Slashdot Mirror
More on Newly Broken SHA-1
AnonymousStudent writes "Details are out about the reported broken SHA-1 hash function. The findings are that SHA-1 is not collision free and can be broken in 2^69 attempts instead of 2^80. This is about 2000 times faster. With todays computing power and Moores Law, a SHA-1 hash does not last too long. Using a modified DES Cracker, for the small sum of up to $38M, SHA-1 can be broken in 56 hours, with current computing power. In 18 months, the cost should go down by half. Jon Callas, PGP's CTO, put it best: 'It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off.' As Schneier suggests, 'It's time for us all to migrate away from SHA-1.' Alternatives include SHA-256 and SHA-512."
Do people really still use SHA-1?
I've been using SHA-256 for a while now.
2^69 attempts instead of 2^80 seems like only 11 times faster, then again, thats just me.
2^80 = 2^11 * 2^69 = 2048 * 2^69
2^69 = 590295810358705651712
2^80 = 1208925819614629174706176
2^80 / 2 ^ 69 = 2^11, which = 2048.
Yep. 2000 times faster.
No, it's 2^11 times faster, which is 2048 times faster... Rule:
a^n / a^m = a^(n-m)
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
2^11 = 2048
2^80 / 2^69 = 2^11 = 2048
The new SHA-1 break only affects very carefully constructed messages. This means that it is completely useless for an attacker impersonating an existing message, unless that message was purposely constructed to be attackable. The attack is only useful if the attacker creates both messages, and the attacker can choose the exact format of both messages.
- Sam Ruby
2*2*2*2*2*2*2*2*2*2*2 = 2048 times faster
Someone you trust is one of us.
"The findings are that SHA-1 is not collision free"
Since when is it possible to have a collision free hash when the hashed data has more possibile bit combinations than the hash itself?
Genuine question.
SHA-1? pshhhh. They should be using SHA+1. Thats 2 more!
Jesus Christ. In the time it took to write my post (all of 30 seconds), five other people replied to you.
Just goes to show, the quickest and most effective way to get information on the net is to post something that is wrong.
The findings are that SHA-1 is not collision free and can be broken in 2^69 attempts instead of 2^80.
Well, doh - it's a hash you silly, there will always be collisions.
Anyway, it's nothing to panic about really. The ammount of computer power needed to crack it is still massive. Unless you're investigated by the NSA, SHA-1 will be fine for quite a while.
Jesus people, I passed 8th grade....or did I? =)
We need to develop algorithms aside of SHA. SHA-256 only postpones the problem...
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
http://www.google.com/search?q=2^80+/+2^69&sourcei d=opera&num=0&ie=utf-8&oe=utf-8
I bet $50 that a hard drive manufacturer came up with that!
Kidding about math on /.? You should know better...
so you are saying daryl is prepping his 10-k for transmission now?
every day http://en.wikipedia.org/wiki/Special:Random
Aren't these rarely isolated incidents?
Isn't the probability of discovering further compromises by widespread cryptanalysis of this discovery extremely high?
Totally agree, however in the crypto community (which I cannot claim to be part of) the consensus is generally that if a weakness if found in an algorithm then it begs the question - "what other weaknesses are there".
Once an algorithms strength is in doubt by the presence of even one weakness people feel very reluctant to trust it.
Its probably up to everyone to see how this affects their own circumstances. Crypto is always about Knowing your enemy (the paranoia has now kicked in !). When picking a scheme one always makes a number of assumptions - Who are you keeping the information hidden from, what resources do they have, how badly do they want it.
No crypto is powerful, or clever enough (yet!) to be completely unbreakable so its all down to making assumptions:
1)
Would someone be willing to pay $38 million (assuming this is correct) to get my credit card number - probably not.
2)
Would someone be willing to pay $38 million to get insider info on a merger between two banks - each worth over $10 billion.
What unsettles people is that their previous assumptions on SHA-1 are now invalid.
[ Monday is a terrible way to spend one seventh of your life. ]
2^80 / 2^69 = 80 - 69 = 12
Wow! 2^69 instead on 2^80. The reality is that use of SHA-1 STILL places a significant cyptographic barrier in front of an attacker trying to discover the contents of hashed payload. I'd argue that using any form of cryptography (save null) presents a barrier that the average hacker won't even attempt to overcome.
Anyone who has never made a mistake has never tried anything new.
If one flips a bit in a file, is it "easy" to find a correcting bit flip(s) that returns the file to its old hash value? If so, can one create a slightly modified copy of a file by flipping the bits one wants changed and then doing a series of counterflips (in an unused part of the file) to "undo" the effects of the nefarious change?
Two wrongs don't make a right, but three lefts do.
Using a modified DES Cracker, for the small sum of up to $38M, SHA-1 can be broken in 56 hours, with current computing power.
Is that assuming that that the collision will be found on the last (or in this case, 590,295,810,358,705,651,712nd time) try?
Because statistically it's just as likely you will find a collision on the first try as you are on the last try.
It costs $38M to crack SHA-1 now. According to Moore's law, this will be cut by 25% every 3 years.
The cost of cracking SHA-1 in...
3 Years - $9.5 Million
6 Years - $2.3 Million
9 Years - $600,000
12 Years - $150,000
15 Years - $37,000
18 Years - $9,000
21 Years - $2,500
My Blog Sucks.
So someone with $36 million to throw around can, in 56 hours, produce two random messages with the same SHA-1.
::cough::
Great.
So, presumably, this devious (and very rich) hacker might produce the following two messages:
"bma p3 rjphta,-9p.u2#H50982u.yha,cp. hxasnip"
and
"BUEQXBBX2 jma93#9g5xbaida htuEXOAhkra1255,y"
And then, of course, he'd somehow trick me into signing "bma p3 rjphta,-9p.u2#H50982u.yha,cp. hxasnip". Because I sign random pieces of gibberish all the time, if asked. And then, having done this, he could go around claiming that I had actually signed "BUEQXBBX2 jma93#9g5xbaida htuEXOAhkra1255,y".
OH NO!
Sure. Moving to SHA-256 is all well and good. But, frankly, I think these reports are horribly overblown. Crypto geeks are jumping up and down with their hair on fire (just like George Tenet!) because their perfect algorithm is slighly less perfect in a way that doesn't have any real practical meaning in most situations.
Meanwhile, there are real security problems out there in the form of poorly written software and poorly administered systems. Please, please do not spend your time rewriting your software to use SHA-256 when you could be patching real security holes. Leave SHA-256 until you have nothing better to do.
Yes, but say someone creates a document (such as a contract) for you to digitally sign.
If they're prepared to spend a realistic level of time on it they could create two of them that hash to the same thing, with a small but effective change to the second.
You sign the first with SHA-1, but your signature also matches on the second, putting you in a weak position when you try and claim "I didn't sign _that_!"
The time/money requirements to do this aren't really practical yet, but they will be soon.
As the sub says, time to start shifting off SHA-1.
Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
it wasn't funny and the moderation is disturbing
Encrypting something is many orders of magnitude less complex than breaking the encryption. Moore's Law means that more complex encoding becomes practical at an exponentially faster rate than the ability to break it. Today's encryption is far more secure than anything in the past inspite of all these advances in code-breaking. Of course this doesn't stop people from using old methods which were once secure but now are not...
You don't understand the issue. Digital signatures are still safe.
its just a collision attack, not a preimage attack, so for encryption of an email there is still nothing to fear as far as i understood the problem.
The concern is not so much that the method described in this break is feasible on today's hardware, or even that this method will get cheaper and cheaper as hardware gets faster. The BIG concern is that this method provides insight in to the SHA-1 in general, and will be used by others to come up with more efficient breaks or more egregious flaws.
omg 2^11 = 2000 noob
I'll take that bet! (And you owe me $64 if you lose.)
http://netlab.fe.up.pt/~ei01024/sha-1/
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
Creating pseudo-random numbers that hash to the same value != making any arbitrary document hash to the same value.
It's tragic. Laugh.
No. It means that it took 2^80 "computations" and it now takes 2^69 "computations".n ode17.html.
O(2^80) = O(2^69) = O(1). See for example http://mitpress.mit.edu/sicp/full-text/sicp/book/
..a (new) system that handled user authentication (and obviously registration) would also store information about which hash code algorithm was used at the time the user registered.
SystemHashCoding = 1 = MD5
SystemHashCoding = 2 = SHA0
SystemHashCoding = 3 = SHA1
SystemHashCoding = n = x
UserHashCoding = 3
The UserHashCodingData field would be extended to accomodate longer values in the future.
The update would be applied when an existing user with a different hash coding changed her or his password.
SHA-2 in 256 and 512 bit flavors isn't the only alternative folks. Among other nifty hashes, there's whirlpool: Linux 2.6 kernel crypto API entry for whirlpool and a page with whirlpool details.
http://tinyurl.com/4ny52
Dude, I may be the first to point this out:
While the bumbers are only 11 difference yes, 69 is a much slower method for most 80, though I'm not sure its 2000 either.
One-way hash functions are supposed to have two properties. One, they're one way. This means that it is easy to take a message and compute the hash value, but it's impossible to take a hash value and recreate the original message. (By "impossible" I mean "can't be done in any reasonable amount of time.") Two, they're collision free. This means that it is impossible to find two messages that hash to the same hash value. The cryptographic reasoning behind these two properties is subtle, and I invite curious readers to learn more in my book Applied Cryptography.
If I'm reading this right, then he's saying
1. The hashing function must be 1-to-1 and onto
2. The hashing function cannot be invertible
How is this possible?
Before any liberals are tempted to mod up one of my comments, a word of warning: I'm actually making fun of you.
Since we have the formula to extract digits of PI, what about this algorithm:
n = 0
do while not eof(data)
byte = next input data
for each bit in byte.0-7
n = n * (bit + 1) + 1
n = n + digit at PI[n]
next
loop
hash (digest) = 32 digits at PI[n...n+31]
Could one reconstruct the data by searching for the hash in the digit sequence of PI? Probably not, because there are several ways to get to a certain digit number.
... does not mean what you think it means. Look it up.
All crypto algorithms age, and even if the news of SHA-1's death is somewhat dramaticised by people who make their living from security work, it's important to see _all_ crypto algorithms as temporary shims.
That is why anyone developing new protocols and products that rely on security should use SASL, which abstracts the crypto layers in such a way that it's easy to change them over time.
SASL is an IETF standard and there are open source implementations like Cyrus.
Sig for sale or rent. One previous user. Inquire within.
The £38mn is to build the machine. It is in 1-time use for 56 hours.
There are 8776 hours in a year. Assume the machine has a life of 3 years before it becomes obselete. That means (discouting TVM at 0% for simplicity) the machine can do 470 problems of this type in three years, breaking even at a little over $80 per problem.
Damn that just got a lot lot cheaper.
Having worked in the crypto field, I thought I would take some time to clear up a few misconceptions. First off, the results of this paper in no way compromise the security of email or other data encrypted with algorithms that use this hash. As an extension of Moore's law prevails, these characteristics of any hash function are bound to be discovered. However, with that said, it is important to realize that this new discovery in mathematics allows us to move forward with hash technology to develop better algorithms.
Hash algorithms are one of the least understood principles in cryptography. The established mathematics around them is contemporarily vague, but under constant research. Therefore, anytime a new publication illustrates a flaw, technique, weakness, etc. we should be pleased that our understanding has grown and that a new, more advanced algorithm can be created with the knowledge gained.
This discovery is a not something to panic about, but rather an achievement that will bring about newer, stronger encryption technology.
I presume that finding two colliding contracts both written in a meaningful and legally binding language is harder than finding a simple collision.
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
FIRST CORRECTION
15th actually, and you were wrong anyway.
When the understanding on a domain starts to gather - in other words the nut to crack - it usually does all the way. It's quite commong to knownledge. In such a notion for instance going to SHA-2 would be moronic and keeping using SHA-1 plain suicidal.
This is a lot worse than many people understand. 38 millions for a cracking machine? Yes, providing there isn't someone who knows one tiny bit more from the domain an has took off more from the complexity. For instance 2^40 would be a disaster. The sad fact is that it is near. Way too near for anyone who really cares.
1) Would someone be willing to pay $38 million (assuming this is correct) to get my credit card number - probably not.
He needs to pay the 38 million only once and can get a million every second day - sounds like a good deal. But OTOH his interest might be different, as you said in your bank merger example. However, there are things that are worth a lot although it is not as obvious as in this case. (Research stuff leading to military and industrial advantages.)
The slashdot secondary effect.
>In 18 months, the cost should go down by half. Nope. It will not. >Moores Law Never said your super computer cost would half and speed double every 18 months. Give Moore a rest.
An excellent troll. You got an enormous amount of gullible idiots to show their 'intelligence' by correcting you. Pure genius.
I presume that finding two colliding contracts both written in a meaningful and legally binding language is harder than finding a simple collision.
Write the contract in MS Word and use huge uncompressed BMPs for the company logos. You have instantly enough space for subtile changes to create collisions.
Why bother using SHA1 in the first place... what ever happened to MD5? Why not encrypt your data with two algorithms at once, that'd double the hacker's fun. Who has 38M million to blow on a cracker when good old free social engineering is around?
Or a pdf-file, i bet there is more that 69 bits of entropy there that is not visible to the reader.
FRA: STFU GTFO
I'll see your BSD and raise you a Public Domain.
If you post the same story enough times, eventualy your'll get the right combination and break it :)
--
There is no such thing as duplication, only verification, alas alot verify the stupid.
--
Thank you for this brief, yet reassuring analysis.
--AC
As I have not installed linux or solaris for over a year now, so I cannot comment on either of them... But I do know that all the *BSD's, at least, have native support for Blowfish (everything from user passwords to SSH, apache, java, etc).
Having found this and other comparisons, I see little reason to use SHA (any of the versions of it) for anything. Blowfish (BFS) has military grade strength and is insanely fast to compute. While the newer versions of SHA (-256 & -512) might be significantly more secure than SHA-1, they're still dog slow compared to BFS.
For all my encryption tasks I make sure to use BFS. Just my 2 cents.
/dev/random
Depends on the desired precision. :D
Never attribute to wittiness what can be attributed to plain, near infinite, stupidity. Yes, the typical /. poster is _that_ dumb.
http://it.slashdot.org/comments.pl?sid=139602&cid= 11685615
(no, it's not even the same nickname)
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
2)
Would someone be willing to pay $38 million to get insider info on a merger between two banks - each worth over $10 billion.
Except SHA-1 isn't an encryption scheme, it's a hashing algorithm. For your 38 million you could construct an machine that would create two random messages that hash to the same value. Totally useless. Really what you want to do is find a message that hashes to the same value of a specific message. Or even better you'd want to create an arbitrary message, tack on some header or footer and have that hash to some chosen hash.
If I understand message signing and digital signatures, an attacker wants to make it look like they're the intended target. Say I send a signed message to my bank saying "please transfer $1,000,000 to account 123456". An attacker wants to generate a message like "please transfer $1,000,000 to account -attacker account number- that will hash to the same value, so he/she can use the same signed digital signature. The 38 million dollar device won't be able to do that in 56 hours, I doubt you could do it in 56 years (and I highly suspect it would take MUCH MUCH longer).
AccountKiller
is to speak of averages. So, it is likely that 56 hours is the time to search half the keyspace on such a machine, as over a large number of uses, that will be the average time required per use.
I forget what 8 was for.
-"Please download my DC client." -"Whats it for?" -"Something good... err... cancer research, finding E.T. You know. Just download and run it! Geeze..."
Not quite right, you could simply use Wikipedia. //this is meta-funny, laugh!
IANAC(ryptographer)
Why don't they make a type of verification where both the hash and the filesize are used?
Seems to me that there are a finite number of comobnations of an x bit file that have the same hash, and in all likely hood they wouldn't be able to insert something malicious into one of those comobnations..
Can anyone point out why this wouldn't work? it seems kind of obvious to me, but again IANAC.
>>> FIRST CORRECTION
>> 15th actually, and you were wrong anyway.
> Depends on the desired precision.
Certainly. Because 1 is approximately equal to 15 for large values of 1 and small values of 15. If you squint.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
For 2, it's still cheaper to buy an insider.
What I say does not represent the views of my employers, my friends, my cats, or myself.
Whenever I can't figure out how to do something in Linux, I just make a post saying, "Linux sucks because it can't do XXX like Windows can!"
Within 10 minutes, I'll have 50 replies from Linux gurus around the world telling me, "You idiot, Linux's implementation is better than Windows! You just do YYY and ZZZ and boom! Bill Gates sucks!"
While the bumbers are only 11 difference yes, 69 is a much slower method for most 80, though I'm not sure its 2000 either.
Wow. That's an absolutely amazing post. It's so wrong, on so many different levels, in so many different ways, and in so *few* words... impressive as hell. You have my respect, sir.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Here's a slight story for you. Certain gaming company 'X', in their online gaming services, uses SHA-1. However, how they implimented it, basically sucked. The person that found this posted it on a couple newsgroups, wanting to just just how heavily borked it was.
He didn't get around to verifying the results, however it cames back that one could see anything 12 bytes or less from the hash given. (Company X did a couple things that made this pointless, involving taking what was input, and then adding to it in order for it to form at least 22 bytes).
As the guy that explained this to me said, "See where this is going?"
The longer the hash, the more information you have to reverse. Meaning, hey, you can get more of the plaintext out of it, if you know what you're doing (and likewise, if the dev is incompetent).
On top of that, you know, a hash size that much larger is a LOT of more data to store.
I have no idea what SHA-1 is or why the heck it being cracked has made headlines twice now. Somebody want to explain this?
do not use moores law
Please do not mention moores law. Why not stop all research into CPU core technology, and just wait for my CPU in my computer to double its speed every 18 months.
If anything it is an insult to those minds who give us the CPU power that we have. It is taking it for granted, that these people develop the crazy shit they do.
And I hear people using it far too much, please do not use moores law.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
I'll see your Public Domain and raise you a TCP/IP network freeforall.
http://tinyurl.com/4ny52
Now that SHA-1 has been broken, there is another alternative besides SHA-256 and SHA-512 that the crypto experts forgot to mention: AYATOLLAH-1, a hash algorithm with fundamentalist fervor that shall beat back attempts to break it with fire and jihad.
Or, and this is a good one, you could do that. For any message that I create, and sign for SHA-1, it's now possible that I created another duplicate message, and that I could, at any point in the future, say "Oh no, I didn't sign _that_!"
So, there are two lessons to be learned.
1. Don't trust SHA1 as part of an algorithm for signing a document that someone else gave you. Actually, this is not so much of a risk, because any reasonable signature algorithm signs more than just a straight hash of the document.
2. Don't trust any document signed by someone else with an algorithm using SHA1, if they created that document themselves; they might have a way to repudiate that signature, leaving you out in the cold. This one is actually more dangerous.
The findings are that SHA-1 is not collision free
What, is that new? That already follows from the fact that there are only N possible hashes, and M possible messages, and NM. In other words, if you have an 8-bit hash (256 values) for a, say, 1K message, then you must get a lot of collisions.
If it takes only three days or so to find a collision, what does that mean practically? Almost nothing. Because the collision that you would find is most likely meaningless. The modification that you'd like to apply to the message (while sticking with the same, given hash) is likely to be something very specific, for example, change $1000 to $10.000. And that, unfortunately, is not easy. This vulnerability can't be easily exploited at this point.
But even saying that "if the algorithm has one vulnerability, then it's likely to have others" is totally illogical - unless a whole class of vulnerabilities has been pointed out.
It's not even time to 'walk to the door' because the fire alarm has gone off, as someone said later down in the comments. Instead, it's time to read the Chinese paper, produce more truthful descriptions of how much of a problem we are going to get with this (does it lead to more severe vulnerabilities), and start working on better hashing algorithms.
69 = dual felacio
80 = tittyfuck with oral
I think the GP is saying he(?) cums quicker with oral tittyfuck than 69 position, but not 2000 times quicker.
I think you fail it where it is understanding inuendo.
[NB: For computer science geeks, a "pre-image of a hash" is more or less the same thing as a "bucket"; for math geeks, it's more or less the same thing as a "variety".]
If they're prepared to spend a realistic level of time on it they could create two of them that hash to the same thing, with a small but effective change to the second.
I dunno - my guess would be that the subspace of all grammatically correct English language sentences [and paragraphs, and chapters/essays/"contracts"] is, for all intents and purposes, infinitesimally small within the space of all ASCII [not to mention Unicode] strings of similar length.
If you doubt that, consider the trouble a really good English language wordsmith [like Yeats, or Frost, or Stevens] has to go to just to force the final words of lines to rhyme within a poem [and yet maintain any sense of cohesion in the result]. And we only seem to get about four or five of those guys every century. To get a second, meaningful, relevant, grammatically correct "contract" within the same hash pre-image as your existing "contract" strikes me as nigh unto impossible [although I'm more than happy to listen to any argument to the contrary].
I guess I'll have to send all my friends an
eBook on CDROM for use as a "one time" pad.
Clearly, SHA-1 is broken. And given the low
cost of clustered computing power, SHA-256
can't be too far behind.
Write the contract in MS Word and use huge uncompressed BMPs for the company logos. You have instantly enough space for subtile changes to create collisions.
Obviously you didn't watch last night's episode of Battlestar Galactica...
For your 38 million you could construct an machine that would create two random messages that hash to the same value. Totally useless.
Not true. The use of that is creating one legitimate document and apply a certification to it, with the authority of a trusted certifier (who would have verified it, because it is legitimate).
At the same time your $38M machine would create a second document, with whatever information you care to put in, which that certifier would never touch. They have the same hash, so you could substitute in the bad document for the real one, and the certification would be entirely indistinguishable from authentic.
While both of the above algorithms are "broken" in the sense that a collision may be found relatively easily, if a signature is done on both hashes, the attacker has to find a message that provides the same MD5 hash and the same SHA-1 hash, which I strongly doubt is possible theoretically.
In other words, if I provide text T and a signature derived from both MD5(T) and SHA1(T), an attacker wil have to find T' such that MD5(T) == MD5(T') AND SHA1(T) == SHA1(T').
Note also that using SHA-1 (or MD5 for that matter) with HMAC is still secure, which means that many protocols using HMAC are OK.
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
Shamir said at RSA that there's a complete 90 page version in existance... I haven't found that one yet.
THE PARENT POST IS CERTAINLY NOT OFFTOPIC.
/banned from moderation during the great rtbl purge
Most moderators are fucking idiots, don't you be.
He was talking about 2000 v. 2048.
1. Just modify every document from someone else without changing it's meaning, and you *should* be fine.
2. This is not a problem. Everyone is allowed to sign as many documents as one wishes with one's own key. You still have the original document that was given to you.
Still, looking for something other than SHA-1 is probably a good idea.
Unixwiz.net Tech Tip: An Illustrated Guide to Cryptographic Hashes
Steve Friedl / Unix Wizard / Microsoft MVP / www.unixwiz.net
The grandparent was speaking more generally of assessing risks, not conflating cryptographic hashes with encryption.
But even so, there are several plausible paths by which a "break" in SHA-1 could lead to compromise of very valuable information (e.g. the $10B merger).
(1) Another respondent pointed out the substitution of a good message for a bad message, where both share a hash. E.g. confidential instructions to a bank manager are guarded by a hash: Only follow these instructions if the hash shows the message has not been altered... but the hash doesn't show that, because the hash algorithm is compromised.
(2) Substitution of public keys in systems using hash components (i.e. all of them). I can forge a message that appears to be signed by someone authorized to have the valuable information. When recipient responds, using MY public key (because it passes for the authorized person's public key), they send me the confidential information.
(3) Monkey wrenching: You know certain messages are being sent concerning the details of the transaction (i.e. the merger). These are encrypted, and you (the attacker) cannot read them. However, knowing the general form of the messages, you flood the channel with one or more false messages, each of them apparently legitimate based on hashes. Participants in the transaction cannot distinguish real from fake messages, and the transaction is complicated, delayed, or cancelled (and you make all the money off your puts/gets/shorts/etc. on the merging companies).
Buy Text Processing in Python
Not true. The use of that is creating one legitimate document and apply a certification to it, with the authority of a trusted certifier (who would have verified it, because it is legitimate).
The is that as soon as you try to place specific content in the message, it becomes *much* harder to find a collision that meets your requirements (especially if there are length requirements too).
Now.... Let me bring up one possible use of these issues. If you store passwords as SHA hashes, and if someone can get a list of hashes, then they can find colliding passwords.
LedgerSMB: Open source Accounting/ERP
Is SHA pronounced 'ess-aych-ay' or 'shah' or what?
Illegal? Samir, This is America.
No, it *raises* the question. "Begging the question" means circular reasoning, e.g. "You can't expect eighteen-year-olds to vote intelligently, because they are too young to have good judgement about the issues".
Yet another part of English butchered by Slashweenies wanting to appear intelligent.
Hail Eris, full of mischief...
E pluribus sanguinem
I've just thought of a varient on 2) that's nasty:
:). Upload modified files that have had keyloggers/spyware added to them, but give the same SHA-1 hash.
Secretly hack a software download site, such as distro mirrors or windows update
Even systems which check the hashes of downloads (or certificate signed ones, maybe), and would install the modified files and be none the wiser; and if the break-in isn't discovered quickly, the software could get pretty widely spread.
Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
Well, sorta.
IANAC, but my understanding is you really have to look at protocols and implementations to understand the impact of a potential weakness in an algorithm.
The one way functions used in public key crypto are very expensive to compute, whereas hash functions are relatively cheap. Therefore it is common practice to sign, not the document, which is large, but a hash of the document. If you have a completely reliable hash function, it is for all purposes just as good as signing the document.
So, any digital signature implementation that works this way, and uses sha-1 as the hash function, is potentially crackable and probably shouldn't be used where more than a million dollars is at stake.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
There must be better ways of using your $30+ million dollars.
Totally agree, however in the crypto community (which I cannot claim to be part of) the consensus is generally that if a weakness if found in an algorithm then it begs the question - "what other weaknesses are there".
At least the information in R2 is still intact. I only hope that when the data's analyzed, a weakness can be found. It's not over yet.
"On a scale from 1 to 10, people are stupid"
Either I have a poor understanding of a circular argument or you have a poor example. Your terms to be quite independent of each other.
AFAIK, the canonical (right word choice?) example of a circular argument is "God exists because the Bible tells us so, and we know we can trust the Bible since God wrote it."
* Yes, this "error" in the title is intentional and meant humourously.
Your CPU is not doing anything else, at least do something.
The Cylons tried to frame Gaius Baltar using a doctored photograph.
Also a lot of stuff about Baltar's relationship with God [which probably sailed right over the head of the average /.-er].
3) Would the RIAA/MPAA go halvesies in order to find user/password collisions for some people they suspect of being big players on a P2P network, in order to gain some access to see exactly what they're sharing?
I have no idea if a network vulnerable to this exists, and I realize they couldn't use those findings legally but it could sure put them on the track they're looking for.
No hash algorithm is collision free, and will not give perfect distribution across its bit space. A hash's width of N bits doesn't mean you will get 2^N distinct combinations for 2^N different inputs. It is damn well going to be far, far less than that before a collision occurs.
So, the fact that that a 160-bit digest which ideally produces a collision in 2^80 tries, but 2^69 in reality shouldn't be that shocking.
Bit Torrents use SHA-1, I believe. If the MPAA wants to spend the money, I suppose they could start corrupting downloads now by inserting torrents that pass the SHA-1 hash, but do not actually contain valid data.
If you're already out of high school, then I'm sure DeVry or some other fine institution will be happy to take your money and make you feel better about the situation for a while.
One simple rule for its versus it's
No crypto is powerful, or clever enough (yet!) to be completely unbreakable so its all down to making assumptions:
Wow, you made a statment like that without drawing 10 irrelevant replies about 1-time pads. I've never seen that before!
-a
as soon as you try to place specific content in the message, it becomes *much* harder to find a collision
It's pretty easy to put a whole lot of garbage data in a document. Changing this data wouldn't affect how the document looks, but would of course affect the hash. With this to modify, you could create a collision with the ease mentioned in the article.
If you store passwords as SHA hashes, and if someone can get a list of hashes, then they can find colliding passwords.
No, they can't. You can create a hash collision with a known piece of data, not with a known hash. You would have to know the original password (from which of course the hash is easily computable) to create a password with a colliding hash.
It's pretty easy to put a whole lot of garbage data in a document. Changing this data wouldn't affect how the document looks, but would of course affect the hash. With this to modify, you could create a collision with the ease mentioned in the article.
It is pretty easy to detect a whole lot of seemingly random garbage appended to the end. This "problem" can be solved by simple efforts to detect tampering. You will have to do better than that for a long-term threat.
LedgerSMB: Open source Accounting/ERP
I'm afraid I don't believe it. There's nothing on Netcraft about all this.
Get your own free personal location tracker
Or Would someone be willing to pay a russian hacker $10.000 to create a virus that infects 100.000 zombie PCs and runs the decryption overnight?
I understand that this whole things shows that the SHA-1 algorithm isn't as strong as we thought it was. However, I want to see a real world application of these findings. If for instance you sign a plain text, non-html email, using sha-1, what is the probability that someone could generate another email, non-html, that looked like a real message, that hashed to the same value. It's all well and good to say you can find 2 things that hash to the same value. We knew you could do that. The hard part is getting 2 meaningful messages that hash to the same value. And most of the time, you can't just stick some stuff on the end so nobody will notice, at least not those interested in actually checking if the document is valid.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
- No crypto is powerful, or clever enough (yet!) to be completely unbreakable
Forgive me if I am taking your statement too literally, but there is one method of encryption that is mathematically unbreakable. It is called a "one-time pad".It is conceptually very simple. Generate a Key filled with cryptographic-quality random data that is as long as the plaintext. XOR the plaintext with the key to get the cyphertext. XOR the cyphertext with the key to get the plaintext. Because of the nature of the algorithm, there is absolutely no way to determine the plaintext or Key form the cyphertext.
Key management for a one-time pad is a huge problem, which makes it only appropriate under certain circumstances, and even then a given key can only be used once if you want it to still be considered "secure".
Just to make a minor commentary on the original story... No hash algorithm that produces output smaller than the data it is hashing can be considered collision-free. The trick is making a hash algorithm in which the only way to find a collision is through a brute force attack.
— darco
Now that a weakness has been shown for SHA-1, has the same analysis been done for SHA-256 & 512?
Admittedly, dropping 2^11 values off a 256-bit hash doesn't reduce the time to find a collision that much, but perhaps for the versions other than SHA-1, it's more than 2^11?? I wouldn't want to change algorithms from one that has a known weakness to one which has an even bigger unknown weakness.
So I'll change once the other SHA versions have been shown to be free of this weakness.
Chip H.
They removed TIGER from the OpenPGP specs and now after SHA-1 has been broken they think loud about moving to SHA-2 which is despite all improvement an algorithm of a similar architecture. When the **** will they finally add WHIRLPOOL to OpenPGP!? WHIRPOOL is a NESSIE (EU) approved algorithm, what are they waiting for?
Poor Schneier has been slashdotted, here the mirrordot link to the article: http://mirrordot.org/stories/8d15245fcd484ffea6ab7 38745bfa642/index.html
Obviously. But that's not nearly as funny, is it?
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
For those who complain about the speed of strong digests the VIA Mini-ITX platform with the C5J / C5x? processors from Centaur include the Padlock Engine (as they call it) that implements SHA-1 and 256 on core.
Implementing SHA-256 on core means many times faster performance than a 64bit Itanium on a small 1.4Ghz 10W processor.
2^69? These guys need girlfriends.
Corrupting a BitTorrent transfer would require a preimage attack, where the attacker must determine new (malicious) data with a specific hash. For an ideal hash function, the preimage complexity is 2^(n-1). This research did NOT weaken the preimage complexity of SHA1, so does not affect BT, or HMAC users such as SSL/TLS and IPSec (ESP).
This research instead concerns the birthday attack, where an attacker must (merely) find any two messages with the same hash. For an ideal hash, the birthday complexity is 2^(n/2). This research has shown that SHA1 is far from ideal (colliding in 2^69 attempts instead of 2^80).
The MPAA is still much better off filing lawsuits than going after SHA1.
The passive voice will be used until all are made sorry!
Not to be confused with the "shar" shell archive format.
Linux updates are still using MD5 for hash checksums. It's still udeful by looking for both file size and hash, (and with the two combined, still get a unique, unhacked result). At some point though, people may want to look at SHA-256 or SHA-512. Considering the rate that Linux updates appear (fast and furious as always), it would take someone wanting to break the binary/update more time than it takes for the update to be replaced with a newer one.
trusting NSA. Like Schneier suggested, we need a competition like AES competition to prevent secretive agency like the NSA have a hand in encryption and hashing. "Additionally, algorithms from the NSA are considered a sort of alien technology: they come from a superior race with no explanations. Any successful cryptanalysis against an NSA algorithm is an interesting data point in the eternal question of how good they really are in there."
The findings are that SHA-1 is not collision free
NO hash algorithm which is capable of reducing an arbitrary number of bits to a smaller message digest, is ever going to be collision free when the input is larger than the digest. Ever.
The difficulty is normally in finding a collision, whether through brute force or algorithmically.
It would be possible to design a hash algorithm to have no collisions with input of a length smaller than or equal to the message digest. But that is of pretty limited use when we're talking about lengths like 160 bits.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
Creating pseudo-random numbers that hash to the same value != making any arbitrary document hash to the same value.
I agree, however what sort of document are we talking about here?
Plain text? Okay, that would be super difficult to do without padding with gibberish.
A bitmap image of a faxed document? Easy with all those random noise bits.
A document which allows and has embedded images? Easy, make the required changes within the least significant bits of the images.
etc etc etc.
I will stick to signing plain text only thank you very much.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
Too bad I just put all my moderator points elsewhere. That was hilarious, and so true.
Actually, it only raises the question. Unless, of course, you want to destroy the distinct meaning of that phrase.
To be precise, one hole has at least two pigeons.
To be precise, at least one hole has at least two pigeons.
Unless there's a hawk.
paintball
Write a macro:
At that point, all you have to do is look for a message that modifies ANY of the characters of $TestBlock while keeping the SHA1 digest intact. You can encode more specific data by specifying multiple such blocks. . If you know what you're doing, you could easily hide this inside a PDF (which is essentially a postscript program) or a word macro.For the most part, something that takes millions of dollars of hardware to exploit doesn't look like such a big deal, but once in a while we find ourselves caught in the middle of affairs much bigger than our piddly little lives, and knowing that someone with the resources of Bill Gates couldn't mount a man-in-the-middle attack on your PGP communications may be more important than you think in the moment.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
What's grosser than gross? Ten dead babies in one trash can.
What's grosser than that? One dead baby in ten trash cans.
No, they can't. You can create a hash collision with a known piece of data, not with a known hash. You would have to know the original password (from which of course the hash is easily computable) to create a password with a colliding hash.
Wait, explain that again?
The post to which you reply is saying that if a system stores the hashes of passwords instead of the passwords themselves (many places on the net do this - some with MD5, many with SHA1) so that if my password is "pants" the system will hash that when I sign up and then put that in the database.
So then when I login in the future, it hashes my password and compares that to what it has in the database, and if the two hashes are the same, it assumes that it is my password and lets me in.
So that poster you responded to was saying that if we could get that list, we would have the hash. Then all we would need to do is try combinations of characters through the hash to get a collision on the target hash (the "pants" hash in this case).
If it turns out that "balls" makes the same hash that "pants" makes, then they could type in "balls" while logging in as me and it would produce the same hash as "pants" and the system would think that they are me.
They would never need to know what the original password is, and they would never need to care - they can get in due to the collision.
There are some odd things afoot now, in the Villa Straylight.
I wonder what the OpenPGP response will be. The spec (http://www.ietf.org/rfc/rfc2440.txt; see section 9.4) doesn't describe these algorithms.
It doesn't have to be random garbage at the end. For example, say you have an image in the document without any sort of compression. Changing a bit here or there will affect, perhaps, the shade of a few colors, but it's possible to have a large amount of modifiable data using that, while the content remains the same. And all the data is used (in displaying the image).
Yes, but the point (well, one of the points) of SHA1 is that it's really fucking hard to find a combination of characters that produces the same hash as known hash. This is not what the process described in the article affects; this is just as hard as it has always been. What the process in the article affects is calculating colliding hashes from known pieces of data. It takes a very long time, given the hash of pants, to find something with the same hash - it now takes less time than it was originally thought to calculate, given "pants", a piece of data that gives an identical hash.
Oh excellent, now I see what was being said. I figured I must have missed something.
Thank you!
(this is where at least one person needs to give me a hard time for not reading enough of the article - and for good reason)
There are some odd things afoot now, in the Villa Straylight.