Slashdot Mirror


New, Faster Attack against SHA-1 Revealed

VxSote writes "According to Bruce Schneier's blog, a team of Chinese cryptographers has announced new results against SHA-1 that speed up the time required to find collisions compared to their previously published attack. Schneier says that a SHA-1 collision search is now 'squarely in the realm of feasibility,' and that further improvements are expected."

4 of 298 comments

  1. Re:oh God bless them, those kooky spookies by Anonymous Coward · · Score: 5, Informative

    The NSA doesn't release its findings about new attacks against encryption algos. They use the info to crack and keep secure. Promote AES as a standard, and have a decade's worth of research about useful attacks against AES that no one knows about but the NSA.

    Like public-key encryption. People in Britain discovered it first, but kept the research secret.

  2. Visa problems for the authors by clap_hands · · Score: 4, Informative

    Two of the Chinese researchers (Xiaoyun Wang and Hongbo Yu) were due to present their SHA results at the CRYPTO 2005 conference in the US, but were denied visas in time to attend. Adi Shamir (the A in RSA) ended up announcing this latest result on their behalf.
    http://cipher-text.blogspot.com/2005/08/visas-for-chinese-crypto-researchers.html

    1. Re:Visa problems for the authors by clap_hands · · Score: 4, Informative

      Oh, I must be tired: Shamir is, of course, the *S* in RSA. Crikey.

  3. Re:RFC4109 by mre5565 · · Score: 4, Informative

      I wonder how this will affect RFC 4109 in that it deprecates MD5 in favor of SHA1. Does this mean that SHA1, at 2^63, is less secure than MD5 at a brute-force 2^64? I'm not a crypto expert or anything, just asking the question; will this affect the proposed standard for the HASH algorithm used in IPsec?

    First, there are already attacks on MD5 that are less than O(2^64) which don't involve brute force.

    Second, RFC 4109 refers to the HMAC algorithms used for computing a per-packet integrity checksum that is resistant to tampering by a man in the middle. HMACs take as input both a known message and a shared secret (often a session key for a symmetric key algorithm like DES, triple DES, AES, RC4, etc.) and compute a hash result (MD5, SHA1, SHA-256, etc.). In other words, part of the input to the hash algorithm is unknown. This makes it very difficult to find two messages, X and Y, that compute the same HMAC, i.e. to find X and Y such that HMAC(X, K) == HMAC(Y, K), where K is the shared secret. The attacks on MD5 and SHA-1 so far assume that there is no K, or if there is, it is known. And if the man in the middle knows K, he doesn't need to use these new cool attacks to tamper with messages; he's the man in the middle, he just tampers and re-computes the HMAC with far less computational overhead.

    I've seen no indication in Schneier's blog entry that these attacks break HMACs.

    That said, it is surprising that SHA-256 wasn't added to the MUST list for RFC4109, given that when this RFC was published, it was known that SHA1 had been shown to be vulnerable to attacks of less than O(2^69). But then again, the RFC also mentions AES128 as MUST, but not AES256. Odd.
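The point made in the comment above, that an HMAC mixes a secret key K into the hash so a collision-finding attack on the bare hash does not by itself let a man in the middle forge a valid tag, can be seen directly with the standard library. The following is an added example, not code from the Slashdot thread or from RFC 4109; the session key and the packet contents are constructed sample values, and `mitm_without_key` / `mitm_with_key` are hypothetical helpers that model the two cases the comment contrasts (an attacker who lacks K must reuse the old tag and is caught; an attacker who holds K simply recomputes the tag). `generic_collision_bits` gives the birthday bound that the "2^63 vs 2^64" question is really comparing against: 2^64 is the generic collision cost for 128-bit MD5, while 2^80 is the generic cost for 160-bit SHA-1, so an attack at 2^63 is a large shortcut below SHA-1's bound.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample values: a fixed 20-byte session key and an ESP-like payload.
# A real IPsec peer derives K from the key exchange; it is never a constant.
SESSION_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
PACKET = b"ESP seq=42 src=10.0.0.1 dst=10.0.0.2 payload=transfer 100"


def mac_tag(key: bytes, message: bytes, alg: str = "sha1") -> bytes:
    """HMAC over the message under key K; alg names a hashlib digest (sha1, sha256, md5)."""
    return hmac.new(key, message, getattr(hashlib, alg)).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, alg: str = "sha1") -> bool:
    """Recompute the tag and compare in constant time so the verifier leaks no prefix match."""
    return hmac.compare_digest(mac_tag(key, message, alg), tag)


def mitm_without_key(message: bytes, tag: bytes) -> Tuple[bytes, bytes]:
    """Hypothetical attacker who sees the packet and tag but does not hold K.

    He can rewrite bytes in transit, but with K unknown the best he can do is
    replay the original tag alongside the altered message.
    """
    tampered = message.replace(b"transfer 100", b"transfer 900")
    return tampered, tag


def mitm_with_key(key: bytes, message: bytes, alg: str = "sha1") -> Tuple[bytes, bytes]:
    """Hypothetical attacker who already holds K: no hash attack is needed, he just re-MACs."""
    tampered = message.replace(b"transfer 100", b"transfer 900")
    return tampered, mac_tag(key, tampered, alg)


def generic_collision_bits(digest_bits: int) -> int:
    """Birthday bound: a generic collision on an n-bit hash costs about 2^(n/2) work."""
    return digest_bits // 2


def main() -> None:
    tag = mac_tag(SESSION_KEY, PACKET)
    print("legitimate packet verifies:", verify_tag(SESSION_KEY, PACKET, tag))

    msg, t = mitm_without_key(PACKET, tag)
    print("tampered without K verifies:", verify_tag(SESSION_KEY, msg, t))

    msg, t = mitm_with_key(SESSION_KEY, PACKET)
    print("tampered with K verifies:", verify_tag(SESSION_KEY, msg, t))

    for name, bits in (("MD5", 128), ("SHA-1", 160), ("SHA-256", 256)):
        print(f"{name}: generic collision ~2^{generic_collision_bits(bits)}")


if __name__ == "__main__":
    main()
```

Running it shows the legitimate packet verifying, the keyless modification being rejected, and the keyed modification passing, which is exactly why the comment argues that knowing K makes the collision attacks irrelevant to the man in the middle, and that without K the hash attacks alone do not give him a forged HMAC.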