PGP Moving To Stronger SHA Algorithms
PGP Corp. is moving to stronger SHA algorithms (SHA-256 and SHA-512) as a consequence of the research conducted by the team at Shandong University in China who broke the SHA-1 algorithm. (See this earlier story for more information on the SHA-1 vulnerability.)
They're just trying to avoid the problem, not solve it. Moving to SHA-512 is not a solution. :/
I think I'll wait for the SHA-65000 algorithm instead.. it'll be harder to crack.
... who broke the SHA-1 algorithm.
They did not break it. They just found a way to reduce the number of trials needed to find a collision.
wouldn't the problem still exist but the odds of cracking it would be so huge it wouldn't be worth it?
right? correct me if I'm wrong.
Is there a reason to wait until someone breaks the existing algorithm before moving to a stronger one?
It seems to me that if you start working on implementing the stronger ones BEFORE your existing one is broken?
An ounce of prevention...
but why not take a hash of a hash?
if it's broken once, all you get is another hash, and with no way of telling if you've cracked it or not, it's useless
In other news, advertising on Slashdot is now free: just submit your ad as a story, and some editor will post it without even reading it.
Whatever is said in Latin seems profound. (quidquid latine dictum sit altum videtur.)
Who needs fancy things like PGP? I encrypt all my sensitive data in ROT-13, and it hasn't been cracked yet!
Would current customers have to buy PGP again? I see the problem as a bug not an "old version" weakness.
Will GPG follow it? should they do it?
PGP, not PHP. PHP = scripting language, commonly used on Web sites. PGP = encryption program.
nicely done! Bravo!
There's a discussion about this very subject going on on the IMC's discussion list for OpenPGP. From reading the posts, particularly the ones by PGP's Jon Callas, I don't think that PGP has officially decided to implement this change just yet. (On the list, the thread titled "SHA-1 broken" is the one you will want to follow.)
But then, I could have missed something.
This article is of course posted by timothy who also managed to post 2 dupes within the last 24 hours.
http://lists.gnupg.org/pipermail/gnupg-users/2005-February/024862.html
...atom
Atom Smasher atom at smasher.org
Wed Feb 16 21:56:25 CET 2005
Hash: SHA256
this should help put the (alleged until proven otherwise) SHA-1 break into
perspective. thanks to Sascha Kiefer for giving me the idea.
let's say that unbroken SHA-1 represents a 100 meter (328 ft) wall. if a
break allows a collision to be found in merely 2^69 operations (on
average), that would mean the wall has crumbled to 4.9 cm (1.9 in) tall.
that's broken!!
OTOH, let's say that unbroken MD5 represents a 100 meter (328 ft) wall.
comparing unbroken MD5 to broken SHA-1 means the wall would actually grow
from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall. SHA-1, even if
it's broken enough to find a collision in 2^69 operations (on average), is
still stronger than MD5 was ever meant to be.
again, using unbroken MD5 as our reference of a 100 meter (328 ft) wall,
unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was
intended to be incredibly stronger than MD5.
- --
(PHPBBQ? *mentally runs sed s/PHP/PGP/g on post*)
I would still rather see people encrypt all their data than to send (even potentially) sensitive data in plain text. Sure, the best option would be educating people on what is really important, and thus worth encrypting, but a lot of people can't seem to grasp the concept of privacy/security. I know people who would submit a credit card number to some shady website over plain HTTP, without even looking on the page for a privacy policy.
Granted, it is borderline ridiculous to encrypt anything and everything, but it's better than not encrypting anything at all and hoping nobody's looking.
Bears don't normally eat things that talk and move backwards.
Ok you're a fucking moron.
... so, that should read "I'm not for encryption at all!"? How are you "All for encryption" if you think that having the technology available is a bad thing?
As for "There's no good excuse... doing so wastes the time of others"... which others? Sorry, but I do have problems with the possibility of an automated censor reading everybody's mail, and if having some crypto there wastes their time then that's fine by me. If you're talking about wasting the time of my family and friends, well, that's another matter. The ones that care for it will use it. The ones that don't, won't.
And... err... PHP? Do you mean PGP? Sure, it might be interpreted and a little weird on the syntax front ("->" ?!?!?), but I don't think it's a major threat to national security. Unless you're talking about SQL injection attacks, of course.
IANACE too (I am not a Crypto Expert). But it may happen that by doubling the hashing you are making it much weaker. I am not sure, but my intuition tells me that it can be the case.
Hey dumb ass.. he was *obviously* joking. There is no one on this planet that dumb (that would be able to manipulate a keyboard/mouse well enough to get to Slashdot).
Why not use two hashes? It's exponentially harder to find a collision that fits for two hashes, isn't it?
-b0lt
got sig?
This appears to be a bold move.
How the hell was this modded informative?
I realize that this means that 2 messages can be generated with the same hash. However, does this really signify such a big weakness. The person generating the hashes has no control over the content of either of the messages, nor do they have control over what the resulting hash will be. So, you can, in a reasonable amount of time, generate 2 arbitrary messages with the same, yet still arbitrary hash. So what. Unless you can generate meaningful messages with identical hashes, you don't really accomplish anything through using this technique.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
So what do you guys wanna bet that at least a few of these researchers have their phones tapped at this point?
I can't think of any intelligence agency that that wouldn't like a few days head start with any more findings these guys come up with.
I'm not really headed anywhere specific with this comment, other than getting this thought out there. People have been bugged to gain access to much less exciting information than this.
Life is too short to proofread.
I propose a name change. Instead of "Secure Hash Algorithm", we should name it "Secure is Not this Hash Algorithm" or SNHA. That name would be more accurate.
- R. Stallman
SHA-1 Hash Algorithm and Source Code
Creative Demolition
Adding to what you've said, if the crumbled SHA-1 wall is 4.9 cm (1.9 in) tall, our current average reach for scaling the wall is still a few nanometres.
It appears as if that 4.9 cm wall is very scalable, but it still isn't easily scalable.
Quoting Bruce Schneier's quote of what Jon Callas, PGP's CTO said: "It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off."
Banu
think about it, it's simple yet totally effective
What about S/MIME?
According to the article,
... addressed the company's design philosophy in a September 2004 ... article entitled "Much ado about hash functions". At the same time, PGP engineers began implementing a shift from SHA-1 to the stronger algorithms (SHA-256 and SHA-512)
Jon Callas
So they were actually ahead of things, not reacting to the break.
Interesting????!
if that was a joke, that was not funny... I also really thought this guy was THAT dumb
with every additional hash there you give more and more information about the original key => it makes it easier to find attacks combining the info from two results from different algorithms
Churchill said, "Nothing is so exhilarating in life as to be shot at with no result", not "there's no greater thrill in life than being shot at and missed."
American paraphrasing of Churchill is no thrill to me.
Or... they could do a Microsoft and pretend that the vulnerability doesn't exist until after a patch has been released.
Hmmm.... methinks that perhaps moving to SHA-512 in the meantime might be a safer alternative.
Indeed. Please stop encrypting random crap, we have enough of that in our hands already. Next thing you know, some random would-be terrorist will be claiming illegal decryption of family mail under the DMCA and ye'd REALLY hate to explicitly amend the DMCA to read "US Government Intelligence Services excepted"
Best Regards,
Anonymous NSA Spokesman.
PS. also, please use ROT-1 consistently, it's RHR not PHP
Perl scripts, on the other hand, are clearly far too illegible to be considered plaintext.
English is easier said than done.
This reminds me of the DRM debate of about a month ago here on SlashDot. I took the stance that DRM would be broken just like any of the other algorithms that anyone has come up with. I was told by one person that DRM could never be broken. Well, when SHA-0 came along they thought it could never be broken either. Then SHA-1, now SHA-256, and later it will be SHA-512. As someone else pointed out - it is just a matter of how much computing power do you want to put behind your attempt to break an encryption.
But here's a scary thought for you: The new Playstation 3 is packed with at least three CELL CPUs and a maximum of eight. The PS3 is supposed to be an order of magnitude faster than any currently existing microcomputer. It is, therefore, a supercomputer in its own right. But that's not the scary part. The scary part is that the PS3 runs Linux, can be programmed just like a regular computer, and is stackable. At SIGGRAPH 2001 Sony displayed a box you could buy where you could stack up to ten PS2s and they would act like a networked supercomputer. They had a really neat display of a girl in a space station with the earth and stars outside of the window. One PS2 controlled the earth simulation and stars. One did the interior of the space station. One did the hair (so they could do individual hairs), one did the body (breathing, texture, etc...), one for facial expressions, and the rest did arms, hands, legs, feet, and some special effects (like the weightlessness). All of these functions can be done on one PS3.
Ok, so if you can buy a PS3 for an estimated cost of $350.00 USD, how many PS3s would it take to break SHA-512? DRM? Or any other encryption method? Remember that they are 64bit computers also so they can move the data around a lot faster. And - they may also be able to handle many GIGABYTES of memory (which means they will be able to break codes even faster).
We basically are building our own nightmare. We want the faster computers so we can do things faster but that means those who are destructive are also getting the same toys to play with to make our lives miserable.
Someone put a black hole in my pocket and now I'm broke.
had to be said ......
I am the Barber of Seville.
My understanding of the 'break' is simple: given a hash, we can now find another 'message' with the same hash, not by 2^80 brute force guesses, but by 2^69 cleverer tries, a factor of 2000 improvement, and potentially bringing this attack into the realm of computational feasibility.
:). Of course as soon as someone can insert something into the original data, code signing is completely broken.
So what?
Until we can find a 'meaningful' message with the same hash, or until we can remove data from or add data to the original message, and preserve the hash, we can sleep easy - except the file-sharers
But please, somebody explain to me how we're vulnerable. You can take my message and - if you try very very hard - you can create a garbage message that you could claim I signed. And that's all.
BTW, I'm well aware that applying one hashing mechanism to a message then another will not help, but why not apply two in parallel? The message would have two hashes, which isn't too much of a burden, and barely increases the message length. Sounds good to me.
Look, we all know that PHP is broken and a huge waste of time.
PGP on the other hand is a different matter.
"Orthodoxy means not thinking--not needing to think. Orthodoxy is unconsciousness." --Eric Blair
You are NOT trying to ensure that there is only one item per pigeonhole, although this is a frequent side effect of having 2^wow pigeon holes. If there are more pigeonholes than atoms in the universe, then collisions will be rare.
But the real concern is not collisions, but predicting and/or causing collisions. If I told you a hash had several collisions, that information is useless for most crypto uses unless you can find them.
So the pigeonhole issue is only a concern for DBA's who might use a hash as a primary key. For crypto, the issue is different.
To forestall the obvious question about GnuPG compatibility, GnuPG has had SHA-256, SHA-384, and SHA-512 since version 1.2.2 (2003-05-01) so it will interoperate nicely with the new PGP.
Incidentally, despite what the article implies, PGP has actually had SHA-256 support for a while now. It's not exposed in the GUI, but if you use GnuPG to generate a SHA-256 message, PGP can handle it.
In terms of what the SHA-1 "break" means, it is certainly time to start migrating to something stronger, but it is not time to panic and start revoking keys. Think of this as the MD5 situation in the late 1990s: a flaw was found, people migrated away, and when the serious MD5 crack was found last year, most people had already stopped using it.
The sky isn't falling. It's just a wake up call to start moving to something better.
If SHA-1 was a 100km wall, then now it is only 49m tall. You're still not going to scale it.
The use of wall heights where one is much taller than a person and one is much smaller is very prejudicial.
Also, note that all this talk of "breaks" is only true if you are the sender of the original message. This is a susceptibility to a birthday attack, not a recipient's break.
FYI, alternate hashes which were in RFC2440, such as TIGER and HAVAL, are no more, and the reason for their removal was given as "keeping things simple", while at the same time all sorts of bells and whistles have been added to the aforementioned RFC to make its implementation harder for any newcomer.
TIGER was removed because PGP Inc. never implemented it in their products, while HAVAL was removed because none of the implementers who mattered had it, and it goes without saying that if PGP Inc. has not implemented an algo, be it hash, symmetric..., then it will be axed or never make it to the RFC.
The suite of hash, and symmetric algorithms in RFC2440 are deficient, they ought to be more diverse, so that if one is broken one may fall back on another which has yet to be broken. Sadly, that is not the case, i.e. there are problems with AES, and it is only a matter of time before... There is another symmetric encryption algo out there which is immune to this problem(it was one of the AES candidates), and it has yet to make it to the rfc, reason given, other than above, it's slow!(it's a hell of a lot faster than any of the pre AES algos)
The title of this article is misleading, in that it proclaims "moving to a stronger SHA Algorithm (SHA-256 and SHA-512)", while these hash algorithms are newcomers in the zoo, and have yet to stand the test of time...
To conclude, I wouldn't worry about the above, however, I would very much worry about RFC2440, as regardless of the algo suite, it may be deemed broken in many ways.
HTH
Best Regards
IRFe scrutinized
Just wait till modern processors get the ability to process data using quantum mechanics. Processors can already do FP, Vector... and maybe soon Quantum. At least, until a full scale quantum processor is fabricated.
Life is not for the lazy.
Seems to me that what this break means, regardless of the work needed to use the break is that SHA-1 has been proven to be less secure than predicted, and therefore it is not as well-understood as previously thought.
I'd rather have something that is theoretically sound and reasonably tested, than something that has been shown to be theoretically unsound.
What this much-publicised break offers is a faster-than-brute-force way to create 2 messages whose hash is identical, but not to construct a message with a predetermined hash (which is what you'd need to do if you wanted to alter the content of an existing PGP-signed document).
The best such attack against SHA1 known to date, Kelsey & Schneier (Nov 2004, cf. http://eprint.iacr.org/2004/304), requires 2**106 operations; way beyond our reach today.
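The distinction drawn above (and argued over further up the thread: "so what if two arbitrary messages collide?") is the one between a collision attack and a second-preimage attack. The following is an added example, not code from the page, from PGP Corp., or from the Shandong researchers: it truncates SHA-1 to 20 bits so that both attacks can actually be run to completion, measures the work each one takes, and shows that a collision in the inner hash survives any "hash of a hash" wrapped around it. The truncated hash, the message formats and the 20-bit width are constructed for the demonstration and stand in for nothing real.

```python
"""Collision (birthday) search versus second-preimage search on a toy hash.

Added example for illustration; not the page's code. The toy hash is
SHA-1 truncated to `bits` bits so that generic attacks finish in seconds.
For real SHA-1 the same two numbers are 2**80 (birthday bound) and
2**160 (second preimage); the 2005 result cut the first to 2**69,
i.e. a factor of 2**11 = 2048, and left the second untouched.
"""
import hashlib
from math import pi, sqrt


def trunc_sha1(msg: bytes, bits: int) -> int:
    """First `bits` bits of SHA-1(msg) as an integer (constructed toy hash)."""
    digest = hashlib.sha1(msg).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def expected_work(bits: int):
    """(expected birthday-collision cost, expected second-preimage cost)."""
    return sqrt(pi / 2 * 2 ** bits), 2 ** bits


def find_collision(bits: int):
    """Birthday attack: the attacker picks BOTH messages.

    Hash distinct messages until two share a digest.  Returns
    (message_a, message_b, hashes_computed).  Expected cost is about
    sqrt(pi/2 * 2**bits), far below brute force.
    """
    seen = {}
    i = 0
    while True:
        m = b"message-%d" % i  # constructed message family
        h = trunc_sha1(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


def find_second_preimage(target: bytes, bits: int, limit: int = 2 ** 24):
    """Second-preimage search: the victim's message is fixed in advance.

    Returns (forgery, hashes_computed) or None if `limit` is exhausted.
    No birthday shortcut applies; expected cost is about 2**bits.
    """
    want = trunc_sha1(target, bits)
    for i in range(limit):
        m = b"forgery-%d" % i  # constructed message family
        if m != target and trunc_sha1(m, bits) == want:
            return m, i + 1
    return None


def hash_of_hash(msg: bytes, bits: int) -> bytes:
    """Outer SHA-256 over the toy digest.  A collision in the inner hash
    is preserved by ANY outer hash, so wrapping does not repair it."""
    inner = trunc_sha1(msg, bits).to_bytes(8, "big")
    return hashlib.sha256(inner).digest()


if __name__ == "__main__":
    BITS = 20
    bday, brute = expected_work(BITS)
    a, b, n_coll = find_collision(BITS)
    print(f"collision after {n_coll} hashes (expected ~{bday:.0f}): {a!r} / {b!r}")
    print("hash-of-hash still collides:", hash_of_hash(a, BITS) == hash_of_hash(b, BITS))
    forgery, n_pre = find_second_preimage(b"message-0", BITS)
    print(f"second preimage after {n_pre} hashes (expected ~{brute})")
```

Run it as is and the collision lands after roughly a thousand hashes while the second preimage of a fixed message needs around a million; that ratio, not the absolute numbers, is what the 2^69 result changes for real SHA-1 and what the Kelsey-Schneier 2^106 figure does not. The `hash_of_hash` check is the reason "just hash the hash" (proposed earlier in the thread) buys nothing: equal inputs to the outer function give equal outputs.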
if you can view the SHA-1 encoded passwords
then you already own the system, so there is no point
Someone please fill me in; What are the advances in breaking a security algorithm if you arent a bad guy trying to steal something?
Can someone please post how to update GPG key preferences to make SHA256 my preferred hashing algorithm? I know I've done it before, but I just can't figure out the preference string this time. Thank you.
"Since then, the USA's encryption policy has been undermined from so-called allies such as Canada and Mexico such that these technologies are in the public domain and commonly used in communicating things that threaten our national security."
The US's encryption policy has been undermined because it's stupid. Canada and Mexico are only two of the dozens of countries that agree with my assessment.
Even if the USA were the only source of strong crypto (Not the case. Rijndael aka AES comes from Belgium.) or every other country agreed with the American position (ha!), it only takes one leak for the bad guys to get the good cyphers.
One leak. When every computer has a binary implementation that can be reverse engineered. When open source software has the source code available for all to see. Even if nobody sold/distributed the good versions outside of the US, it would still be trivial to get a good version out.
I rarely criticize things I don't care about.
Are you familiar with the Wassenaar agreement? If you aren't just blowing smoke, it would be nice to see a few links to back up what you are saying.
But the U.S. government wants to hinder adoption, not keep the bad guys from getting good cyphers.
It's still a brain dead policy, but their behavior makes more sense viewed in this light.
A lot of dumb people have worked for the DoD and NASA.
This is true.
That doesn't mean you know anything about mathematics or crypto.
This is not.
This article was about consequences of finding a weakness in SHA-1.
This is true.
You started spouting off about how "computing power" is what is needed to break crypto.
This is true.
You said something silly about all crypto being broken with more computing power
This is false. Or would you like to go buy, from a junk dealer, an old Apple ][+ and try to break SHA-1? Can't do it? Oh, but I thought you said more computing power isn't needed. Maybe I'm mistaken, but these people didn't use toilet paper to figure this stuff out. They tried various algorithms on their nice supercomputer. Which is where the PS3 came in. Only you really failed to think about it in that light.
Since you were interested enough to reply, I'll elaborate. I didn't in my previous post because I just wanted you modded down--you really were posting just plain wrong information and saying it confidently.
PLEASE! The pity ploy! Gack! I think I'm going to get sick.
First of all, increased computing power is a given.
Oh my god! You agreed with me! And after bashing me so terribly before about saying this same thing! Oh still my beating heart!
But SHA-1 was broken by finding a mathematical way to find collisions with many orders of magnitude less computing power (perhaps I should say "fewer" since computing power is discrete?).
Oh my god! You agree with me again! I can't believe it! They used a mathematical algorithm to do this! Oh! This is too funny!
Secondly, your remark about increased computing power breaking all crypto is absurd.
Now wait! First you agree with me then you disagree with yourself! Oh god! This is too funny! I'm sorry! I just can't go on with a conversation with someone who can't even stay with one stance! Either you agree with me or you don't!
Tell you what! You go ahead and say whatever you want. Just, if everyone will mod this person into flamebait city I'd appreciate it. Cause I have a lot of better things to do with my time than to go through such obviously stupid reasoning.
Later Lord Gator!
Those are cute quips but you didn't back them up with anything. Your statement about me contradicting myself further shows you don't understand the subject matter. And it looks like I have to reiterate: growing computing power, in the form of playstations or whatever other crap you come up with, would never have had an effect on SHA-1 as it is used in public key crypto. So don't spread disinformation. And your call for me to be modded down is futile. This story is way off the front page. You are only talking to me now. Not that I would have cared. I've been at the karma cap since before the cap existed. I'm sorry I was so harsh on you, but you were just wrong.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Well, it does say something about the state of the world when someone *can* believe that that person was telling the truth... there are enough crazy Americans that something like this could actually happen.
Ok, I know I'm going to hate myself for even lending a modicum of credence to your message but since this message was a bit more subdued in tone as well as a bit more reasonable I felt I should answer.
Those are cute quips but you didn't back them up with anything.
Neither did you. All you did was to state your opinions (as I have) on this subject.
Your statement about me contradicting myself further shows you don't understand the subject matter.
First, this is a jibe or slur. Whichever way you wish to take it, it shows that instead of being able to stick to the subject matter you must resort to juvenile behavior in order to attempt to degrade your opponent rather than just stick to the subject matter and present facts, figures, and links to back up your stance.
Note: When you knowingly first said I was right about computing power and then I was wrong about computing power you did a flip flop on your stance. This is also known as "talking out of both sides of your mouth", "being two faced", and so on. (And here I must pause. Because I already know that you will take the above as an insult - which it is not. It is simply a statement about a state of being. Children will take it as a personal insult and some adults will do so as well. But it is not. Which is why I have placed the colloquialisms in double quotes.)
Jumping from one side of an argument to the other and back again makes people think you do not know what you are talking about. Further, my stating your jumping back and forth has absolutely nothing to do with the subject matter and therefore your logic is terribly flawed. It is like saying I know nothing about Australia because radon gas infiltrates a person's house.
If you really had any kind of point to make in this matter, then you should have just said so. Like: The reason I said you were right and then wrong was because of X. Instead, you have to resort to childish, immature jabs in an attempt to goad me. *YAWN* Boring.
And it looks like I have to reiterate: growing computing power, in the form of playstations or whatever other crap you come up with, would never have had an effect on SHA-1 as it is used in public key crypto.
So again we start with a put-down which just makes me go bleck. Why even bother trying to hold a conversation with someone who can't do anything but try to bully you into submission.
So don't spread disinformation.
So look who's talking? Turn the mirror around and ask if you are helping or hurting? Don't see any help here.
And your call for me to be modded down is futile.
More boorish statements. *YAWN* Listen, you asked that I be mod'ed down as a Troll so I requested you be mod'ed down as flamebait. My call is just as stupid as yours was.
This story is way off the front page.
So what? If you look back just a few short messages you'll see I was mod'ed Interesting. So someone must be reading.
You are only talking to me now. Not that I would have cared.
If you don't care then why bring it up in the first place? Because you really do care.
I've been at the karma cap since before the cap existed.
Ok - so what? On SlashDot, once you reach a certain point it is almost impossible to go back down unless: 1) You really try hard at it, or 2) One of the SlashDot people resets you back down. Otherwise, by the very nature of posting your karma increases. But that is another subject for another day.
I'm sorry I was so harsh on you, but you were just wrong.
That is your stance. But I beg to differ. I know I am not wrong and you can talk until you are blue in the face. It will make no difference. Perhaps you should re-read the original posting and take it as it was meant - an opinion/general statement and not cold hard facts.
Forwards:
I do not mind being wrong - when I am wrong. I
Opinions? Chaining together playstations... or any other form of parallel processing, is not going to break hashes like SHA-1. That's not an opinion. That's a fact. And that's the fact you had wrong. Also, you have an annoying habit of breaking apart thoughts in your replies so thoroughly that some of their meanings are lost. That is very annoying. But as for saying someone modded you as insightful--that is why I made my original response to your message. It "seemed" to make sense to at least one moderator. But it was wrong in fact, not in opinion. I did not want it to continue being modded up by moderators who don't understand the material because that lends credibility to an erroneous statement. The fact that my statement was later modded up and yours was modded down after my post was made is interesting. It is my opinion that this because my post was successful in drawing attention to the multiple factual errors in your post.
Chaining together playstations... or any other form of parallel processing, is not going to break hashes like SHA-1. That's not an opinion.
Ok, so the fact that they:
1. Used a super computer to test their algorithms on.
2. That because most super computers operate in parallel they were able to either break the problem up into multiple parts or were able to test against multiple situations at the same time.
3. The super computer they used is probably doing teraflops worth of computations on this problem whereas older computers can't even do a teraflop.
4. That, because of their tests they were able to circumvent the N! problem and came up with a solution which only entailed 2^69 steps on their super computer. (And we still do not know exactly how many substeps or iterations are required in their program to reach an unencrypted state. We only know it took them a certain number of steps in their program.)
So I don't get it. The article specifically stated that they were using a super computing facility to do their work. We also know that super computers nowadays are not one CPU but are multiple CPUs (like the recently talked about supercomputers purchased from IBM, HP, and even Apple Computer) strung together. That these CPUs work in parallel. They have a special OS and compilers which can break apart a program into individual chunks which are then fed to the multiple CPUs at the same time.
So given all of the above facts (items #1-4). And knowing (using common sense) that the breaking of SHA-1 would have been impossible on old, slower systems. You are still going to insist on saying they didn't use a super computer to break SHA-1? And knowing that all of today's super computers are really a large set of cpus stacked one against the other and that they run in parallel to process the given equations - you are still going to say it makes no difference?
If so, then please illuminate me with just how they went about breaking SHA-1. And please! Do not insult me by saying they did it by hand. Anyone who has had anything to do with encryption knows that you could not do this by hand. So tell me - how did they break SHA-1? And you better not try to tell me they used a computer after ranting and raving about how a computer can't help you solve this problem.
As for your post being modded up - I have not seen that. However, as you stated in your last post - we are fairly far down the ladder now and not many people will see anything we post to each other. Still, I do have two mod'ed messages. Both originally were mod'ed up and both are still positively mod'd. If, when you post something high on the list, I were to yell for people to mod you down and stated that your message was erroneous. Do you not think that some people might, as a knee-jerk reaction, just mod you down without really thinking for themselves as well?