple search would have gotten you the correct spelling and the info you wanted. When I tell people to "fucking google it" I make the search something logical that they could ahve done themselves. That was the search that you would have (could have) done.
And I dont do it to be high and mighty, but semi-comical and informative at the same time. Don't take that link the wrong way, it's just a way to give the person the info while making a bit of a point at the same time.
BTW:
Disabled US vets 10 yrs after Viet Nam: 10%
12 yrs after Gulf War: 89%
Stop uranium inhalation poisoning!
What exactly is your source on this? According to an anti-military news source quoting the DoVA:
Of the 504,047 eligible for VA benefits, 149,094 (29%) are now considered disabled by the VA eleven years since the start of the Gulf War; and...
29% is a big number, but 29% != 89% last time I checked. Also, there are many other explanations other than uranium dust, like chemical weapons in theatre. But I don't think facts probably matter very much to you.
Applications that would be broken by this are long-lived cryptographic signatures. Indeed, when a document is "signed", usually only a hash of the document is signed. Finding collisions means one can find two different documents with the same signature.
This affects all applications using SHA-1 for signature, that is signed email (whether PKIX or PGP), server certificates (which are signed documents). This should be mitigated by the fact that in order to be really usable in some cases, the collision must also be meaningful. That is if you find a collision to a signed email but if it is meaningless, you won't really be able to use it to spoof an email. It depends on the attack quality whether collisions are "meaningful" or not.
Some applications that should not be broken are the use of SHA-1 for key derivation, i.e. where one uses SHA-1 essentially as the basis of a random function to generate deterministic new keys from a pre-shared key. (I think that's what Schneier meant by HMAC applications.)
Also, some short-lived signatures should still not be realistically breakable in the time that they would need to be for an attack to be successful; short-lived signatures are typically used in protocols such as IPsec or SSL for authentication. Additionally, to mount an attack on some of these protocols an attacker would need to generate a collision involving "unpredictable" data coming from another party, which the attack may or may not allow.
... it looks to me the only solution is wipe Jinan city off the map.
Now where did I leave my nukes....
huuuh?
I haven't a response as generic in awhile. I guess thinking about things hurts.
Transcend Humanity. Please.
We need some sort of digital signature...
D'OH!
Which of course is available for that ever so wonderfully secure os called OpenBSD ;-)
Q: Which hash function do we use now?
A: rot13. Not only is it easy to implement, it can be mathematically proven to be collision-free.
V guvax lbh zrnag, "Gunax Tbq EBG-13 jvyy arire or penpxrq."
i'm a little confussed - how can there not be a collision when there are 256^(as big as your hard drive can hold) possible inputs and only 2^160 (or 2^64?) possible outputs? by the pigeonhole principal, there'd have to be atleast one collision since, at 21+ bytes, there are more possible inputs than there are outputs.
Prankster: Is your SHA-1 broken?
Techie: Yes.
Prankster: You better fix it, then.
Why is more important the announcement than the actual data? Why make such a fuzz about it when they don't have any proofs? They should hold the announcement until they can provide people the two blocks of data that share the SHA1 sum.
Federal agencies were recently told to start switching to SHA-256 or SHA-512. Here's an article detailing this that just came out a week ago.
However the term "broken" is a pretty questionable term - the paper apparently details a method of breaking SHA-1 using brute force in only 2^69 operations, versus the theoretical strength of 2^80. It's a hell of lot fewer operations, but it's still pretty high on the strength scale.
Maybe his sense of humour fell through a one-way hash function some time back, but it's pretty clear from context that he's kidding.
--MarkusQ
Now I know why my site doesn't work anymore. SHA-1 is broken. Digest::SHA1 won't produce any hashes for me anymore, and I tried to debug the issue but couldn't work out what was going on. Thanks for letting us know SHA-1 is broken Slashdot. I wonder when it will be fixed?
Realistically, if I gave any of you people a .txt file encrypted with DES and said that if you can crack it in 3 months I'll give you $15k.. would you be able to? I rather doubt it.
2^69 is still a plenty big number for me. I'll worry in a few years when CPUs are faster
It never fails to crack me up how people freak out about theoretical weaknesses in cryptography but have $25 locks on their homes that any crook with a fork and a nail could open.... and steal your computer if not axe you to bits.
but, but.. SHA-2 will save me!!
CommentBot 0.7a running with args "-module irritate,disagree -target random"
http://shit.slashdot.org/article.pl?sid=05/02/16/0 146218
Damn, I'll have to convert to ROT-15 minus 2 now, just to throw 'em off the scent.
You can allways use two hashes. Hash the stream once with SHA1-384 then Hash it with MD5. The chances of a double collision are nill.
is that it's considered a munition if it's designed for military use. An expert review panel is supposed to make that decision. And this is only if the Secretary of Commerce or the DOJ say something.
:-)
Which they haven't... so... don't worry about.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
which was much more restrictive and is why stuff like netscape and IE only had 48-bit encryption for awhile. But that was mid-90s. That distinction went away when the version 4s came out, remember?
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
The article says that 2**69 hash operations are needed to find a collision. If you have a SuperHashOMatic that can do 1 Billion hashing operations per second, thats still an average time of about 18700 years.
In order for the time to be something to be concerned about (~10 years), you would need a machine capable of doing 1.87e12 hashing operations per second. Thats 1.87 TRILLION hashing operations per second.
Ah, but what about distributed computing?
Let's assume that there are 1 billion desktop computers working on this project. Then they must be able to do 1870 hashing operations per second. This is a ridiculously large number for today's implementations (mine gets 100 per second, most could do about twice that).
So is it bad? Somewhat. Further breaks could make it worse.
We should move away from SHA-1. But this isn't not the end of the world.
I think security is only a matter of how long, or better, how much energy, the attacker has to take to break the system.
As far as I know, if I hash a password with MD5 or SHA-1 (or both, why not compare both hashes), I really must have major critical data if these methods are not "secure" enough for it...
As already mentioned, this only big issue is for digital signatures, but I could even say: if you can find a colision by generating two valid documents (can open in a reader - PDF for example), you deserve and I could even accept the fact you cracked the signature.
* Hey, it tooks me only nine years to crack the signature you applied to the email you sent me doesn't make sense for me.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I just tried it and got "dsfhlsagfd". I guess this means it's pretty secure!
The roots of education are bitter, but the fruit is sweet.
--Aristotle
Note that what cryptographers consider a "break" is not necessarily the same as what users consider a break. (Neither is more strict, they are just different criteria for different people).
In this case, the researchers from Shandong University (supposedly) reduced the work required to find a collision from 2**80 to 2**69; this is a major cryptographic result. It is major because SHA-1, as a "cryptographically strong hash", is not supposed to have any attacks better then random. A factor of 2**11 reduction shows SHA-1 to be very far from ideal; and since lots of clever people have tried to show this, the research team should be proud.
Does this mean the bad-guy-of-your-choice can now start forging digital contracts? Not yet - there is no guarantee that the collision will be meaningful (as least their earlier papers didn't show that result). For a forgery to be useful, the forger needs to make the fake message say something useful - may be change the $1 to $1 million, or change the name, or something. A collision at a random place (or a non-sensical string) is essentially useless as a forgery (there may be some interested DOS attacks, but I am talking about outright forgery which is the point of the hash functions).
And lastly, 2**69 (roughly 10**21) is still a big number! Assume that some clever people wrote a super-duper hand-optimized code that does a whole SHA-1 in a micro-second on a late model 4 Ghz PC, that is 10**6 hashes/sec. A grad-student using all the PC's on a campus, say ten thousand, that's another 10**4. This would take 10**11 seconds (or roughly 20K years). Note that for SHA-0, their break is 2**39 operations, which *is* practical - it would take the grad student only a minute, or a single PC a week.
This break is yet *practical* for *most* people. (Would I still use SHA-1? Not in new application, and I make sure that existing applications get changed over eventually.)
Lest I be accused of ignoring the big boys, the equation changes for them. If a Three Letter Agency is willing to invest a lot of money and design some cool chips that has awsome parallelism and everything, then each break may take only a week. For example, assume these chips has a bunch of pipes that can do a hash every nano-second (or 10**9 hash/second). Further, say there are 100 of these pipes per chip, 100 chips per board, 100 board per rack (or 10**6 pipes/rack). Each rack can then do 10**15 hash/sec, With such a magical rack, it would take 10**6 seconds (or just under two weeks) to find a collision. This would cost Some Real Dollars, but is it within the budget of some three letter agency? You bet. Hack, I would be willing to sell you one for under a billion dollar US. On the other hand, for that kind of money, cryptanalysis takes on different textures - why spend a billion to crack SHA-1 when you can buy the right wet-ware unit for a million?
The problem with using SHA-1 for IDs is that you have a (very minimal) chance of collision: two users could have the same ID.
To get around this, append the time as a hexstring to the hash.
In php:
$id=$hash.dechex(time());
This way, you would need to get a collision at the exact same second of creation of the ID, which is nearly impossible.
.... So these hashes are still good for uniqueness out to 2^32 size fingerprints?
What's the best hash for file fingerprinting, for stuff like version databases, tripwire, etc?
It's gone from being a billion times easier, to a half a billion times easier, to just simply find the person responsible and beat any necessary data out of them with a baseball bat and/or knife. Which is cheaper? Extensive studying of cryptography, thousands of dollars of computers, and an extremely long waiting time in order to brute-force something? Or just buying plane tickets, a blunt object, looking up the person's address on MapQuest, and having Cousin Luigi pay a friendly visit?
Parent poster is an IDIOT. And you mods, who dont read RTFA, or even the SUMMARY, are even WORSE... you are pathetic sheep and I pity your pointless existence.
Parent is trying to be funny, dammit.
It's flamebait if they're trying to get flamed. They're trying to amuse.
It's only an insult if it's not true.
Wild yes, but the source is here and it's apparently not a lie.
My understanding is that with MD5 they had found collisions but had not found a collision function. That is, they found values which collide with one another, but they don't have a procedure that can take in some arbitrary value X and return a collision Y.
Is there something I misunderstand, either about the nature of what these people found, or about what it means to have found a collision in a hash function?
If you get to specify your own algorithm for creating an id, why not just specify a monotonically increasing number? (user number 1, 2, 3, ..., 18663, ...)
(or reviewed April ...two months from now
depending on implementation date vs announcement date?)
What someone really ought to do is use ROT-7.5 twice to decrypt ROT-13.
Si la vida me da palo, yo la voy a soportar Si la vida me da palo, yo la voy a espabilar
For example, if my password is "foobar", then the server does not store "8843d7f92416211de9ebb963ff4ce28125932878" as the hash, but perhaps the hash of "foobarDKTUHRAOHL" or "19747e26b86ee7939c046c0171a991926f0e01ae". The salt value "DKTUHRAOHL" is stored on the server and never revealed to anyone. So, even if somebody knows the hash value "19747...e01ae", they cannot come up with another string of characters that hashes to the same value, because even if they could, the value they enter in an attempt to hack my account is appended with "DKTUHRAOHL", rendering (almost certainly) a different hash value.
Now, if they know the salt value, the problem becomes equivalent to finding a string ending with "DKTUHRAOHL" that hashes to "19747...e01ae." However, if someone has gained access to a properly secured server's salt values, you have a large problem on your hands indeed.
Having said that, it is very hard to explain how the contamination of Basrah occured, because almost all the time during and after the 1991 battles when uranium was being released, the prevailing winds would have been blowing them away from the city. Some people have suggested some kind of food-chain contamination, relating to either goats or birds.
There is a collection of peer-reviewed medical research on the subject here.(This is not meant as a comment on the security of HMAC-SHA-1.)
plznofeedingtrollskthxbye
Because it may be possible to exploit weaknesses based on the number. (For the same reason, the use of sequential numbers for TCP Sequences and Process IDs is discouraged in secure OS'.) It is generally considered better, from a security standpoint, to not have anything predictable by a potential attacker.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
A simple chart, mapping functions to, well, function, would be relatively easy and inexpensive on time and effort.
A much more arduous version would be to have a "league" table, where each league represents a class of activity. Each function could then be scored according to the attacks relevent to that activity that it survived or failed.
This would allow you to compare all functions for any given activity, even if some/all of those functions failed to measure up in other activities. It would also allow for a representation of the magnitude of a failure. Is a failure theoretical? Problematic under limited conditions? Or an absolute all-out disaster?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
When are they gonna fix it?
Do not read this sig!
Damn, just stumbled through the paper on Whirlpool - wow, that is very nice. Downloaded the ref code already and will have a few evenings of digging through new code; always a good time ... well, some of the time anyway (perl, i'm looking at you, sweetie).
.... nags at me you see. They have a very real, very serious intrest in having the most secure, assured, and proofable encryption/hashing/etc algos in the world. Great for them, i'd just like to stick to something from someone else for now ... in case our views of 'private' and 'no-longer-private-for-citizens' begin to differ.
Anyway, you guys should check that paper out: This is a link to their page. Good stuff.
Something else that's nagging me about SHA-1 (and the other SHA family members). Call me paranoid or whatever you like, but we all know the NSA has had the best hardware on the planet for a long time, probably more than just a few razor sharp minds come through (money does talk from time to time), and well, it just does sit plausible with me that a 'perfect' hashing algorithm (or any other for that matter) would be released to the public by the NSA. Let 'em have this flawed one, see what they do with it, can they can break it, see if they break it, if they do, release the next in line of closer-but-not-the-real-deal algos. Just
Yep. This ain't no group of crackpots nobody's ever heard of. I would be shocked if they didn't do what they said they did.
In my opinion, a "real world" attack would be one which given a blob which has already been hashed, would come up with another blob which results in the same hash. To my knowledge, nobody has any useful attacks in that direction yet, although some would argue based upon this research that it may just be a matter of time.
Then we of course need to get into whether that is really useful either. If I find out that and results in the same hash, how helpful is that to me? How is a lawyer is going to prove to a jury that I may have actually signed the garbage instead of the purchase agreement? So, there is even more work to be done to make it a useful real world attack, wherein you might take the original signed text (modified for your evil purposes), append a null character, and then add garbage until the hashes are equal--and hope the UI was poorly written and just displays up to the first null.
Check out our infosecurity industry blog: http://securitymusings.com/
The restrictions on crypto export were relaxed in early 2000
In general, we can say that there are infinitely fewer hashes than there are possible data objects you may wish to hash, and therefore there are infinitely many collisions. We can also say that for an N bit hash, at least one collision must occur over a range of (2^N)+1 values for the initial data object.
However, if the collisions occur on a totally cyclic basis, it doesn't matter if there's only ever one within that range. You know where it is, without the bother of looking.
Therefore, the strength of a hash can be measured as a function of two properties:
Bit operations have tended to be used, because they're fast and they allow some control over these two parameters. Other than that, there is no particular merit in using them.
Cellular automata can produce some excellent one-way functions. Their behaviour can also be far harder to predict, if the algorithm is good. However, they are computationally very expensive and getting a usefully strong algorithm is much harder than with bit manipulations.
Transforms are not generally considered one-way, because 99.9% of the time they are only useful because they are two-way. I've not really looked into how transform operations are used in hashes, but they presumably have some strengths.
(Transforms in cryptography, where you want to go from one domain to another and then back again, would make sense. They would also be useful for encryption modes, for generating the new encryption key for the next block.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
It is interesting to notice that on gnupg, if you are using DSA keys, you can't use SHA-2 hashes (SHA256+).
So, your best options are still SHA-1 and RIPEMD160.
Or revoking your DSA key and making a new RSA key. That way, you can use up to SHA512 hashes.
morcego
I said *append* the time to the SHA1.
;-)
Before:
hash + zero-lenght string
After:
hash + sequential number
Sequential number is less predictable than the zero-length string
I read on one site - in answer to the question "What's the big deal - is 2**69 really all that bad?"
That's 2**11 less operations. Let's say breaking this (2**69 ops) takes the NSA a week. If it had been 2**80, it would have taken 2048 weeks, or 39 years. If it would have taken the NSA (or whomever) a year to break SHA-1 before, it could be broken in 4 hours.
My guess would be it would still take a lot longer than a week - but would now be in the realm of possibility, whereas before it would have been in the lifetime(s) range. However, this is totally a wild-assed-guess, based on the assumption that it was expected to take 100+ years before this to crack.
This sig donated to Pater. Long live
What one-way hash algo should we use instead?? I think I'll wait for the NSA to recommend another.
Authority questions you. Return the favor.
How does decimal keep creeping into these nice binary number discussions? Maybe use hexadecimal if you really need to.
Transcend Humanity. Please.
haha you been pWnd by Chinese! Again!
This message has been hacked by the Chinese!
Same researchers announced some vulnerabilities in MD5 and SHA-1:
f p;512;fpid;710205681
3 8
See:
http://www.arnnet.com.au/index.php/id;1503863220;
Researchers have discovered a flaw in the MD5 algorithm that is used to provide a unique signature for data.
Xiaoyun Wang, a Chinese expert, and three colleagues have discovered the flaw in the hash function algorithm, which is used in applications, such as EMC's Centera content-addressable file store. The flaw was revealed at the Crypto 2004 conference.
Also:
http://www.rsasecurity.com/rsalabs/node.asp?id=27
* The hash function collisions recently discovered have minimal practical impact at this time due to the limitations discussed further. It is not clear that these research results can be turned into practical exploits on most typical uses of these hash functions, so there is no immediate need to replace hash algorithms.
* As a precaution, applications using a legacy hash function described as vulnerable should upgrade to the NIST-approved SHA1 or SHA2 family of algorithms (RSA Laboratories suggested a migration to SHA1 in 1996).
* Applications using SHA1 do not appear to be at risk, but conservatively, developers may also consider planning an upgrade to the SHA2 family in the next few years.
information wants to be free!!!
So basically, you're completely failed to substatiate 89% or its connection to DU. (Your own number above is 56%; again, I think it is inaccurate, but you appear to be coming off the 89% number..) Anyways, whether 56% is true or not, 56%!=89%, also.
Incidentally, 12-18% of people 18-64 have some form of disability according to the 2000 US census. 29% is really not that much more than 18%, especially when mental/anxiety/PTSD effects are considered.
I am not a cryptographer but shouldn't it be possible to use MD5 and SHA-1 for the same piece of text together. How likely is the hash sum for a particular text to be cracked for both the algos and have the same modified text. Will it make it a bit more tougher to be cracked?
518,739, the figure from late 2004, is 89%.
Compare that slope to Basrah's birth defect incidence graph from the table in this report.
Hashes have nothing to do with privacy.
You can stop your racist fear-mongering now.
Now that your law suit has ended, how about releasing your cryptography lecture material in the internet?
What you have to figure is that with any hash thats shorter than the max amount of data, then the possibility of collisions will occur;
figure that if you could represent every possible combination in 128 bits, you would never need to have 129 bits of data.
Because this is not true all hashes will have collisions. However the chances of multiple hashes all having collisions with altered data is 'pretty damn slim'. So therefore the best solution, most likely in the future, and presently is to authenticate messages, identification (ala ssl certificates**) and binaries with multiple hashs known to be reasonably strong. One doesnt need to be a cryptologist to realize that using something like md5, sha256 and like ripemd160, the chances of collision in all 3 hashes are quite slim, and within the range of acceptable risk.
A better idea is to use UUIDs, where these problems have already been considered, and systematically handled. On Linux, just read from /proc/sys/kernel/random/uuid.
as long as they show the results, it can be verified.
in theory, given a hash number, it takes centuries to find the collision.
given the hash number, if you could come up with a collision in days or even in months on your PC. that means you break the code.
in order to believe it is broken, you don't need to know the details of the alorithm.
More than 6 months ago, papers were going around telling people to 1. Stop using MD5 as a secure checksum immediately, and start moving away from SHA-1 as it's security was becoming more vulnerable by the day. Researchers reccomended moving to SHA-256 to prevent accidental breach of data security (sooner, rather than later). There have been many different cracks involving SHA-1 (albiet simplified versions, but you just knew more would eventually be coming). Well it's here now! SHA-512 here we come!
I'm not sure if you are talking about retrieving the original file from the hash, but if you are, then you don't understand what hash functions are for.
Dude, when they release a new morphix iso I save tons of bandwidth by downloading the md5 then reconstructing it from that. You wouldn't think they'd be able to fit 0.7G in a dozen or so characters, but that's the marvel of encryption! No more wasting CDs; I just jot the OS down on a scrap of paper or failing that, my arm.
Explain to me why this isn't useful for compression?
I know it's next to impossible to create the data from the hash but shouldn't it be theoretically possible?
If the hash reduces the possible files which match it by 99.999% then shouldn't it be possible to send that much less data?
I'm actually working on an app that was going to use SHA-1 for integrity verification. I may just stick with SHA-1 because I'm not terribly familiar with the other options out there in this realm. So ideally, what should new apps use these days? What would be the recommended "safe" algorithm? And can I find a nice, tested C library/code for it? :-)
Hexy - a strategy game for iPhone/iPod Touch
There is no way in hell you can hash a 700MB file in 0.01 seconds.
A couple of years ago, I was fooling around with random number generators and wondered if a random search of a space (used generically as a range of values) would be faster than a linear search through the same space.
The answer, in my small tests, was yes. I only got up to a couple of thousand digits before I got bored, but the random search tended to beat the linear search about 60% of the time.
In cases where the random search beat the linear search, the random search found the answer in substantially less time than the linear search.
I have no idea why this should be, but there it is. My random number generator was www.random.org.
I'm sure nobody else'll try, but if you do, post the results.
MD5 was 'broken' in 1995 by Hans Dobbertin who discovered compressor function collisions. It was almost another 10 years before the compressor function collisions were turned into an attack which produced hash collisions.
So there is a serious security problem here but it does not mean that everything that uses SHA-1 is now vulnerable. There are many applications where MD5 is completely adequate. If you have a really good reason to do so and a really good understanding of the security requirements and risks you can use even something like MD2.
Today paul Kocher complained that Microsoft was using MD5 in its anti-spyware to identify known bad software. This is not actually a major problem, much worse would be using MD5 to identify known good software to keep, that is when a collision would bite. For known bad programs well i don't want any variant of the program to run...
But if you are writing an entirely new application then use SHA-256 or SHA-512, more rounds, more bits.
Meanwhile we need to research some new hash functions pronto.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Guess I wnont be using SHA afterall...
Bot Assisted Blogging
i'm pretty sure that no such agency exists.
ee.
Wikileaks, no DNS
So if I download a .deb, .rpm, .iso or whatever and check it with sha-1, there's a chance that it could have been tampered with in such a way to create the same sha-1 hash.
But what if I check it with md5 *as well*? What are the chances of finding a change that will create the same sha-1 has AND the same md5 hash?
I wonder: Did they use the "Chinese Lottery" to break it? *g*
Keep open minded - but not that open your brain falls out...
Well, computer design doesn't allow infinite number of combinations of bytes. Since every computer has limited resources, the number of combinations in digital computer is always finite, even if this number can be very very very very very very big.
- you don't have to do it yourself. It's possible to ask somebody who can do it
- there is a tradeoff between memory and calculation. If you have a lot of precalculated data to work with, Calculation is much shorter. At one stage, practical decryption of DES used 100GB of stored data. Later this was reduced to 1.4GB or two CD's. I recall site somewhere that demonstrates decrypting passwords in about 10 seconds.
That is nothing. This post has been encrypted with an unbreakable one-time-pad! TWICE!
For password hashes this attack shouldn't be a problem, if it is as described in the article. The attack does only one thing: allows an attacker to generate two streams of data which hash to the same value. This is a problem for digital signatures, because somebody can sign one data stream, then distribute another with the same signature. So the signature doesn't guarantee the data has not been modified
Even for signatures, it depends on the application. There are two types of collision resistance:
- Weak collision resistance: Given x, I cannot coumpute y s.t. H(x)=H(y)
- Strong collision resistance: I cannot compute arbitrary x,y s.t. H(x)=H(y)
Usually collision results show that a hash algorithm is not strong resistant.
So if I want to create random data (a nonce) and sign it there is a problem, I can create x,y with the same signature. However if I want to sign something specific, say an email, then I have to break weak resistance, random x,y won't do since x is unlikely to be the email I wrote.
the 1.4GB storage approach specifically applied to windows passwords, not general DES decryption(and not triple DES either).
I guess I missed posting this before the bulk of the posts, but maybe it'll help someone.
First: MD* SHA-* etc - they are all basically the SAME algorithm! The are just minor modifications of the same exact thing, so a break in one is a break in all.
Second: Tons and tons of people ask: can't we merge two hashes together and get a stronger one? Yes you can that's EXACTLY what MD* and HA-* DO! They are a combination of different hashes! That's how they work.
So if you really did have a good combo of hashes then just give them a name and use them as a hash - don't bother just plain merging existing ones.
Also, merging say MD5 and SHA-1 is pointless - they are both based on the same hashing code! You are gaining nothing by merging them.
-Ariel
Can we do both an md5sum and a SHA-1 on the same file?
Are the chances of finding a new file which produces the same hashes as the original any less by doing this?
Given that I don't understand the math of all this it would initially appear that if the chances of finding the hash in one case were 2**50 say, and in the other case 2**40, then the combined case ought to be at least as bad as 2**90. Its sort of double checking.
Extending the technique further - SHA the file multiple times but pass the data through in a different order each time. Imagine the data as a matrix, the first time we follow columns the next time we follow rows. OK it takes 2+ passes but hopefully its secure.
Maybe I've missed something but it looks like a simple solution without having to throw away the algorithms we already have.
This is the same team who broken MD4, MD5, HAVAL-128 and RIPEMD six months ago, so I'd rather believe this is true that calling them liars.
Why not make two hashes of a password using different algorithms, one using MD5 and the other using SHA-1. If an attacker was able to produce a password where the hash matched one it would be very unlikely to get the correct hash using the other algorithm unless the attacker had found the original password.
parent poster is a fucking racist dick.
I hope they get it fixed soon.
Gulf era veterans != gulf war veterans.
;P.
Apples & apples, please, mmkay?
As of 2003:
About 209,000 Gulf War veterans have filed claims with the Veterans Administration, and 161,000 of them are receiving disability payments.
From CNN, January, 2003.
This would represent 36% and 28% respectively, using your number for the number of Gulf War veterans.
I looked at a few of the papers on your web site, and did chi^2 testing on the figures; for instance, from the "Effects of War in Iraq" paper by Dr. Al-Ali, there is only a 15% chance of there being a relation between exposure and cancer rates. That is, if the figures can be believed.
The paper says there was a rate of 11 cancers per 100,000 in 1988 and 123 per 100,000 in 2002. The United States cancer incidence rate is about 550 per 100,000, and the death rate is about 250 per 100,000. While other countries have lower cancer rates, none have rates below 250 per 100,000; therefore, it's pretty hard for me to believe that Basra had a rate of 11 per 100,000 in 1988.
It's pretty easy to show a connection when you just make up numbers and don't test for statistical significance
Of course, us paranoid furriners used to legally run Fortify on the binaries to re-enable the 128 bit ciphers.
People keep saying that this situation may have unpleasant implications for digital signatures. The way I see it, this simply means that someone else can create another text with the same hash as the text I just typed in my email client, and use the exact same signature. But the other text will probably be just some RANDOM JUNK. I don't see how they'll make any use of it.
The question was: "OverlordQ (264228): DES had a weakness nobody but the NSA knew about, so they recommended changes to it without saying the reasons for them. years later an attack was found against DES, but the NSA changes prevented it from being useful. Why would they change their tune to SHA-1?"
The answer was: "bergeron76 (176351): [cough] Republican President [cough]
Got it now?
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
How did you do a linear search? Did you just try one number after another until you reached your target number?
I could be wrong, but I think the problem is that your linear search is not searching the space uniformly; it favors lower numbers (or higher numbers) more than the opposite, despite the fact that the numbers are chosen uniformly. Further, the probability that a random search will hit a low number is higher than the probability that the linear search will reach a high number for any sufficiently large set. In other words, the RNG has an advantage probabilistically.
Instead of a linear search, try subdividing the space each time, which guarantees a roughly uniform search of the space. So, for example, if you were guessing the range of 0-10, you'd guess in this order (I subdivided and rounded up or down, alternating):
5 0 10 2 7 1 4 9 3 8 6
There are other ways of doing uniform searches. Pick one and see if your results aren't better.
Mod me down and I will become more powerful than you can possibly imagine!
If you have "openssl" installed, you could also use openssl to generate the hashes. (supported hashes)
For md5 hashes:
$ openssl md5 filenames...
Output: MD5(filename)= hash
For sha1 hashes:
$ openssl sha1 filenames...
Output: SHA1(filename)= hash
Yes, SHA-1 is one-way only. Whoosh! Whoosh!
Ok, if my file consists of the line "Hello World." then I get the following hashes:
1 7c 971f1b1b667e0732944df7
770b95bb61d5b0406c135b6e42260580 for MD5
b924c2f360b572e17c971f1b1b667e0732944df7 for SHA-1
Trying to tinker around with the file and make both hashes come out the same as above would presumably be much more difficult than for any single hashing algorithm, and it might very well be nigh impossible. The little light bulb has finally come on. Now I get it. Yeah using two hash algorithms together would probably work nicely. Don't combine the results mathematically, just append the keys together into a big long string. The final MD5+SHA1 hash key for my file would be:
770b95bb61d5b0406c135b6e42260580b924c2f360b572e
I don't know whether this would be stronger than a SHA-2 of equivalent bit length or not, but now I get what some of you have been saying. From a common sense view, it would seem that something like this would be pretty darn tough to crack, because you would have to make two different algorithms compute matching keys for a given dataset.
Clickety Click
I was required to apply for a munitions export license from the US State Department when I wanted to buy some cryptographic hardware from the US in 2001 (I live in the UK).
They seemed to process it automatically -- I doubt they did a background check in the time it took, but the process was still there then at any rate.
Cheers,
Phil
I guess today is a passable day to die.
Maybe we should start encoding meta-data along with the hash, so instead of trusting only on the hash to confirm that the message is from who sign it, we would encode along the message, the size, type and whatever characteristic could define the message.
For instance, suppose I sign the message "Hi, I'm Victor", along with the hash it would contain the size (14 bytes), type (English text), encoding (7bits ASCII) and how about the range of codes used in the messages (from U+0027 - U+0074).
A good hash would give a uniformly distributed random hash for the message, so it is safe to assume that even if we could find a collision, it would be highly unprovable that it would satisfy all the meta-data. In some cases it could be provable that this kind of hash is unbreakable, since there is a finite number of messages that satisfy the meta-data (if you could hash all possibilities and verify that there were no collisions you're 100% safe).
[]'s Victor Bogado da Silva Lins
^[:wq
Hmm. What does this mean for Curious Yellow a theoretical superworm that uses SHA-1 to hash the addresses of infected computers and form a slow spreading, nearly silent network of zombie boxes awaiting arbitary code.
If CY doesn't upgrade its hash, then its network would be exposed.
NIST announced on 2/7 (days before) that an upgrade from SHA-1 is being forced, but that "SHA-1 is not broken
here's the article.
Comeon get me NSA! Crack down my emails... it will take you about 30 billion years or so but whats the hurry anyways...
I think you misspelled "fucking".
But with 64-bit CPUs pretty common now, Tiger is looking good...
Xenu loves you!
You don't need it for most implementations. In most systems that use hashes for password security, you provide a string to the system. The system computes a hash and compairs it to the stored value.
if you know the hash, you simply provide another string with the same hash. In effect, every hash used for passwords probably has more than one plaintext.
Some systems complicate this by using some known, preshared value which is concatinated to the plaintext before hashing. This would require you to know some of the plaintext in order to calculate a subsitute string. But without that complication, this is pretty straight forward substitution without knowing the plaintext (password)
There is also a protection against attacks on digital signatures that uses birthday party paradox trick. Right before signing the message you ADD some arbitrary text at the end of the message and AFTER THAT algorithm calculates hash and signature. So if someone prepared 2 texts that give same hash and hence same digital signature, now they lost there tremendous amount of preparation work.
Pretty much the same idea is in salt. Though here you add salt at the very last minute.
That's an awfully vague term. We've got an Ethernet hub with a corner knocked off its case, so theoretically you could say it's "broken", but it still works as well as it ever did. A lot of cryptologic results are like that: we know more than we did before about X, but X is not suddenly rendered useless or even worrisomely less strong. Whereas, in the movies, "we broke their code" generally means, "we have the key and can read their secret messages as quickly and easily as they can."
Six years ago, I was developing an application on a microcontroller http://mywebpages.comcast.net/orb/, and it used MD2 because it has a small code and memory footprint. Experts at the time said that I should use SHA-1 or MD5 because a simplified version of MD2 had been broken, and the full MD2 was sure to follow. Those hashes would not work on the chosen microcontroller, so I used MD2 anyway.
Is MD2 broken? If not, the irony is apparent.
For bonus points, my kernel is 1e47925e07c0cc69d753c9261eecee79f0c1b260. Add in a rootkit without changing the hash.
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Combine SHA-1 and MD5 outputs.
What are the chances of:
let X,Y, such as X != Y and sha-1(X) = sha-1(Y) and md5(X) = md5(Y).
I say X,Y does not exist.
Presumably it's the same motivation they have for trying to ruin Slashdot.
According to this news piece, NIST is planning on switching to -256 or -512. In a nice touch, the piece adds:
Of course, the news piece was over a week ago, and ya gotta love those government weasle words. =)I suspect using multiple fingerprints (MD5+SHA-something) will probably be a practical step for the even the non-government paranoids in the short-term. The time for finding a dupe rise drastically with multi-fingerprint matching, especially given the current "attacks" have been only marginally computationally possible until quantum computing with hash-sized quantities of qbits is made to work.
//Information does not want to be free; it wants to breed.
If the war in Iraq didn't teach you that the government doesn't have uberalien teck then nothing will.
Is there a special place that the Government takes all the Genius children so that they can work behind the close Iron curtains on Government alien teck.
Wake up, smell the roses, The government really is run by a bunch of stupid religious right wingers.
thank God the internet isn't a human right.
Why do I feel like Slashdot is the FOX News of the internet. They put up flashy titles like, "SHA-1 Broken" in order to attract readers. Headlines like this, along with the with the article summary, it gives the impression that something major has actually happend, like someone finding a reverse hash function. When, in reality, what we really have here, is a way to produce 2 files, with the same key, but which still requires massive amounts of computing power.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Nobody will break this:
a=SHA256(s)
b=MD5(a+s)
SHAM(s)=SHA1(b+a)
Of course, since this is Slashdot, it should also be pointed out that the poster claimed to not be able to read the parent's post because it was encrypted in ROT-26, but ROT-26 was mentioned as the encryption method in, and only in, the post itself. Therefore, the person claiming to not be able to read it was lying!
My beliefs do not require that you agree with them.
Now I can type a simple password, and produce a complex password that has the same hash.
I'd type the complex one "32l;lkd49fj32*93f-FR" just once: When I create my account on the web site that demands that I have at least 8 characters, and some of them must be numeric and some must be non-alpha and so on.
After that, I can just type my usual "foo" as password and it'll accept it because the hash fits.
Huray.
Musicians don't die. They just decompose.
Maybe that used that computer mentioned in the story above?
-- I Dont Deserve A Sig I Have Bad Karma
This doesn't seem likely even with my tinfoil hat mode fully engated.
If we were talking about an encryption scheme, the temptation would be there. If it were and encryption scheme adopted by The Bad Guys (tm) then NSA would of course be able to read their secret communications.
But that's not what SHA is for. It's to allow a piece of data to be authenticated. You can satisfy that that this file is indeed from me based on a simple number computed from it and a secret we both share. When thegovernment procures a piece of software that is going to do something like launch nuclear missiles, it would be nice if that software could figure out whether the order really came from PotUS. On the other hand, when the order comes from Osama to fly the plane into the WTC, authentication of that order, while useful, is not as critical.
So, the national security interests here are clearly in favor of their being a publicly available, secure hash function.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Yes, that's the trick that some seem to be missing here when they talk about computing hash values faster than you suggest. You gotta read the whole file to compute a hash UNLESS you've only changed the last part of the file, in which case you could take the cumulative result and work from that point. If someone can show that the SHA-1 shortcuts the researchers found allow you to change data specifically at the end of the file, please correct me. Until then I'll assume that any assertions to the contrary are merely wild speculation.
Here are some real numbers for computing various hash values using Crypto++ 5.2.1. Even on a 1.6 GHz Opteron, SHA-1 hashes are computed at a rate of 100 MB/sec. Even a truckload of Opterons won't finish the job any time soon.
As others have pointed out, I can create 2 documents, X and Y, have a target sign one, then substitute the other. His digital signature will be valid for both. Great - it takes only 2^69 attempts to get a collision - I'm sure the chances that the X and Y found will both be valid English documents, one of which I could convince a target to sign, the other allowing me to scam him out of enough money to make the whole ordeal worthwhile.
However, people keep copies of what they sign. Even if I did find a collision, and even if both documents were valid English text, the guy could say "I didn't sign Y - look, my signature is valid for X - he scammed me". Great.
The more likely scenario is someone signing their own document, then claiming it was fraudulent. They could create their own X and Y, sign X that somehow involves another party, then claim they actually signed Y and this other party was the scammer. But they still have to find X and Y in 2^69 steps such that both make logical sense in the English language - no simple task.
This is cool in a theoretical sense, but in a practical sense, its like saying you don't need a million monkeys on a million typewriters typing for a million years to generate Shakespeare; it'll only take 999,999 monkeys on 999,999 typewriters...
Or, to go back to the theoretical world: with processor speeds doubling every 1.5 years, and this team shaving 11 factors of 2 off of the break time, the lifetime of SHA-1 just shortened by about 16.5 years. Not quite the end of the world as we know it.
Step 1: Break SHA-1
Step 2: ?
Step 3: Profit!
And how long now before kids are cracking it in an afternoon using interconnected PS3s?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Does this mean the bad-guy-of-your-choice can now start forging digital contracts? Not yet - there is no guarantee that the collision will be meaningful (as least their earlier papers didn't show that result). For a forgery to be useful, the forger needs to make the fake message say something useful - may be change the $1 to $1 million, or change the name, or something. A collision at a random place (or a non-sensical string) is essentially useless as a forgery (there may be some interested DOS attacks, but I am talking about outright forgery which is the point of the hash functions).
The real worry here is not that this break is practical (it's not) but that it will become practical in the future. And the stuff that is using it right now will retroactively be broken and untrustworthy.
The gist of this particular break is that instead of a 2^80 attack to generate two documents with the same hash, is that it's now a 2^69 attack. Okay, yeah, bummer and all, but it is still impractical. However, analysis of the way in which this reduction is done may lead to further insights.
If somebody can generate two files with the same hash, BFD, nobody cares. But if somebody can figure out how to take an existing file and add or modify bytes to change it's hash to some given hash, then there's real cause for alarm. Because then I can, say, take your signature off some document and change some other document to have the same hash (by adding hidden comment bytes to it or whatever, depending on the document format), and thus make it look like you signed the original document. Or I can put some malicious code in place of some valid code and make the malicious code's hash look like it's the valid code's.
With CRC32, for example, this is pretty trivial to do. Modifying a file to have any CRC you want can be done by changing only 4 bytes of the file. This is why nobody uses CRC32 anymore.
So this break doesn't mean that SHA1 is useless, but it does mean that it might become useless in the future and so stopping use of it now is probably a good idea.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
There is no such restriction on software (since 2000, as I have been previously corrected)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
At least they gave the algorithm. If their synopsis is indicative of the paper, they illustrate that SHA-1 has collisions, and collisions can be discovered through the awesomely sophisticated technique of brute force. Pardon me while I dust off my bomb shelter.
Let's wait for the actual paper. If it takes more CPU power to force a collision within a year than the whole of what IBM sells in that year, I think that the hash is doing its job...
I am no longer wasting my time with slashdot
http://www.doxpara.com/md5_someday.pdf
s/md5/sha-1/g
care to explain?
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
In the wake of crypto there was a general agreement that the industry needs to move to a new digest algorithm. I am not a cryptographer, I am a consumer of their work product as a protocol designer.
I agree that SHA-256/SHA-512 may turn out to not be the final choice. When the crypto-2004 results came out there was a push to go for the new hash functions, given the status of SHA-1 then I said that I want to wait till I hear whether the SHA-2 digests are also vulnerable to the Biham neutral bit technique or a variation of it.
At this point however we have to make a decision on the cipher function for Domain Keys/Identified Internet Mail in the next few months. I think we need to hold a council meeting with the cryptographers next week. So in that context we may have to go with SHA-256 and hope that there are at least 2^100 bits of security there.
Another choice that we may want to look at is using an HMAC as a signature digest primative.
Meanwhile we need a competition for a new digest function. The cryptographers had fun last time. Lets do it again. I will bring this up with NIST this afternoon.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Sounds like you're investing all your faith in one man. Bad plan.
Oh for christ fucking sakes, use your head.
The whole task presented by a hash is to provide a summary of a larger corpus of data. All an MD5 or SHA1 hash is is a massive expansion on the idea of a checksum.
Now in, say, SHA1, you've got 160 bits, and you're asking those 160 bits to give you a summary of a zip file that is, say, 200KB in size, which is 1,638,400 bits.
It's mathematically impossible to expect that 160 bit string is going to be unique for every possible combination of those 1,638,400 bits. The problem is how far you need to go to find two that match on the same size. But its bound to happen because it's impossible to expect otherwise.
Why is this still not a problem -- and why is MD5 not suddenly just a stupid little runt, either? Because the fact that you've found two random bitstreams of the same length that have the same SHA1 or even MD5 checksum doesn't mean that both (or *either*) of those bitstreams are going to make any sense -- or have any similarity to each other.
The FUD about these hash collisions is that "oh no, now I can't be absolutely certain that this 160-bit string, and this to-the-byte filesize can actually identify more than one file!" So what? Whose to say that these files have any similary to each other that would actually result in a malicious or even malfunctioning attack? How likely is it that these multiple bitstreams are going to be any of: interpretable on the same architecture, uncompressable by the same algorithm, compilable in the same language, in the same structured format, even in the same language? Pretty frickin slim, I'd say.
Hashes are NOT unique identifiers. Not even combined with file size. Not even combined with file size *and* a second hash (say, SHA-1 *and* MD5, which would of course be more unique than SHA-1 and file size alone). All of these details, even combined, represent a much smaller set of possibilities than any file of any reasonable length (greater than 128 bits + 512 bits + bits in a given filesize value).
Neither SHA-1 or MD5 hashes are going to give you absolute assurance that the bits you get are the bits you were supposed to get. But its going to be pretty damned impressive if anyone manages to create malicious code or manipulated data that matches the filesize and checksum (even MD5) of a legitimate package.
Terrorists can attack freedom, but only Congress can destroy it.
Let me point out that an executable can have any amount of abrbitrary junk appended to it, or stuck in the middle, so signed executables make a great candidate for this type of attack (though of course the attack wouldn't work unmodified, it is entirely possible that it could be fixed). In addition, the same techniques (which are now, or soon to be, public knowledge) might be useful in constructing more serious attacks, even though the current attack isn't very useful, which was my main point. Let me further point out that only a moron wouldn't realize that hashes aren't unique, and by spending most of your post needlessly flailing that dead horse you have only proved how badly you missed the point.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
Ok, another encryption algo broken. Yay.
The day someone figures out how to break 1-time crypto (ie. one-way encryption w/o a key) is the day I actually become concerned about XYZ algorithm being broken.
You can build better locks, but as long as the crackers have the time and resources to crack, there's not much else you can do (aside from building a better lock).
This is just my opinion on everything.
Insert Sig Here
The two blocks are gibberish, but that's OK because much information these days is expressed in the form of computer programs: HTML, Microsoft Word documents, application programs, etc. It's easy to put a block of gibberish in them that is "invisible". To attack, make a program with the special block of data, and have it check the data. If the block has one value, the program only does friendly things. If the block has the other value, the program does something hostile. You can get the first one reviewed, formally proven to be secure, whatever the victim wants, and later slip them a hostile file with the same checksum.
I have not looked closely at the cancer data, but it wouldn't suprise me if their incident rate is naturally much lower than ours; their birth defect rate was half that of the U.S. in 1990.
Also, based on some slides I saw from a presentation, I think maybe data should more accurately be labeled "cancerous tumors," as it probably doesn't include leukemia, pancreatic, colon, prostate, and other cancers that don't present with an externally detectable lump.
I meant to do that.
Floating face-down in a river of regret...and thoughts of you...
Authorization Key: KTW4S2QYW4XT666XTRQHJ9S0P
From: Anonymous Satan Claus
10
9
8
7
6 National Security Agency: We've a lot of desastrous problems!!!
5
4 We've not time to stop these problems!
3
2
1
0
PAMMMPPppp, BROOOOooooWwwwwWWWNNNnnn, SSSsss, ZZZzzz, ZZZzzz, ZZZzzz. Aleluya!!Aleluya!!Aleluya!!
Everytime the crypto community hears about a new kind of attack, that's very big news. The reason for this is that one attack is often just a member of a whole new class of related attacks.
Any cryptanalyst or cryptographer reading about this should be really worried; until the community finds out how big this class really is.
SHA-1 is just a hash algorithm; breaking it would probably affect programs that use it; but that's not such a big deal in practical life. OTOH in theory and within the crypto community, it's utterly important.
cpghost at Cordula's Web.
1's and 0's should be free.
Unfortionetly, it has come to light that ROT-13 is no longer an effective encryption algorithm. Therefore, I recommend moving to a new system, called Triple ROT-13, or 3ROT-13. This algorithm fuctions in the following way: 1) Encode with ROT-13 2) Decode with ROT-13 3) Encode with ROT-13 This method allows compatability with legacy ROT-13 systems, by using the same method of encryption in step 1 as the decryption in step 2.
Where can I find the nearest DCMA enforcement officer?
This sig is intentionally blank
Yes, I am surprised. SHA-1 was designed from the ground up to be secure (iirc unlike MD5 which was only designed to stop random corruption, not malicious modification) and I thought it ought to be. The length will always need to be increased as computers get more powerful, but a hashing algorithm that always makes it a lot harder to create two docs with the same hash than compute the hash of a document should be doable.
I am trolling
The point of my post was:
- The 'attack' isn't an attack
- SHA1 is trivial to crack (trivial in terms of code) that is, EVERYONE knows how to crack it, which is good
- third point, it is computationally unviable to use a trivial attack against a SHA1 hash.
It is always a risk trying to say to much in too many ways, as mods rarely like to read into what you say, and as you yourself have misinterpretted what I have said to be the exact opposite, you should try and deal with your own s/n issues.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
The 'simply' bit is what's wrong with your argument. This attack does not provide a way to do it, so without the original plaintext you'd still have to brute force a string which yields the hash you want. This is still computationally infeasible.
Their method only guarantees two different plaintexts which hash to the same value. It does not, however, guarantee any particular hash value -- you need this for password breaking since you must obtain a value which hashes to the (fixed) hash value of the user's password.
HAND.
Interesting suggestion, I wish I had mod points.
This will only _really_ help you if the last kilobyte (and because of how those algorithms work, it need to be the last kB) is, at least in part, executed. See the other post about the birthday paradox why even this is a bit useless for matching with a given hash as opposed to just finding two colliosions.
All this spyware bogging them down acts like three instances of SETI@home plus a few of folding@home..