Slashdot Mirror

← Back to Stories (view on slashdot.org)

New, Faster Attack against SHA-1 Revealed

Posted by CowboyNeal on from the not-so-safe-anymore dept.

VxSote writes "According to Bruce Schneier's blog, a team of Chinese cryptographers has announced new results against SHA-1 that speed up the time required to find collisions compared to their previously published attack. Schneier says that a SHA-1 collision search is now 'squarely in the realm of feasibility,' and that further improvements are expected."

43 of 298 comments (clear)

  1. Is that the attack... by RevDobbs · · Score: 5, Funny

    Is that the same attack the chinese exchange student used in Lineage II?

    1. Re:Is that the attack... by isorox · · Score: 3, Funny

      They sped up time? Impressive!

      Not really. They moved, which meant that, relative to them, they sped up time for the rest of us!

    2. Re:Is that the attack... by Dwonis · · Score: 4, Funny
      Let's see if they're the same attack, by comparing the two files that Schneier has linked to in the last few weeks:

      $ sha1sum wang_sha1_v2.pdf sha1-crypto-auth-new-2-yao.pdf
      f4489045822c1940a3 71c87d7d54cfca5fedd6f7 wang_sha1_v2.pdf
      f4489045822c1940a3 71c87d7d54cfca5fedd6f7 sha1-crypto-auth-new-2-yao.pdf

      So it's the same attack.

      Oh, wait...

  2. The world is collapsing around me! by frinkacheese · · Score: 5, Funny

    Next there will be massive ASIC machines crunching your PGP ciphertext and nobody will be able to proove anything until Lt Cmdr Data comes up with another Fractal Encryption algorythm that even the Borg cannot break.

  3. oh God bless them, those kooky spookies by peculiarmethod · · Score: 4, Funny

    I repeat the saying I've heard comes from inside the NSA: "Attacks always get better; they never get worse."

    And THAT kind of forward thinking, gentlemen, is why we're number one over here in the good ol' U.S. of A. So glad we spend money in all the right places.

    --
    ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
    1. Re:oh God bless them, those kooky spookies by Anonymous Coward · · Score: 5, Informative

      The NSA doesn't release its finding about new attacks against encryption algos. They use the info to crack and keep secure. Promote AES as a standard, and have a decades worth of research about useful attacks against AES that no-one knows about but the NSA.

      Like public-key encryption. People in Britain discovered it first, but kept the research secret.

    2. Re:oh God bless them, those kooky spookies by Sephiriz · · Score: 3, Insightful

      Right, because every other nation freely gives away any edge it has in the world. Its like saying the U.S. was a spoiled brat because it didn't make public the information on how to construct a nuclear bomb.

      Secrecy DOES give an advantage, and ALL countries employ it and benefit from its advantages. I don't know where you come from, but if this isn't the case in your country, then perhaps they're just incapable of keeping secrets or not innovative enough to have any worth keeping.

    3. Re:oh God bless them, those kooky spookies by JonXP · · Score: 3, Informative

      The NSA already said that people should stop using SHA-1 in favor of other methods. It can be assumed they already knew about attacks.

      --
      Still IMing in the stone age?
    4. Re:oh God bless them, those kooky spookies by p2sam · · Score: 3, Interesting

      not quite.

      They fixed SHA up cuz they knew of a flaw, but didn't explain what the fix does.

      For DES, they were ... ahem... they realize that DES was DAMNED good. And allegedly they knew of 2 theoretical attacks 20 years before the civilian academics.

      But their interference in DES is to restrict DES DOWN to a 56-bit keyspace, cuz they knew that DES was TOO good. :)

      Almost anyone with a million bucks can search through 56-bit key space nowadays. As far as I know, there currently does not exist a DES attack that is more efficient (cheaper) than exhaustive search. Not bad for a 20 year old algorithm, huh? That's SECURITY!!

      It is commonly believe in the crypto community the weakest point of attack for DES is its small key space.

      Now imagine how many more years of service we could had squeezed out of DES, if the keyspace was set to 128?

  4. Big deal by That's+Unpossible! · · Score: 5, Funny

    All they did was look for a near-collision
    differential path which has low Hamming weight in the "disturbance vector" where each 1-bit represents a 6-step local collision. Then they simply adjusted the differential path in the first round to another possible differential path so as to avoid impossible consecutive local collisions and truncated local collisions. Then obviously the final step taken was to transform two one-block near-collision differential paths into a twoblock
    collision differential path with twice the search complexity.

    Duh...

    --
    Ironically, the word ironically is often used incorrectly.
    1. Re:Big deal by Jeff+DeMaagd · · Score: 3, Funny

      Yeah. It would have only been hard if they also had to deal with invariant -manifolds.

    2. Re:Big deal by gardyloo · · Score: 4, Funny

      You forgot to add a link to where he describes this process and how he derrived it. A fascinating read, really.

      Not Found
      The requested URL /blog/archives/2005/08/new_cryptanalyt_details.htm l was not found on this server.

          Oh, yes, I've just wet my pants with excitement.

    3. Re:Big deal by gardyloo · · Score: 5, Funny

      Invariant manifolds? You were lucky! We dreamed of invariant manifolds. We had to make do with symplectic diffeomorphisms of the torus, what with its four fixed points, you know, assuming that the eigenvalues of the Jacobi matrix are not equal to minus unity at any point... and we liked it.

  5. Now can we panic? by John.P.Jones · · Score: 4, Funny
    Alas poor SHA-1, I knew him...

    Okay so we still have SHA-256 and SHA-512 but can we really feel good about them?

    Wanted: One reliable hash...

    1. Re:Now can we panic? by MightyMartian · · Score: 4, Funny

      Commit everything to memory, keep a cyanide pill close by and hope like hell that that crazy guy with the tinfoil hat is wrong.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  6. Two questions... by meditation_dude · · Score: 3, Interesting

    One is, is this really relevant when most terrorist threats these days are so low tech? Two, does anyone know what kind of funding the NSA gets these days? I remember a news report a couple years back that said they were deeply out of date with hardware and so forth.

    1. Re:Two questions... by Anonymous Coward · · Score: 5, Insightful

      I think that the greatest threat in this case is not terrorists but the institutions such as government and security forces. Terrorists have a great interest in keeping their own transmissions secure but little interest in the communications of others.

      Their tagets are soft, security is fairly low and information can be obtained using people on the street.

      Counterintelligence is a game played by large beauracracies who are at peace at the moment but would really like not to be. It involves the use of large ammounts of resources for the main purpose of maintaining the status quo. Terrorists are not interested in the status quo, they want things to change.

  7. Re:i'll never understand why... by JanneM · · Score: 3, Insightful

    How would you know what you need to improve without knowing the weaknesses of current algorithms?

    --
    Trust the Computer. The Computer is your friend.
  8. Re:i'll never understand why... by leonmergen · · Score: 3, Insightful

    Someone can only improve when he understands his own mistakes...

    --
    - Leon Mergen
    http://www.solatis.com
  9. Re:i'll never understand why... by FLAGGR · · Score: 3, Insightful

    Why create stronger algorithms if no one is going to break them? I'd rather the NSA found the exploits and told the right people, or the world, then somebody with bad intent.

  10. Few Details? No report? No paper? by hoka · · Score: 4, Insightful

    I mean, I'm sure that these guys are the real thing, judging by their past experience breaking SHA-1 and how much notoriety they have. But they have been inconsistent with presenting information. It would be nice to see something thats really solid with information rather than what looks at best like a bit of speculation. Last I checked information on their last attack (2^69) was still pretty thin and I suppose its time to move on to SHA-256 anyways.

  11. Re:i'll never understand why... by Chabil+Ha' · · Score: 3, Insightful

    Of course it's important to find fault in 'secure' computing. If the white hats don't uncover it first, someone with malicious intent will discover it to their benefit.

    As to your comment about spending time to develope a better algorithm, how do you know it's secure, if you don't try to break it???

    --
    We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
  12. Re:i'll never understand why... by WhipItGood · · Score: 3, Insightful
    If a white hat doesn't, a black hat will. I'd rather find out from someone who'll share the vulnerability rather than exploit it.

    When these algorithms are created, they often represent a time tradeoff, the time to hash/encrypt versus the time to compare the hash/decrypt. These guys are just sharing with the world its time to move on to another algorithm. Although I agree it would be nice to find an algorithm that is guaranteed never to be weak!

  13. Security by bredk · · Score: 5, Funny

    I've just changed away from using SHA-1. Double ROT13 seems most appealing these days. ;)

    --
    http://slashdot.su/
    1. Re:Security by CRCulver · · Score: 5, Funny

      SHA-1 isn't a cipher, it's a hash algorithm. Therefore, it has nothing to do with encryption (like ROT13), but with authentication. Sorry to ruin your little joke, which has become a tired amusement lamely presented in every new Slashdot story on cryptography.

    2. Re:Security by cpeikert · · Score: 5, Funny

      Wait a minute, you don't sound sorry at all!

    3. Re:Security by melandy · · Score: 3, Informative

      Ok, bear with me for a moment...

      In this example for simplicity's sake, I'm going to use a ficticious function to shorten the output. The same logic will apply to any hashing function that gives output of a specific length.

      Let's give this function a name, so that people don't assume I'm using SHA-1, and flame me for it. Let's call the function "melandy_hash", and say that for whatever input it receives, it gives a 6 digit hex number for the output (yes, I know that this is ridiculously short, but this is a simplified example).

      For the input "This is my input string", you might receive the output 82a78b. For the input "This is another input string", you might receive the output 1721ca. Note that although the values for the output are different, the length is the same, because we specified that the output would be a 6 digit hex number.

      To expand this further, and to get directly to the point of your question... say we have a list of strings that we want to hash:

      "This is my input string"
      "This is another input string"
      "And another one"
      "And yet another one"
      "X"

      These five strings collectively are the "set" of inputs. When we compute the hashes of these strings using melandy_hash, we get the following output:

      82a78b
      1721ca
      82a78b
      1b82ac
      97f25b

      The above list of hex values is then the "set" of output.

      Note that the strings "This is my input string" and "And another one" both have the same hash value. This is known as a collision. As a result, there are really only 4 unique values in out set of output. This means that the set of inputs (with 5 unique elements) is larger than the set of outputs (with 4 unique elements).

      Where you may have been confused before is that the output for the string "X" is 97f25b, and for this particular element, the output is larger than the input. The original point that was made was that the number of unique elements in the input set is larger than the number of unique elements in the output set.

      Make sense now?

  14. Re:It's an insurmountable problem. by Krach42 · · Score: 4, Insightful

    Well, the method for "DNA-printing" a file would have to allow for the complete recreation of the file from the DNA-printing.

    This has been actually done for a long time, it's called "file compression".

    --

    I am unamerican, and proud of it!
  15. Crypto is an evolutionary process by Crixus · · Score: 3, Interesting

    Things like this are inevitable. Crypto is an evolving science, and this kind of thing is healthy.

        I for one am very excited about the future of crypto.

    --
    Ignore Alien Orders
    1. Re:Crypto is an evolutionary process by Simon+Garlick · · Score: 3, Insightful

      What, healthy that groundbreaking research is being done outside of the USA while the researchers are unable to even enter the country to talk about it?

      --

      -----
      PGP Key ID 0xCB8FF658
  16. RFC4109 by fwr · · Score: 4, Interesting

    I wonder how this will effect RFC 4109 in that it depreciates MD5 in favor of SHA1. Does this mean that SHA1, at 2^63 is less secure than MD5 at a brute-force 2^64? I'm not a crypto expert or anything, just asking the question; will this effect the proposed standard for the HASH algorithm used in IPsec?

    1. Re:RFC4109 by SquadBoy · · Score: 4, Insightful

      It does have implications for IPsec but the main question you are starting from the wrong place. The first question you should be asking youself is "Who is my enemy?". For the sake of this discussion let's assume the worst and go with the NSA.

      The next thing you should be asking yourself is "What am I protecting?" Since we are assuming that the NSA is your enemy let's go ahead and say that you want to blow up rather large and expensive things that the USian .gov would really rather you not blow up.

      And the last factor is "How long do I want to keep this secret?"

      For the sake of argument let's assume that the NSA can do twice as well as any known attack. Given all of that if the answer to the last question is "years" you have something to worry about. If it is months you very likely have something to worry about. If it is "weeks", "days", or "hours" you are very likely safe.

      So yes at some point in the future if you have a long planning horizon it could matter.

      What this all means is that you want to pay attention to all of this but there is no need to panic. At this point SHA1 is still better than MD5 for most things. So use it, pay attention to it, and most of all you might want to evalute what traffic you are passing. I've *always* been against passing secrets over a IPSec tunnel with a lifetime of more than a few months. This is simply because, IMO, IPsec is too complex to ever be safe over a long planning horizon. I'm in pretty damn good company here.

      So pay attention and be ready to change when things change. And they *will* change. And I would not send anything that has a long lifetime over the wire.

      http://www.schneier.com/paper-ipsec.html

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    2. Re:RFC4109 by mre5565 · · Score: 4, Informative
      I wonder how this will effect RFC 4109 in that it depreciates MD5 in favor of SHA1. Does this mean that SHA1, at 2^63 is less secure than MD5 at a brute-force 2^64? I'm not a crypto expert or anything, just asking the question; will this effect the proposed standard for the HASH algorithm used in IPsec?
      First there are already attacks on MD5 that are less than O(2^64) which don't involve brute force.

      Second, RFC 4109 refers to the HMAC algorithms used for computing per packet integrity checksum that is resistant to tampering by a man in the middle. HMACs take as input both a known message and a shared secret (often, a session key for a symmetric key algorithm like DES, triple DES, AES, RC4, etc) and compute hash result ( MD5, or SHA1, or SHA-256, etc. ). In other words, part of the input to the hash algorithm is unknown. This makes it very difficult to find two messages, X and Y that compute the same HMAC. I.e. find X and Y such that HMAC(X, K) == HMAC(Y, K), where K is the shared secret. The attacks on MD5 and SHA-1 so far assume that there is no K, or if there is, it is known. And if the man in the middle knows K, he doesn't need to use these new cool attacks to tamper with messages; he's the man in the middle, he just tampers and re-computes the HMAC with far less computational overhead.

      I've see no indication in Schneir's blog entry that these attacks break HMACs.

      That said, it is surprising that SHA-256 wasn't added to the MUST list for RFC4109, given that when this RFC was published, it was known that SHA1 had be shown to be vulnerable to attacks of less than O(2^69). But then again, the RFC also mentions AES128 as MUST, but not AES256. Odd.

    3. Re:RFC4109 by greenrom · · Score: 3, Informative
      Actually, this finding doesn't directly impact IPsec. It just lets you find two texts that generate the same hash in 2^63 time. IPsec uses SHA to generate a HMAC. The idea is that you generate an SHA hash based on the data being sent and a secret key that doesn't get sent. Since both sides know the secret key, both sides are able to generate and verify the hashes. However, somebody intercepting packets will not know the secret key and will not be able to generate valid hashes or modify packets without being detected. In order to break this part of IPsec, you need to be able to do one of two things:

      1) Figure out what the secret key is based on the data and hashes being sent. If you could do this, you could generate your own HMAC and send your own data without being detected.

      2) Intercept the packet and find a way to change the data in a way that will still generate the same hash value. This would allow you to change packets without being detected.

      The vulnerability the researchers found doesn't help you accomplish either of these tasks, but it does show that SHA-1 has some weaknesses. Therefore, it's probably a good idea to start moving to a different hashing algorithm before somebody figures out a practical way to do #1 or #2. Also keep in mind that an HMAC exploit wouldn't help an attacker decrypt IPsec packets. To do this, a vulnerability would need to be found in either the encryption algorithm or the key exchange algorithm. In reality, a HMAC exploit by itself would only allow an attacker to send garbage data to the target address.

  17. Re:i'll never understand why... by Hack+Jandy · · Score: 4, Funny

    I'd rather the NSA found the exploits...

    The NSA did this six years ago. Just pick up any phone and ask them.

    HJ

  18. Re:Solution? by Krach42 · · Score: 3, Insightful

    This is no better than increasing the hash key size. In fact, it's worse than increasing the hash key by the same.

    If you take hash algo A at 32 bits, and algo B at 32 bits, but B is weaker than A, then hash collision calculation would be less than the complexity of A squared. (Since B is weaker than A)

    If instead you double the hash size of A to 64 bits, then your collision calculation would be the square of the complexity of A at 32.

    So, combining MD5 with SHA-1 could cause some problems, with both of them having weaknesses, neither is going to provide you much protection, even if you use them together.

    If you built a safe out of paper and cardboard. Sure such a safe would, yes, be better than one made of just paper, or just cardboard, but it's still not better than a safe built out of two cardboard sheets.

    Ideally, you don't want to build a safe out of either.

    --

    I am unamerican, and proud of it!
  19. Anonymous "team of Chinese cryptographers" by clap_hands · · Score: 5, Insightful
    Have you ever noticed how you never hear the names of these Chinese researchers...Professor Xiaoyun Wang and her colleagues (for SHA-1, Yiqun Lisa Yin and Hongbo Yu) have broken the greater share of the popular hash functions: MD4, MD5, SHA-0, SHA-1, RIPEMD...and the only name that gets mentioned is "Bruce Schneier reports that Chinese cryptographers...". Not to belittle Schneier, but what these anonymous "Chinese cryptographers" have achieved is exceedingly significant in the field of cryptography, and the least we can do is mention their names occasionally, right?

    Even if they are unpronouncable ;-)

    1. Re:Anonymous "team of Chinese cryptographers" by bigberk · · Score: 4, Insightful

      NO! They're merely Chinese. Foreigners are scary. USA is home to innovation and research. Dark people should be shot 5 times in the head. etc. The sarcasm is deliberate!

  20. Visa problems for the authors by clap_hands · · Score: 4, Informative

    Two of the Chinese researchers (Xiaoyun Wang and Hongbo Yu) were due to present their SHA results at the CRYPTO 2005 conference in the US, but were denied visas in time to attend. Adi Shamir (the A in RSA) ended up announcing this latest result on their behalf.
          http://cipher-text.blogspot.com/2005/08/visas-for- chinese-crypto-researchers.html

    1. Re:Visa problems for the authors by clap_hands · · Score: 4, Informative

      Oh, I must be tired: Shamir is, of course, the *S* in RSA. Crikey.

  21. SHA-1 is still good for a lot of applications by greenrom · · Score: 4, Interesting

    While this finding definitely shows a weakness in the SHA algorithm, it isn't a weakness that makes most applications that use SHA any more vulnerable. They found a way to generate two texts that produce the same hash using an algorithm with a time complexity of 2^63 instead of 2^80 as would be required for a brute force attack. However, being able to generate two texts that produce the same hash won't help you exploit most systems that rely on SHA. If someone finds a way to generate text that produces a SPECIFIED hash in 2^63 time, then there's reason to be concerned. However, since these findings show that SHA-1 has some weaknesses, it's probably time to start looking for a better hashing algorithm before a more serious vulnerability is found.

  22. Well that would assume a few things by Sycraft-fu · · Score: 4, Insightful

    #1) That the NSA has better cryptologists than everyone else. Remember AES was widely reviewed before becomming an accepted standard, and not just by US researchers. Top experts from all over the globe looked at it, an decided it was secure. So for the NSA to know a weakness, means that they have experts beyond all others combined.

    #2) They are very ballsy, and very certian that no one will find those exploits. The US government uses AES for secret and top secret data. It would be amazingly arrogant to know how to crack the crypto, and yet to still use it for the most secure documents.

    #3) They are willing to trust that the authors, two foriegners (Dr. Daemen and Dr. Rijmen are Belgian) were unaware of this exploit. Remember that if an exploit was found, it is always possible the authors knew, and intended that they'd be able to use it.

    It thus seems EXTREMELY unlikely that the NSA would know of a crack for AES and simply be sitting on it. It would put a great deal of incerdibly sensistive government data at risk, as well as US economic intrests.

    No, what seems far more likley is that the US government came to the realization that strong crypto is widely available outside the US, and thus is makes no sense to try and restrict it from the public as it would only serve to give other nations an advantage.

    So no, I don't believe AES is strong because the NSA is strong, though I respect their opinon to a great degree, I believe it's strong because the world cryptography community believes it is.

    To date there have been two proposed attacks. One is called the XSL attack. It's not an actual break, simply something that would in theory make it easier to brute force, but still well out of the realm of possibility. More, the math behind it is suspect, it may not even be workable at all. Then there was teh cache timing attack. It does work, but required a special SSL server that gave out as much timing information as possible, and 200 million known plaintext bytes. Nifty, but not practical in the real world.

  23. "Freeform" collision by Gadzinka · · Score: 4, Interesting

    What no one seems to mention is that their attack finds "freeform" collisions. I mean, they go and find two plaintexts with the same hash. I wouldn't worry about it until they find 2^63 attack against given plaintext/hash.

    You can read about the distinction in Birthday Paradox article on Wikipedia. In short, when the difficulty of finding collision against a given message is 2^n, the difficulty of finding any two colliding plaintexts is 2^(n/2).

    So, while they may have found 2^63 attack against SHA-1, it is still a "birthday attack", and to find collision against my message signed with sha-1 the attack would still be 2^126.

    Or did I miss something?

    Robert

    --
    Bastard Operator From 193.219.28.162