Slashdot Mirror

← Back to Stories (view on slashdot.org)

PGP Moving To Stronger SHA Algorithms

Posted by timothy on from the 511-upmanship dept.

PGP Corp. is moving to a stronger SHA Algorithm (SHA-256 and SHA-512) as consequence of the research conducted by the team at Shandong University in China who broke the SHA-1 algorithm. (See this earlier story for more information on the SHA-1 vulnerability.)

23 of 247 comments (clear)

  1. Come on... by debilo · · Score: 4, Informative

    ... who broke the SHA-1 algorithm.

    They did not break it. They just found a way to reduce the number of trials needed to find a collision.

    1. Re:Come on... by octaene · · Score: 4, Informative

      Finally, someone who has a clue! no parity is absolutely right. All they did was provide a hash that produces 1 collision as a proof that they have an algorithm that makes finding collisions easier. This doesn't mean we all need to rush out and change our public/private keys...

    2. Re:Come on... by menscher · · Score: 4, Informative
      All they did was provide a hash that produces 1 collision

      No, they didn't. No hash has been produced. Only a claim that they can do it in 2^69 operations. The collisions they gave were for SHA-0 and for a reduced-round version (58 rounds instead of 80) of SHA-1. Unless someone can extend the break (which is likely) then it's still quite secure.

    3. Re:Come on... by kiltedtaco · · Score: 4, Informative

      MD5 and SHA-1 are both iterated hashes. They work by take one block, hash it, then use the output from that round as the IV for hashing the next. This allows a curious sort of failure:

      The attack on MD5 worked independently from the initial state of the cipher, i.e., any arbitrary message could be prepended to the calculated collision, and the hashes would still collide. It doesn't matter what the text before the discovered collision block is. It could be anything (plus padding to make it to a multiple of the block length.)

      This makes the break a much more serious problem than simply finding two completely random messages that happen to have the same hash. It's only a guess at the moment, but I assume the SHA-1 attack will work the same way. The brief findings mentioned using the same sort of attack, hopefully the results will be similar.

      (Side note 1: The term used by every cryptographer i've ever encountered is "break". Feel free to use what you want, but don't claim that "break" is for some reason incorrect. If you want to argue about it, see my prior post on "Stealing" vs. "Copyright Infringement.")

      (Side note 2: Even if one was going to brute force SHA-1, you would still get the same failure mode as described. When trying all the possible hashes, you would simply use the output of SHA1 of the nefarious file as the IV in the brute-force attack. Iterated hashes, in my very uneducated opinion, are on their way out. What they will be replaced with, however, I have no idea. )

    4. Re:Come on... by uhoreg · · Score: 3, Informative

      All hash algorithms are vulnerable to this if you don't use a salt (or too small of a salt). UNIX-like OSes have been using salt for a very long time (if not forever). See, for example, the crypt(3) man page. If you use a large enough salt, precomputed hash databases are pretty much useless.

      --

      To get something done, a committee should consist of no more than three persons, two of them absent.

    5. Re:Come on... by jallen02 · · Score: 2, Informative

      According to Bruce Schneier a machine can be built that can do it in 56 hours.

      Jeremy

    6. Re:Come on... by kiltedtaco · · Score: 2, Informative

      I re-read the paper, and realize there is more than one way to interpret a part of it. I'm looking, but until then don't trust what I just posted. I may be forced to mod myself -5 misread the fine paper.

  2. Re:i'm no crypto expert... by Shazow · · Score: 3, Informative

    Technically, that would simply double the number of operations required to perform the decryption, which does not effectively raise its complexity..

    ie. say it takes n time to crack a hash, then cracking a hash of a hash would take 2n...
    O(2n) is still O(n)

    Of course that's assuming they aren't doing it by "eye" and they have some sort of solid algorithm to do it.

    - shazow

  3. I don't think they've officially decided to change by papercut2a · · Score: 4, Informative

    There's a discussion about this very subject going on on the IMC's discussion list for OpenPGP. From reading the posts, particularly the ones by PGP's Jon Callas, I don't think that PGP has officially decided to implement this change just yet. (On the list, the thread titled "SHA-1 broken" is the one you will want to follow.)

    But then, I could have missed something.

  4. Re:What about GPG? by papercut2a · · Score: 5, Informative

    IIRC, GPG already allows SHA-256 and SHA-512, but doesn't default to them.

  5. Re:Not a solution by CajunArson · · Score: 4, Informative

    I do see your point, but remember that you could argue the RSA is useless because if I did it over a 32 bit address space it's easy to prime-factorize any number and therefore increasing it to a 2048 bit space is "just avoiding the problem". As CPU power increases it becomes more economical to move to more complex hash/ecryption schemes over larger address spaces. And there's even good news: it's a hell of a lot cheaper for me to move my PC to a new SHA system than it will be to crack it, even with the algorithm issues.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  6. Re:Not a solution by Eravnrekaree · · Score: 3, Informative

    It seems like the way to fix the problem (make the encrypted data difficult enough to decode using brute force methods) is to move up to stronger algorithms. This happens continuously, it doesnt mean that the old alogorithm was initially flawed, but rather it has become obsolete due to increasing computing power. As computing power increases, this means it takes less time to decode an algorithm using a trail and error brute force process.

    The user should be able to choose from several algorithms depending on their needs, their are tradeoffs for each. A stronger one will require more computing power but will be more difficult to decode using a brute force attack, and will tend to last longer agianst increasing processing power of computers. A weaker one will be much faster but also it is more trivial to decode it with a brute force attack, and as computing power increases it will become more trivial to decode via an attack. Thus there is a constant interaction between CPU speed and algorithms, as faster CPUs arise, this means stronger algorithms are needed as the older ones which were too impractical to easily attack on older CPUs have become trivial to decode on newer CPUs. However, since the CPUs have since become faster, it also means that it takes less time to encrypt the data in any particular algorithm, so while stronger algorithms are needed due to increasing CPU power, those algorithms also become more practical due to increasing CPU power.

  7. Re:Why not move sooner? by Anonymous Coward · · Score: 3, Informative

    Is there a reason to wait until someone breaks the existing algorithm before moving to a stronger one?
    It seems to me that if you start working on implementing the stronger ones BEFORE your existing one is broken?

    Because of the chance that someone might find a weakness in the supposedly stronger one before a weakness is found in the supposedly weaker one.

    Since you don't know which algorithm is going to be broken first, you pick one based on other advantages, like wider availability and more efficient calculation.

    And, BTW, SHA-1 is not cracked wide open yet; it just looks worryingly like a usable flaw will be found in the very near future. Therefore, people are moving away from it. An ounce of prevention... exactly like you said.

  8. Re:What about GPG? by papercut2a · · Score: 5, Informative

    Just to confirm, GPG 1.4 DOES support the more-bits versions of SHA. Run GPG with the --version parameter to get something like this for your copy:

    Supported algorithms:
    Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
    Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
  9. Re:Not a solution by Dolda2000 · · Score: 4, Informative
    It's the same solution that's been used with RSA for ages. When 512-bit keys were broken, 1024-bit keys were recommended. Now when they're almost broken, 2048-bit keys are recommended. I hear that some are already recommending 4096-bit keys.

    There's no fool-proof "solution" to this problem. The key (no pun intended) is to keep a high enough ratio between hash length (or key length) and the kind of processing power that potential crackers (including the NSA) can be thought to have access to.

    Thus, as the processing power of the world increases, so do we increase the hash/key lengths. There's nothing strange about that, if you ask me -- especially considering how the required processing power increases exponentially with the hash/key length in use.

  10. Re:Not a solution by Anonymous Coward · · Score: 5, Informative
    As it turns out PGP (well, GPG) already has support for RIPEMD160 built in to it. To use this:
    gpg --clearsign --digest-algo RIPEMD160 foo.txt

    gpg -b --armor --digest-algo RIPEMD160 foo.tar.gz

    (First one: Clear signuatre; second one: detached signature)
  11. Re:Not a solution by Dolda2000 · · Score: 3, Informative
    I've already replied to a similar question.

    In short, having two different hashes doesn't add more security (at least not significantly more) than just doubling the hash length.

  12. Re:This reminds me... by Lord+Ender · · Score: 2, Informative

    Moderators: please realize this guy is talking completely out of his ass. It is clear he has never studied cryptology, even just a little. Please make sure nobody reads this comment, because everyone who does will be made dumber as a result.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  13. Re:Not a solution by theLOUDroom · · Score: 2, Informative

    I do see your point, but remember that you could argue the RSA is useless because if I did it over a 32 bit address space it's easy to prime-factorize any number and therefore increasing it to a 2048 bit space is "just avoiding the problem".

    You are comparing apples to oranges.
    We're talking about a mathematical breakthrough, not the release of the newest processor.

    This problem isn't arising because we have faster processors, it's arising because someone has discovered a fundamental flaw in the algorithm. Sure you can take your chances and hope that this work won't beget more research which shows that SHA-1 can be comprimised even easier than we think now, but that would just make me think you weren't paying attention during the whole MD5 situation.

    First somebody finds a chink in the armor.

    The next person punches right through it.

    Maybe somebody won't be able to take this finding any further, but I think it definately hasn't been out there long enough to be able to say that yet. Worry that someone else will be able to take this reseach and the newfound insight into the algorithm that it provides to show that SHA-1 is even less ecure than we think now.

    --
    Life is too short to proofread.
  14. Re:Not a solution by vagabond_gr · · Score: 2, Informative

    Such use-whatever-you-can solutions can indeed make intruder's life harder, but cannot offer true security. Even using two algorithms concurrent collisions will exist (due to the infinite number of collisions for each algorithm). If someone can find collisions for each hash function, nothing can guarantee that he will not find one for both. The problem is that the algorithm's security foundations are shaken, so we can no longer trust it.

    It's like using two passwords instead of one. Of course it's better, but it can only slow down an attacker who knows how to break passwords.

  15. Re:This reminds me... by DeadMeat+(TM) · · Score: 2, Informative
    the PS3 runs Linux
    No, it doesn't.
    can be programmed just like a regular computer
    No, it can't.
    64bit computers [...] can move the data around a lot faster
    No, they can't.
  16. Clearing up some misconceptions by cpeikert · · Score: 2, Informative
    Some comments (that I have not seen emphasized much) about all this SHA-1 stuff:
    • The fact that there is a 2^{69}-time attack (versus a 2^{80} naive attack) on SHA-1 may only be the tip of the iceberg. Once the methods of attack are published and studied widely, other more efficient attacks may be found (historically, this is more likely than not). Saying "we're still safe; the attack is too slow and doesn't find a second preimage" is very naive.
    • Hash algorithms like SHA-1 are used for more than just digital signatures. They are often used to achieve certain strong properties (like chosen-ciphertext security) in some public-key encryption algorithms (like OAEP). So saying "this only affects signatures" is wrong -- we don't yet know what effect these attacks might have on the security of the many other cryptographic schemes and protocols that use hashing primitives.
  17. Re:This reminds me... by Audacious · · Score: 2, Informative

    Ok, I realize this is just flamebait but I have to say that this is just untrue. First you know absolutely nothing about me or my background. Second my statements are true.

    Let's look at the second one first:

    1. No matter how brainy you are, it requires a computer (now-a-days) to break any kind of cryptology which is in place.

    2. No matter how smart you may be, you won't be able to test your premise without the usage of a computer. Further, it is not so much hard core number crunching (as in testing each and every possible combination which would take millions or billions of years to do) as it is coming up with an algorithm which will work.

    3. In the case of DRM, we are using and following rules which we have devised to tell us how we can make use of Quantum particles to generate random numbers. As such, it is not impossible for someone to accidentally stumble upon or even develop on purpose an algorithm which will undo what was done. It is just a matter of when this will happen.

    Now let's look at the first one:

    1. I have never said I was a genius or even brilliant at cryptography.

    2. But I have studied the field since I have worked with DoD before in various ways.

    3. I have also let it be known that I do work at NASA without any degree at all. However, NASA does consider me to have several masters. Both in mathematics as well as computer science.

    Finally, you are entitled to your opinion and I probably could do with some more reading in the area of cryptology. Unfortunately, presently I'm helping NASA rebuild their CAD system of information about the Space Shuttle and do not have the time. Maybe later.

    Enjoy life.

    --
    Someone put a black hole in my pocket and now I'm broke. :-)