More on Newly Broken SHA-1
AnonymousStudent writes "Details are out about the reported broken SHA-1 hash function. The findings are that SHA-1 is not collision free and can be broken in 2^69 attempts instead of 2^80. This is about 2000 times faster. With today's computing power and Moore's Law, a SHA-1 hash does not last too long. Using a modified DES Cracker, for the small sum of up to $38M, SHA-1 can be broken in 56 hours, with current computing power. In 18 months, the cost should go down by half. Jon Callas, PGP's CTO, put it best: 'It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off.' As Schneier suggests, 'It's time for us all to migrate away from SHA-1.' Alternatives include SHA-256 and SHA-512."
2^69 attempts instead of 2^80 seems like only 11 times faster, then again, that's just me.
2^80 = 2^11 * 2^69 = 2048 * 2^69
The new SHA-1 break only affects very carefully constructed messages. This means that it is completely useless for an attacker impersonating an existing message, unless that message was purposely constructed to be attackable. The attack is only useful if the attacker creates both messages, and the attacker can choose the exact format of both messages.
- Sam Ruby
"The findings are that SHA-1 is not collision free"
Since when is it possible to have a collision free hash when the hashed data has more possible bit combinations than the hash itself?
Genuine question.
SHA-1? pshhhh. They should be using SHA+1. That's 2 more!
Jesus Christ. In the time it took to write my post (all of 30 seconds), five other people replied to you.
Just goes to show, the quickest and most effective way to get information on the net is to post something that is wrong.
The findings are that SHA-1 is not collision free and can be broken in 2^69 attempts instead of 2^80.
Well, doh - it's a hash you silly, there will always be collisions.
Anyway, it's nothing to panic about really. The amount of computer power needed to crack it is still massive. Unless you're investigated by the NSA, SHA-1 will be fine for quite a while.
I bet $50 that a hard drive manufacturer came up with that!
They already exist. RIPEMD-160 is tried and tested and seems secure, or at the more experimental stage there's Whirlpool.
I am trolling
Totally agree, however in the crypto community (which I cannot claim to be part of) the consensus is generally that if a weakness is found in an algorithm then it begs the question - "what other weaknesses are there?"
Once an algorithm's strength is in doubt by the presence of even one weakness, people feel very reluctant to trust it.
It's probably up to everyone to see how this affects their own circumstances. Crypto is always about knowing your enemy (the paranoia has now kicked in!). When picking a scheme one always makes a number of assumptions - Who are you keeping the information hidden from, what resources do they have, how badly do they want it.
No crypto is powerful, or clever enough (yet!) to be completely unbreakable, so it's all down to making assumptions:
1) Would someone be willing to pay $38 million (assuming this is correct) to get my credit card number - probably not.
2) Would someone be willing to pay $38 million to get insider info on a merger between two banks - each worth over $10 billion.
What unsettles people is that their previous assumptions on SHA-1 are now invalid.
[ Monday is a terrible way to spend one seventh of your life. ]
So someone with $36 million to throw around can, in 56 hours, produce two random messages with the same SHA-1.
::cough::
Great.
So, presumably, this devious (and very rich) hacker might produce the following two messages:
"bma p3 rjphta,-9p.u2#H50982u.yha,cp. hxasnip"
and
"BUEQXBBX2 jma93#9g5xbaida htuEXOAhkra1255,y"
And then, of course, he'd somehow trick me into signing "bma p3 rjphta,-9p.u2#H50982u.yha,cp. hxasnip". Because I sign random pieces of gibberish all the time, if asked. And then, having done this, he could go around claiming that I had actually signed "BUEQXBBX2 jma93#9g5xbaida htuEXOAhkra1255,y".
OH NO!
Sure. Moving to SHA-256 is all well and good. But, frankly, I think these reports are horribly overblown. Crypto geeks are jumping up and down with their hair on fire (just like George Tenet!) because their perfect algorithm is slightly less perfect in a way that doesn't have any real practical meaning in most situations.
Meanwhile, there are real security problems out there in the form of poorly written software and poorly administered systems. Please, please do not spend your time rewriting your software to use SHA-256 when you could be patching real security holes. Leave SHA-256 until you have nothing better to do.
Yes, but say someone creates a document (such as a contract) for you to digitally sign.
If they're prepared to spend a realistic level of time on it they could create two of them that hash to the same thing, with a small but effective change to the second.
You sign the first with SHA-1, but your signature also matches on the second, putting you in a weak position when you try and claim "I didn't sign _that_!"
The time/money requirements to do this aren't really practical yet, but they will be soon.
As the sub says, time to start shifting off SHA-1.
Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
The attack has nothing to do with trying to discover contents based on the hash, it has to do with generating intentional collisions.
Attacks on hashes have absolutely nothing to do with discovering any kind of content, they have to do with the reliability of digital signatures, key exchange, data integrity, authentication etc.
As for any kind of cryptography being sufficient...no, not really. Consider CSS...the encryption used on DVDs is no longer considered any kind of barrier to access.
Similarly publicly visible hashes in password files on Unix systems haven't been considered secure for over 10 years, due to the simplicity and success rate of dictionary attacks (plus more recently, brute force is becoming increasingly easy).
The concern is not so much that the method described in this break is feasible on today's hardware, or even that this method will get cheaper and cheaper as hardware gets faster. The BIG concern is that this method provides insight into SHA-1 in general, and will be used by others to come up with more efficient breaks or more egregious flaws.
All crypto algorithms age, and even if the news of SHA-1's death is somewhat dramatised by people who make their living from security work, it's important to see _all_ crypto algorithms as temporary shims.
That is why anyone developing new protocols and products that rely on security should use SASL, which abstracts the crypto layers in such a way that it's easy to change them over time.
SASL is an IETF standard and there are open source implementations like Cyrus.
Sig for sale or rent. One previous user. Inquire within.
Having worked in the crypto field, I thought I would take some time to clear up a few misconceptions. First off, the results of this paper in no way compromise the security of email or other data encrypted with algorithms that use this hash. As an extension of Moore's law prevails, these characteristics of any hash function are bound to be discovered. However, with that said, it is important to realize that this new discovery in mathematics allows us to move forward with hash technology to develop better algorithms.
Hash algorithms are one of the least understood principles in cryptography. The established mathematics around them is contemporarily vague, but under constant research. Therefore, anytime a new publication illustrates a flaw, technique, weakness, etc. we should be pleased that our understanding has grown and that a new, more advanced algorithm can be created with the knowledge gained.
This discovery is a not something to panic about, but rather an achievement that will bring about newer, stronger encryption technology.
Apologies, $80k per problem.
I presume that finding two colliding contracts both written in a meaningful and legally binding language is harder than finding a simple collision.
Write the contract in MS Word and use huge uncompressed BMPs for the company logos. You instantly have enough space for subtle changes to create collisions.
2) Would someone be willing to pay $38 million to get insider info on a merger between two banks - each worth over $10 billion.
Except SHA-1 isn't an encryption scheme, it's a hashing algorithm. For your 38 million you could construct a machine that would create two random messages that hash to the same value. Totally useless. Really what you want to do is find a message that hashes to the same value as a specific message. Or even better you'd want to create an arbitrary message, tack on some header or footer and have that hash to some chosen hash.
If I understand message signing and digital signatures, an attacker wants to make it look like they're the intended target. Say I send a signed message to my bank saying "please transfer $1,000,000 to account 123456". An attacker wants to generate a message like "please transfer $1,000,000 to account -attacker account number-" that will hash to the same value, so he/she can use the same signed digital signature. The 38 million dollar device won't be able to do that in 56 hours, I doubt you could do it in 56 years (and I highly suspect it would take MUCH MUCH longer).
AccountKiller
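The contract scenario above (sign a harmless contract, the signature then validates a damaging one with the same hash), the BMP-logo "slack space" trick, and the "transfer $1,000,000" second-preimage objection are all easier to see in code. The following is an added example, not code from the thread or from any SHA-1 paper. It makes three assumptions: SHA-1 is truncated to a handful of bits so a plain birthday search finishes in seconds (the real Wang et al. result is an analytic shortcut, not brute force, but the consequence for signatures is identical); the "signature" is an HMAC over the digest, standing in for RSA or DSA, which likewise sign only the digest; and the contract templates, the `logo=` slack field and the signing key are all constructed for the demo.

```python
"""Added example (not from the thread): colliding contracts versus a
second preimage against a message the attacker did not write.

Assumptions: SHA-1 is truncated to `bits` bits so brute force is cheap;
the signature is an HMAC over the digest, standing in for RSA/DSA;
the contract texts, slack field and key are constructed for the demo.
"""
import hashlib
import hmac

# Assumption: stand-in for the victim's private signing key.
SIGNING_KEY = b"victim-signing-key-stand-in"


def toy_hash(msg: bytes, bits: int) -> int:
    """SHA-1 truncated to `bits` bits: a deliberately weak hash for the demo."""
    full = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return full >> (160 - bits)


def full_sha1(msg: bytes) -> str:
    """Untruncated SHA-1, to show the colliding pair only matches after truncation."""
    return hashlib.sha1(msg).hexdigest()


def sign(msg: bytes, bits: int) -> bytes:
    """Signature over the digest alone (HMAC stand-in for RSA/DSA signing)."""
    digest = toy_hash(msg, bits).to_bytes(20, "big")
    return hmac.new(SIGNING_KEY, digest, hashlib.sha256).digest()


def verify(msg: bytes, sig: bytes, bits: int) -> bool:
    return hmac.compare_digest(sign(msg, bits), sig)


# Constructed contracts. The `logo=` field plays the role of the uncompressed
# BMP: bytes the attacker can vary without changing what the signer reads.
BENIGN = b"CONTRACT: Alice pays Bob 100 USD for consulting.\nlogo=%08x\n"
DAMAGING = b"CONTRACT: Alice pays Bob 100000 USD for consulting.\nlogo=%08x\n"


def find_collision(bits: int, max_tries: int = 1 << 20):
    """Birthday search: the attacker controls BOTH documents, so slack is
    varied on both sides and any cross-match will do. Expected cost is
    about 2^(bits/2) hashes per side. Returns (benign, damaging, tries)."""
    seen_benign = {}    # truncated digest -> benign variant
    seen_damaging = {}  # truncated digest -> damaging variant
    for k in range(max_tries):
        b, d = BENIGN % k, DAMAGING % k
        hb, hd = toy_hash(b, bits), toy_hash(d, bits)
        if hb == hd:
            return b, d, k + 1
        if hb in seen_damaging:
            return b, seen_damaging[hb], k + 1
        if hd in seen_benign:
            return seen_benign[hd], d, k + 1
        seen_benign[hb] = b
        seen_damaging[hd] = d
    return None


# Constructed messages for the bank-transfer objection in the thread.
TARGET = b"please transfer $1,000,000 to account 123456"
FORGED = b"please transfer $1,000,000 to account 99999999 slack=%08x"


def find_second_preimage(bits: int, max_tries: int = 1 << 22):
    """Second preimage: the signed message is fixed, so only the attacker's
    side can vary. Expected cost is about 2^bits hashes, the square of the
    collision search. Returns (forged, tries) or None."""
    target = toy_hash(TARGET, bits)
    for k in range(max_tries):
        candidate = FORGED % k
        if toy_hash(candidate, bits) == target:
            return candidate, k + 1
    return None


def demo(collision_bits: int = 20, preimage_bits: int = 16) -> dict:
    """Run both searches; the victim signs the benign contract only."""
    benign, damaging, tries = find_collision(collision_bits)
    sig = sign(benign, collision_bits)
    forged, tries2 = find_second_preimage(preimage_bits)
    return {
        "collision_tries_per_side": tries,
        "signature_transfers": verify(damaging, sig, collision_bits),
        "second_preimage_tries": tries2,
        "second_preimage_bits": preimage_bits,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a 20-bit truncation the collision search typically needs on the order of 2^10 hashes per side, while the second-preimage search at only 16 bits already needs on the order of 2^16; scaling the exponents to 160 bits is exactly the 2^80 (now 2^69) versus 2^160 gap the thread is arguing about. The `signature_transfers` result is the point of the contract posts: once the digests match, the victim's signature on the harmless document verifies on the damaging one without the attacker touching the key.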
It takes roughly 56 hours to go from a message which hashes to 0xAABBCCDD11223344 to a message which also hashes to 0xAABBCCDD11223344, which means that it would have an identical signature, meaning that the original signature would validate the fake message.
Personally, it's not the huge end-of-the-world scenario everyone thinks it is. It would probably take tens of thousands of years for this machine to output a well-formatted message that had a hash collision and could not be trivially discarded as gibberish.
If I have been able to see further than others, it is because I bought a pair of binoculars.