PGP Moving To Stronger SHA Algorithms
PGP Corp. is moving to stronger SHA algorithms (SHA-256 and SHA-512) as a consequence of the research by the team at Shandong University in China that broke the SHA-1 algorithm. (See this earlier story for more information on the SHA-1 vulnerability.)
Would current customers have to buy PGP again? I see the problem as a bug, not an "old version" weakness.
No, they did indeed break it. An attack is now practical for a well funded adversary, where it wasn't before - practical attacks being known is the very definition of when a cryptographic algorithm is considered broken.
http://lists.gnupg.org/pipermail/gnupg-users/2005-February/024862.html
...atom
Atom Smasher atom at smasher.org
Wed Feb 16 21:56:25 CET 2005
Hash: SHA256
this should help put the (alleged until proven otherwise) SHA-1 break into
perspective. thanks to Sascha Kiefer for giving me the idea.
let's say that unbroken SHA-1 represents a 100 meter (328 ft) wall. if a
break allows a collision to be found in merely 2^69 operations (on
average), that would mean the wall has crumbled to 4.9 cm (1.9 in) tall.
that's broken!!
OTOH, let's say that unbroken MD5 represents a 100 meter (328 ft) wall.
comparing unbroken MD5 to broken SHA-1 means the wall would actually grow
from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall. SHA-1, even if
it's broken enough to find a collision in 2^69 operations (on average), is
still stronger than MD5 was ever meant to be.
again, using unbroken MD5 as our reference of a 100 meter (328 ft) wall,
unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was
intended to be incredibly stronger than MD5.
- --
Why not sign using two hashes? You'll need to find a chunk of data that generates two collisions with two different hashing algorithms. Let 'em chew on that one!
"It's too bad that stupidity isn't painful." - Anton LaVey
Okay, even if you can find a collision in, say, a day... Great. You can find a collision in a day. But how many collisions will you have to sort through before you find one that even resembles a will, especially one that, say, gives all your property to me?
Make me a friend and I'll mod you up
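The thread argues about two numbers without showing them: the birthday bound that makes an unbroken n-bit hash cost about 2^(n/2) work to collide (the 100 m wall above), and whether a collision search can be steered toward a document that "resembles a will". The following is an added example, not code from the thread or from PGP Corp.; it uses SHA-1 truncated to a few bits as a toy stand-in for a weak hash, and the two will texts are constructed here. The first function measures the birthday bound empirically; the second runs the classic two-document attack, in which every rendering of each will differs only in invisible whitespace, so the forger can present the benign one for signing and later substitute the malicious one.

```python
import hashlib
import itertools

# Constructed sample documents (not from the thread): the two texts say the
# opposite thing but share every word, so their renderings differ only in
# the whitespace between words.
BENIGN = ("I, Alice Example, being of sound mind, leave my entire estate "
          "to my children and nothing to Mallory.").split()
MALICIOUS = ("I, Alice Example, being of sound mind, leave my entire estate "
             "to Mallory and nothing to my children.").split()


def truncated_sha1(data: bytes, bits: int) -> int:
    """SHA-1 keeping only its leading `bits` bits: a toy stand-in for a hash
    whose collisions cost about 2**(bits/2) instead of SHA-1's nominal 2**80."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)


def collision_work(bits: int) -> int:
    """Hash 0, 1, 2, ... until a truncated digest repeats; return how many
    hashes that took.  The birthday bound predicts about 1.25 * 2**(bits/2)."""
    seen = set()
    for n in itertools.count():
        h = truncated_sha1(n.to_bytes(8, "big"), bits)
        if h in seen:
            return n + 1
        seen.add(h)


def renderings(words):
    """Yield the 2**(len(words)-1) byte strings obtained by putting one or two
    spaces in each gap between words.  They all read identically."""
    for gaps in itertools.product((" ", "  "), repeat=len(words) - 1):
        pieces = [words[0]]
        for sep, word in zip(gaps, words[1:]):
            pieces += [sep, word]
        yield "".join(pieces).encode()


def find_colliding_wills(benign, malicious, bits):
    """Two-document birthday attack: tabulate every rendering of the benign
    will, then look for a rendering of the malicious will with the same
    truncated digest.  A signature over the first verifies on the second.
    Returns (benign_bytes, malicious_bytes), or None if no pair collides."""
    table = {truncated_sha1(doc, bits): doc for doc in renderings(benign)}
    for doc in renderings(malicious):
        match = table.get(truncated_sha1(doc, bits))
        if match is not None:
            return match, doc
    return None


if __name__ == "__main__":
    for bits in (16, 24, 32):
        print(f"{bits}-bit hash: 2**{bits} brute force, collision after "
              f"{collision_work(bits)} hashes")
    good, bad = find_colliding_wills(BENIGN, MALICIOUS, bits=28)
    print(repr(good.decode()))
    print(repr(bad.decode()))
    print("28-bit digests:", hex(truncated_sha1(good, 28)),
          hex(truncated_sha1(bad, 28)))
```

With 17 gaps per will there are 2^17 renderings on each side, so against a 28-bit digest the two-document search expects dozens of cross matches after about 2^18 hashes, where brute force would need 2^28. The same arithmetic is what turns 2^80 into the thread's 2^69 figure: the attacker does not have to sort through random collisions, because every candidate on both sides already reads as the will they want.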
Fighting the FUD....
I'd say -- what matters is that there has been a proven method to solve SHA-1 with less complexity than what should be possible. Who knows how "optimized" the current solution is, who knows if there are more efficient ways to solve it. The only thing we know now is that there is at least one method to reduce the complexity by orders of magnitude.
Why not use two hashes? It's exponentially harder to find a collision that fits for two hashes, isn't it?
-b0lt
got sig?
Bruce Schneier estimates that a SHA-1 collision-finding machine, built along the same lines as the old DES cracker, would cost $25M-$38M and could do the needed 2^69 calculations in 56 hours. distributed.net already completed a 2^64-operation challenge a few years ago, which along with Moore's law puts 2^69 ops into the realm of the possible.
Fighting the FUD, indeed.
The way you describe it makes it sound like they stumbled upon a collision.
This reminds me of the DRM debate of about a month ago here on Slashdot. I took the stance that DRM would be broken just like any of the other algorithms that anyone has come up with. I was told by one person that DRM could never be broken. Well, when SHA-0 came along they thought it could never be broken either. Then SHA-1, now SHA-256, and later it will be SHA-512. As someone else pointed out, it is just a matter of how much computing power you want to put behind your attempt to break an encryption.
But here's a scary thought for you: The new Playstation 3 is packed with at least three CELL CPUs and a maximum of eight. The PS3 is supposed to be an order of magnitude faster than any currently existing microcomputer. It is, therefore, a supercomputer in its own right. But that's not the scary part. The scary part is that the PS3 runs Linux, can be programmed just like a regular computer, and is stackable. At SIGGRAPH 2001 Sony displayed a box you could buy where you could stack up to ten PS2s and they would act like a networked supercomputer. They had a really neat display of a girl in a space station with the earth and stars outside of the window. One PS2 controlled the earth simulation and stars. One did the interior of the space station. One did the hair (so they could do individual hairs), one did the body (breathing, texture, etc...), one for facial expressions, and the rest did arms, hands, legs, feet, and some special effects (like the weightlessness). All of these functions can be done on one PS3.
Ok, so if you can buy a PS3 for an estimated cost of $350.00 USD, how many PS3s would it take to break SHA-512? DRM? Or any other encryption method? Remember that they are 64-bit computers also, so they can move the data around a lot faster. And - they may also be able to handle many GIGABYTES of memory (which means they will be able to break codes even faster).
We basically are building our own nightmare. We want the faster computers so we can do things faster but that means those who are destructive are also getting the same toys to play with to make our lives miserable.
Someone put a black hole in my pocket and now I'm broke.
having two different hashes doesn't add more security (at least not significantly more) than just doubling the hash length
Sure it does, because you're talking about two different algorithms. If a fatal flaw is found in one algorithm, you're still left with *something*, vs. being left with no pants.
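The claim two posts up that two different hashes add little over one hash of double the length rests on Joux's 2004 multicollision result for iterated (Merkle-Damgard) hashes, which the thread states but does not show. The following is an added example, not code from the thread, PGP or GnuPG: it builds two unrelated toy 20-bit iterated hashes H1 and H2 out of truncated SHA-1 (a construction chosen here for the demonstration) and finds a collision in H1||H2, a 40-bit output, for far fewer than the 2^20 compressions a 40-bit hash would be expected to need. It speaks only to collision cost; the reply's separate point about surviving a total break of one algorithm is a different argument.

```python
import hashlib
import itertools

STATE_BITS = 20     # toy output size of each hash; H1||H2 is 40 bits
BLOCK_BYTES = 4


def compress(tag: bytes, state: int, block: bytes) -> int:
    """Toy compression function: SHA-1 over (tag, state, block) truncated to
    STATE_BITS.  Different tags give the two unrelated hashes H1 and H2."""
    data = tag + state.to_bytes(4, "big") + block
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - STATE_BITS)


def iterated_hash(tag: bytes, blocks) -> int:
    """Merkle-Damgard chaining over a fixed number of blocks (padding omitted)."""
    state = 0
    for block in blocks:
        state = compress(tag, state, block)
    return state


def concatenated_hash(blocks) -> int:
    """H1(m) || H2(m).  A 40-bit output 'should' need about 2**20 work to collide."""
    return (iterated_hash(b"H1", blocks) << STATE_BITS) | iterated_hash(b"H2", blocks)


def joux_multicollision(tag: bytes, t: int):
    """Build 2**t distinct t-block messages that all share one H_tag value.
    At each step a birthday search from the current chaining state finds two
    blocks that collide (~2**(STATE_BITS/2) compressions); either may be used,
    and the chaining state is the same whichever one is chosen.
    Returns (list of (block, other_block) pairs, compressions used)."""
    state, pairs, work = 0, [], 0
    for _ in range(t):
        seen = {}
        for n in itertools.count():
            block = n.to_bytes(BLOCK_BYTES, "big")
            h = compress(tag, state, block)
            work += 1
            if h in seen:
                pairs.append((seen[h], block))
                state = h
                break
            seen[h] = block
    return pairs, work


def break_concatenation(t: int = 14):
    """Joux (2004): a 2**t multicollision on H1 costs about t*2**(n/2), and a
    birthday search for H2 among those 2**t messages costs about 2**(n/2)
    more, so H1||H2 falls for roughly (t+1)*2**(n/2) compressions, not 2**n.
    Returns (message, other_message, compressions used)."""
    pairs, work = joux_multicollision(b"H1", t)
    seen = {}
    for choice in itertools.product((0, 1), repeat=t):
        msg = [pair[c] for pair, c in zip(pairs, choice)]
        h2 = iterated_hash(b"H2", msg)
        work += t
        if h2 in seen:
            return seen[h2], msg, work
        seen[h2] = msg
    raise RuntimeError("no H2 collision among 2**t messages (increase t)")


if __name__ == "__main__":
    m1, m2, work = break_concatenation()
    assert m1 != m2 and concatenated_hash(m1) == concatenated_hash(m2)
    print(f"H1||H2 collision found with {work} compressions "
          f"(naive birthday bound for 40 bits: {2**STATE_BITS})")
    print(hex(concatenated_hash(m1)), hex(concatenated_hash(m2)))
```

With t = 14 the run uses a few tens of thousands of compressions against a naive bound of about a million, and the gap widens with the hash size: for two real 160-bit hashes the multicollision costs about 160 * 2^80, nowhere near the 2^160 a 320-bit digest suggests. The argument needs both hashes to be iterated, which every hash named in this thread is.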
To forestall the obvious question about GnuPG compatibility, GnuPG has had SHA-256, SHA-384, and SHA-512 since version 1.2.2 (2003-05-01), so it will interoperate nicely with the new PGP.
Incidentally, despite what the article implies, PGP has actually had SHA-256 support for a while now. It's not exposed in the GUI, but if you use GnuPG to generate a SHA-256 message, PGP can handle it.
In terms of what the SHA-1 "break" means, it is certainly time to start migrating to something stronger, but it is not time to panic and start revoking keys. Think of this as the MD5 situation in the late 1990s: a flaw was found, people migrated away, and when the serious MD5 crack was found last year, most people had already stopped using it.
The sky isn't falling. It's just a wake-up call to start moving to something better.