Slashdot Mirror

← Back to Stories (view on slashdot.org)

PGP Moving To Stronger SHA Algorithms

Posted by timothy on from the 511-upmanship dept.

PGP Corp. is moving to a stronger SHA Algorithm (SHA-256 and SHA-512) as consequence of the research conducted by the team at Shandong University in China who broke the SHA-1 algorithm. (See this earlier story for more information on the SHA-1 vulnerability.)

15 of 247 comments (clear)

  1. Come on... by debilo · · Score: 4, Informative

    ... who broke the SHA-1 algorithm.

    They did not break it. They just found a way to reduce the number of trials needed to find a collision.

    1. Re:Come on... by octaene · · Score: 4, Informative

      Finally, someone who has a clue! no parity is absolutely right. All they did was provide a hash that produces 1 collision as a proof that they have an algorithm that makes finding collisions easier. This doesn't mean we all need to rush out and change our public/private keys...

    2. Re:Come on... by menscher · · Score: 4, Informative
      All they did was provide a hash that produces 1 collision

      No, they didn't. No hash has been produced. Only a claim that they can do it in 2^69 operations. The collisions they gave were for SHA-0 and for a reduced-round version (58 rounds instead of 80) of SHA-1. Unless someone can extend the break (which is likely) then it's still quite secure.

    3. Re:Come on... by kiltedtaco · · Score: 4, Informative

      MD5 and SHA-1 are both iterated hashes. They work by take one block, hash it, then use the output from that round as the IV for hashing the next. This allows a curious sort of failure:

      The attack on MD5 worked independently from the initial state of the cipher, i.e., any arbitrary message could be prepended to the calculated collision, and the hashes would still collide. It doesn't matter what the text before the discovered collision block is. It could be anything (plus padding to make it to a multiple of the block length.)

      This makes the break a much more serious problem than simply finding two completely random messages that happen to have the same hash. It's only a guess at the moment, but I assume the SHA-1 attack will work the same way. The brief findings mentioned using the same sort of attack, hopefully the results will be similar.

      (Side note 1: The term used by every cryptographer i've ever encountered is "break". Feel free to use what you want, but don't claim that "break" is for some reason incorrect. If you want to argue about it, see my prior post on "Stealing" vs. "Copyright Infringement.")

      (Side note 2: Even if one was going to brute force SHA-1, you would still get the same failure mode as described. When trying all the possible hashes, you would simply use the output of SHA1 of the nefarious file as the IV in the brute-force attack. Iterated hashes, in my very uneducated opinion, are on their way out. What they will be replaced with, however, I have no idea. )

    4. Re:Come on... by uhoreg · · Score: 3, Informative

      All hash algorithms are vulnerable to this if you don't use a salt (or too small of a salt). UNIX-like OSes have been using salt for a very long time (if not forever). See, for example, the crypt(3) man page. If you use a large enough salt, precomputed hash databases are pretty much useless.

      --

      To get something done, a committee should consist of no more than three persons, two of them absent.

  2. Re:i'm no crypto expert... by Shazow · · Score: 3, Informative

    Technically, that would simply double the number of operations required to perform the decryption, which does not effectively raise its complexity..

    ie. say it takes n time to crack a hash, then cracking a hash of a hash would take 2n...
    O(2n) is still O(n)

    Of course that's assuming they aren't doing it by "eye" and they have some sort of solid algorithm to do it.

    - shazow

  3. I don't think they've officially decided to change by papercut2a · · Score: 4, Informative

    There's a discussion about this very subject going on on the IMC's discussion list for OpenPGP. From reading the posts, particularly the ones by PGP's Jon Callas, I don't think that PGP has officially decided to implement this change just yet. (On the list, the thread titled "SHA-1 broken" is the one you will want to follow.)

    But then, I could have missed something.

  4. Re:What about GPG? by papercut2a · · Score: 5, Informative

    IIRC, GPG already allows SHA-256 and SHA-512, but doesn't default to them.

  5. Re:Not a solution by CajunArson · · Score: 4, Informative

    I do see your point, but remember that you could argue the RSA is useless because if I did it over a 32 bit address space it's easy to prime-factorize any number and therefore increasing it to a 2048 bit space is "just avoiding the problem". As CPU power increases it becomes more economical to move to more complex hash/ecryption schemes over larger address spaces. And there's even good news: it's a hell of a lot cheaper for me to move my PC to a new SHA system than it will be to crack it, even with the algorithm issues.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  6. Re:Not a solution by Eravnrekaree · · Score: 3, Informative

    It seems like the way to fix the problem (make the encrypted data difficult enough to decode using brute force methods) is to move up to stronger algorithms. This happens continuously, it doesnt mean that the old alogorithm was initially flawed, but rather it has become obsolete due to increasing computing power. As computing power increases, this means it takes less time to decode an algorithm using a trail and error brute force process.

    The user should be able to choose from several algorithms depending on their needs, their are tradeoffs for each. A stronger one will require more computing power but will be more difficult to decode using a brute force attack, and will tend to last longer agianst increasing processing power of computers. A weaker one will be much faster but also it is more trivial to decode it with a brute force attack, and as computing power increases it will become more trivial to decode via an attack. Thus there is a constant interaction between CPU speed and algorithms, as faster CPUs arise, this means stronger algorithms are needed as the older ones which were too impractical to easily attack on older CPUs have become trivial to decode on newer CPUs. However, since the CPUs have since become faster, it also means that it takes less time to encrypt the data in any particular algorithm, so while stronger algorithms are needed due to increasing CPU power, those algorithms also become more practical due to increasing CPU power.

  7. Re:Why not move sooner? by Anonymous Coward · · Score: 3, Informative

    Is there a reason to wait until someone breaks the existing algorithm before moving to a stronger one?
    It seems to me that if you start working on implementing the stronger ones BEFORE your existing one is broken?

    Because of the chance that someone might find a weakness in the supposedly stronger one before a weakness is found in the supposedly weaker one.

    Since you don't know which algorithm is going to be broken first, you pick one based on other advantages, like wider availability and more efficient calculation.

    And, BTW, SHA-1 is not cracked wide open yet; it just looks worryingly like a usable flaw will be found in the very near future. Therefore, people are moving away from it. An ounce of prevention... exactly like you said.

  8. Re:What about GPG? by papercut2a · · Score: 5, Informative

    Just to confirm, GPG 1.4 DOES support the more-bits versions of SHA. Run GPG with the --version parameter to get something like this for your copy:

    Supported algorithms:
    Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
    Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
  9. Re:Not a solution by Dolda2000 · · Score: 4, Informative
    It's the same solution that's been used with RSA for ages. When 512-bit keys were broken, 1024-bit keys were recommended. Now when they're almost broken, 2048-bit keys are recommended. I hear that some are already recommending 4096-bit keys.

    There's no fool-proof "solution" to this problem. The key (no pun intended) is to keep a high enough ratio between hash length (or key length) and the kind of processing power that potential crackers (including the NSA) can be thought to have access to.

    Thus, as the processing power of the world increases, so do we increase the hash/key lengths. There's nothing strange about that, if you ask me -- especially considering how the required processing power increases exponentially with the hash/key length in use.

  10. Re:Not a solution by Anonymous Coward · · Score: 5, Informative
    As it turns out PGP (well, GPG) already has support for RIPEMD160 built in to it. To use this:
    gpg --clearsign --digest-algo RIPEMD160 foo.txt

    gpg -b --armor --digest-algo RIPEMD160 foo.tar.gz

    (First one: Clear signuatre; second one: detached signature)
  11. Re:Not a solution by Dolda2000 · · Score: 3, Informative
    I've already replied to a similar question.

    In short, having two different hashes doesn't add more security (at least not significantly more) than just doubling the hash length.