Slashdot Mirror

← Back to Stories (view on slashdot.org)

New, Faster Attack against SHA-1 Revealed

Posted by CowboyNeal on from the not-so-safe-anymore dept.

VxSote writes "According to Bruce Schneier's blog, a team of Chinese cryptographers has announced new results against SHA-1 that speed up the time required to find collisions compared to their previously published attack. Schneier says that a SHA-1 collision search is now 'squarely in the realm of feasibility,' and that further improvements are expected."

27 of 298 comments (clear)

  1. Is that the attack... by RevDobbs · · Score: 5, Funny

    Is that the same attack the chinese exchange student used in Lineage II?

    1. Re:Is that the attack... by Dwonis · · Score: 4, Funny
      Let's see if they're the same attack, by comparing the two files that Schneier has linked to in the last few weeks:

      $ sha1sum wang_sha1_v2.pdf sha1-crypto-auth-new-2-yao.pdf
      f4489045822c1940a3 71c87d7d54cfca5fedd6f7 wang_sha1_v2.pdf
      f4489045822c1940a3 71c87d7d54cfca5fedd6f7 sha1-crypto-auth-new-2-yao.pdf

      So it's the same attack.

      Oh, wait...

  2. The world is collapsing around me! by frinkacheese · · Score: 5, Funny

    Next there will be massive ASIC machines crunching your PGP ciphertext and nobody will be able to proove anything until Lt Cmdr Data comes up with another Fractal Encryption algorythm that even the Borg cannot break.

  3. oh God bless them, those kooky spookies by peculiarmethod · · Score: 4, Funny

    I repeat the saying I've heard comes from inside the NSA: "Attacks always get better; they never get worse."

    And THAT kind of forward thinking, gentlemen, is why we're number one over here in the good ol' U.S. of A. So glad we spend money in all the right places.

    --
    ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
    1. Re:oh God bless them, those kooky spookies by Anonymous Coward · · Score: 5, Informative

      The NSA doesn't release its finding about new attacks against encryption algos. They use the info to crack and keep secure. Promote AES as a standard, and have a decades worth of research about useful attacks against AES that no-one knows about but the NSA.

      Like public-key encryption. People in Britain discovered it first, but kept the research secret.

  4. Big deal by That's+Unpossible! · · Score: 5, Funny

    All they did was look for a near-collision
    differential path which has low Hamming weight in the "disturbance vector" where each 1-bit represents a 6-step local collision. Then they simply adjusted the differential path in the first round to another possible differential path so as to avoid impossible consecutive local collisions and truncated local collisions. Then obviously the final step taken was to transform two one-block near-collision differential paths into a twoblock
    collision differential path with twice the search complexity.

    Duh...

    --
    Ironically, the word ironically is often used incorrectly.
    1. Re:Big deal by gardyloo · · Score: 4, Funny

      You forgot to add a link to where he describes this process and how he derrived it. A fascinating read, really.

      Not Found
      The requested URL /blog/archives/2005/08/new_cryptanalyt_details.htm l was not found on this server.

          Oh, yes, I've just wet my pants with excitement.

    2. Re:Big deal by gardyloo · · Score: 5, Funny

      Invariant manifolds? You were lucky! We dreamed of invariant manifolds. We had to make do with symplectic diffeomorphisms of the torus, what with its four fixed points, you know, assuming that the eigenvalues of the Jacobi matrix are not equal to minus unity at any point... and we liked it.

  5. Now can we panic? by John.P.Jones · · Score: 4, Funny
    Alas poor SHA-1, I knew him...

    Okay so we still have SHA-256 and SHA-512 but can we really feel good about them?

    Wanted: One reliable hash...

    1. Re:Now can we panic? by MightyMartian · · Score: 4, Funny

      Commit everything to memory, keep a cyanide pill close by and hope like hell that that crazy guy with the tinfoil hat is wrong.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  6. Few Details? No report? No paper? by hoka · · Score: 4, Insightful

    I mean, I'm sure that these guys are the real thing, judging by their past experience breaking SHA-1 and how much notoriety they have. But they have been inconsistent with presenting information. It would be nice to see something thats really solid with information rather than what looks at best like a bit of speculation. Last I checked information on their last attack (2^69) was still pretty thin and I suppose its time to move on to SHA-256 anyways.

  7. Security by bredk · · Score: 5, Funny

    I've just changed away from using SHA-1. Double ROT13 seems most appealing these days. ;)

    --
    http://slashdot.su/
    1. Re:Security by CRCulver · · Score: 5, Funny

      SHA-1 isn't a cipher, it's a hash algorithm. Therefore, it has nothing to do with encryption (like ROT13), but with authentication. Sorry to ruin your little joke, which has become a tired amusement lamely presented in every new Slashdot story on cryptography.

    2. Re:Security by cpeikert · · Score: 5, Funny

      Wait a minute, you don't sound sorry at all!

  8. Re:It's an insurmountable problem. by Krach42 · · Score: 4, Insightful

    Well, the method for "DNA-printing" a file would have to allow for the complete recreation of the file from the DNA-printing.

    This has been actually done for a long time, it's called "file compression".

    --

    I am unamerican, and proud of it!
  9. Re:Two questions... by Anonymous Coward · · Score: 5, Insightful

    I think that the greatest threat in this case is not terrorists but the institutions such as government and security forces. Terrorists have a great interest in keeping their own transmissions secure but little interest in the communications of others.

    Their tagets are soft, security is fairly low and information can be obtained using people on the street.

    Counterintelligence is a game played by large beauracracies who are at peace at the moment but would really like not to be. It involves the use of large ammounts of resources for the main purpose of maintaining the status quo. Terrorists are not interested in the status quo, they want things to change.

  10. RFC4109 by fwr · · Score: 4, Interesting

    I wonder how this will effect RFC 4109 in that it depreciates MD5 in favor of SHA1. Does this mean that SHA1, at 2^63 is less secure than MD5 at a brute-force 2^64? I'm not a crypto expert or anything, just asking the question; will this effect the proposed standard for the HASH algorithm used in IPsec?

    1. Re:RFC4109 by SquadBoy · · Score: 4, Insightful

      It does have implications for IPsec but the main question you are starting from the wrong place. The first question you should be asking youself is "Who is my enemy?". For the sake of this discussion let's assume the worst and go with the NSA.

      The next thing you should be asking yourself is "What am I protecting?" Since we are assuming that the NSA is your enemy let's go ahead and say that you want to blow up rather large and expensive things that the USian .gov would really rather you not blow up.

      And the last factor is "How long do I want to keep this secret?"

      For the sake of argument let's assume that the NSA can do twice as well as any known attack. Given all of that if the answer to the last question is "years" you have something to worry about. If it is months you very likely have something to worry about. If it is "weeks", "days", or "hours" you are very likely safe.

      So yes at some point in the future if you have a long planning horizon it could matter.

      What this all means is that you want to pay attention to all of this but there is no need to panic. At this point SHA1 is still better than MD5 for most things. So use it, pay attention to it, and most of all you might want to evalute what traffic you are passing. I've *always* been against passing secrets over a IPSec tunnel with a lifetime of more than a few months. This is simply because, IMO, IPsec is too complex to ever be safe over a long planning horizon. I'm in pretty damn good company here.

      So pay attention and be ready to change when things change. And they *will* change. And I would not send anything that has a long lifetime over the wire.

      http://www.schneier.com/paper-ipsec.html

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    2. Re:RFC4109 by mre5565 · · Score: 4, Informative
      I wonder how this will effect RFC 4109 in that it depreciates MD5 in favor of SHA1. Does this mean that SHA1, at 2^63 is less secure than MD5 at a brute-force 2^64? I'm not a crypto expert or anything, just asking the question; will this effect the proposed standard for the HASH algorithm used in IPsec?
      First there are already attacks on MD5 that are less than O(2^64) which don't involve brute force.

      Second, RFC 4109 refers to the HMAC algorithms used for computing per packet integrity checksum that is resistant to tampering by a man in the middle. HMACs take as input both a known message and a shared secret (often, a session key for a symmetric key algorithm like DES, triple DES, AES, RC4, etc) and compute hash result ( MD5, or SHA1, or SHA-256, etc. ). In other words, part of the input to the hash algorithm is unknown. This makes it very difficult to find two messages, X and Y that compute the same HMAC. I.e. find X and Y such that HMAC(X, K) == HMAC(Y, K), where K is the shared secret. The attacks on MD5 and SHA-1 so far assume that there is no K, or if there is, it is known. And if the man in the middle knows K, he doesn't need to use these new cool attacks to tamper with messages; he's the man in the middle, he just tampers and re-computes the HMAC with far less computational overhead.

      I've see no indication in Schneir's blog entry that these attacks break HMACs.

      That said, it is surprising that SHA-256 wasn't added to the MUST list for RFC4109, given that when this RFC was published, it was known that SHA1 had be shown to be vulnerable to attacks of less than O(2^69). But then again, the RFC also mentions AES128 as MUST, but not AES256. Odd.

  11. Re:i'll never understand why... by Hack+Jandy · · Score: 4, Funny

    I'd rather the NSA found the exploits...

    The NSA did this six years ago. Just pick up any phone and ask them.

    HJ

  12. Anonymous "team of Chinese cryptographers" by clap_hands · · Score: 5, Insightful
    Have you ever noticed how you never hear the names of these Chinese researchers...Professor Xiaoyun Wang and her colleagues (for SHA-1, Yiqun Lisa Yin and Hongbo Yu) have broken the greater share of the popular hash functions: MD4, MD5, SHA-0, SHA-1, RIPEMD...and the only name that gets mentioned is "Bruce Schneier reports that Chinese cryptographers...". Not to belittle Schneier, but what these anonymous "Chinese cryptographers" have achieved is exceedingly significant in the field of cryptography, and the least we can do is mention their names occasionally, right?

    Even if they are unpronouncable ;-)

    1. Re:Anonymous "team of Chinese cryptographers" by bigberk · · Score: 4, Insightful

      NO! They're merely Chinese. Foreigners are scary. USA is home to innovation and research. Dark people should be shot 5 times in the head. etc. The sarcasm is deliberate!

  13. Visa problems for the authors by clap_hands · · Score: 4, Informative

    Two of the Chinese researchers (Xiaoyun Wang and Hongbo Yu) were due to present their SHA results at the CRYPTO 2005 conference in the US, but were denied visas in time to attend. Adi Shamir (the A in RSA) ended up announcing this latest result on their behalf.
          http://cipher-text.blogspot.com/2005/08/visas-for- chinese-crypto-researchers.html

    1. Re:Visa problems for the authors by clap_hands · · Score: 4, Informative

      Oh, I must be tired: Shamir is, of course, the *S* in RSA. Crikey.

  14. SHA-1 is still good for a lot of applications by greenrom · · Score: 4, Interesting

    While this finding definitely shows a weakness in the SHA algorithm, it isn't a weakness that makes most applications that use SHA any more vulnerable. They found a way to generate two texts that produce the same hash using an algorithm with a time complexity of 2^63 instead of 2^80 as would be required for a brute force attack. However, being able to generate two texts that produce the same hash won't help you exploit most systems that rely on SHA. If someone finds a way to generate text that produces a SPECIFIED hash in 2^63 time, then there's reason to be concerned. However, since these findings show that SHA-1 has some weaknesses, it's probably time to start looking for a better hashing algorithm before a more serious vulnerability is found.

  15. Well that would assume a few things by Sycraft-fu · · Score: 4, Insightful

    #1) That the NSA has better cryptologists than everyone else. Remember AES was widely reviewed before becomming an accepted standard, and not just by US researchers. Top experts from all over the globe looked at it, an decided it was secure. So for the NSA to know a weakness, means that they have experts beyond all others combined.

    #2) They are very ballsy, and very certian that no one will find those exploits. The US government uses AES for secret and top secret data. It would be amazingly arrogant to know how to crack the crypto, and yet to still use it for the most secure documents.

    #3) They are willing to trust that the authors, two foriegners (Dr. Daemen and Dr. Rijmen are Belgian) were unaware of this exploit. Remember that if an exploit was found, it is always possible the authors knew, and intended that they'd be able to use it.

    It thus seems EXTREMELY unlikely that the NSA would know of a crack for AES and simply be sitting on it. It would put a great deal of incerdibly sensistive government data at risk, as well as US economic intrests.

    No, what seems far more likley is that the US government came to the realization that strong crypto is widely available outside the US, and thus is makes no sense to try and restrict it from the public as it would only serve to give other nations an advantage.

    So no, I don't believe AES is strong because the NSA is strong, though I respect their opinon to a great degree, I believe it's strong because the world cryptography community believes it is.

    To date there have been two proposed attacks. One is called the XSL attack. It's not an actual break, simply something that would in theory make it easier to brute force, but still well out of the realm of possibility. More, the math behind it is suspect, it may not even be workable at all. Then there was teh cache timing attack. It does work, but required a special SSL server that gave out as much timing information as possible, and 200 million known plaintext bytes. Nifty, but not practical in the real world.

  16. "Freeform" collision by Gadzinka · · Score: 4, Interesting

    What no one seems to mention is that their attack finds "freeform" collisions. I mean, they go and find two plaintexts with the same hash. I wouldn't worry about it until they find 2^63 attack against given plaintext/hash.

    You can read about the distinction in Birthday Paradox article on Wikipedia. In short, when the difficulty of finding collision against a given message is 2^n, the difficulty of finding any two colliding plaintexts is 2^(n/2).

    So, while they may have found 2^63 attack against SHA-1, it is still a "birthday attack", and to find collision against my message signed with sha-1 the attack would still be 2^126.

    Or did I miss something?

    Robert

    --
    Bastard Operator From 193.219.28.162