Forgot your password?
typodupeerror

Chinese Prof Cracks SHA-1 Data Encryption Scheme 416

Posted by Zonk
from the mad-math dept.
Hades1010 writes to mention an article in the Epoch Times (a Chinese newspaper) about a brilliant Chinese professor who has cracked her fifth encryption scheme in ten years. This one's a doozy, too: she and her team have taken out the SHA-1 scheme, which includes the (highly thought of) MD5 algorithm. As a result, the U.S. government and major corporations will cease using the scheme within the next few years. From the article: " These two main algorithms are currently the crucial technology that electronic signatures and many other password securities use throughout the international community. They are widely used in banking, securities, and e-commerce. SHA-1 has been recognized as the cornerstone for modern Internet security. According to the article, in the early stages of Wang's research, there were other data encryption researchers who tried to crack it. However, none of them succeeded. This is why in 15 years Hash research had become the domain of hopeless research in many scientists' minds. "
This discussion has been archived. No new comments can be posted.

Chinese Prof Cracks SHA-1 Data Encryption Scheme

Comments Filter:
  • How long until... (Score:4, Interesting)

    by dada21 (163177) * <adam.dada@gmail.com> on Saturday January 20, 2007 @04:40PM (#17696648) Homepage Journal
    ...the State Department decides this is considered a terrorist activity and finds a way to make it law/international treaty that this is abolished? Honestly, I can see the out-of-whack State security thugs deciding that this is an act of war.

    I'm a big fan of teams like this in unraveling the security defects out there -- giving others more reason to make more secure schemes. I'd love to know how one can finance these groups (legally?). What does her group specifically gain from all this labor? Who pays for them?
    • Re: (Score:3, Insightful)

      by fyngyrz (762201) *

      We gain the obvious: The more we know, the better off we are. All science contributes to rolling back the veil of the unknown, and (eventually) almost all science benefits us. Encryption research is no exception. Suppressing research in favor of the dogma of the day is old-school religious thinking. Not a good way to go.

      Besides; my suspicion is that if she's gone and cracked it, the odds are at least reasonable that the NSA and crew already had, anyway — it's not like they would tell us if they ha

      • by Anonymous Coward on Saturday January 20, 2007 @04:54PM (#17696764)
        Besides; my suspicion is that if she's gone and cracked it, the odds are at least reasonable that the NSA and crew already had

        Not necessarily. There are often times when major leaps like this are made because of the efforts of one exceptionally brilliant person. It doesn't matter if you have whole teams of really smart people working on a problem, because this one person will come along and break the field open in a new way. That seems to be what's happened here.
        • by symbolic (11752) on Saturday January 20, 2007 @06:22PM (#17697290)
          And I hear that Microsoft is still looking for that one person.
          • Re: (Score:3, Funny)

            by ray-auch (454705)
            well seeing how big and successful they've become _without_ him/her, I'd really rather they never found them...
        • Not so fast. (Score:5, Interesting)

          by BrokenHalo (565198) on Saturday January 20, 2007 @07:14PM (#17697582)
          TFA refers to its own source as the New Scientist. A quick search there reveals the article in question [newscientisttech.com] is dated February 2005. So I guess this should probably come under "oldnews", but in any case the NSA had had plenty of time to play with it.

          What concerns me is that in the last two years I've heard no news about a replacement for SHA-1. Maybe every's hoping that if they ignore the problem, it'll go away.
          • Re:Not so fast. (Score:4, Informative)

            by wherrera (235520) on Saturday January 20, 2007 @08:28PM (#17698058) Journal
            There are actually several SHA-1 replacements out there, including SHA-224, SHA-256, SHA-384, and SHA-512. None cracked yet. And for just creating a signature-bound digest of a text that is then acted upon by a more secure scheme, like 2048 bit RSA, SHA-1 is still fine. An attacker in that case would generally need the private RSA key to just get to the point he could start cracking the SHA1 digest :).

            • Re:Not so fast. (Score:5, Informative)

              by kasperd (592156) on Sunday January 21, 2007 @07:27AM (#17701048) Homepage Journal
              I wonder why a comment with two thirds of misinformation gets rated Informative.

              There are actually several SHA-1 replacements out there, including SHA-224, SHA-256, SHA-384, and SHA-512.
              True.

              None cracked yet.
              Also true AFAIK. I have not heard of anyone breaking those. But I must admit, I don't know if the weaknesses found ind SHA-1 applies to other variants of SHA as well.

              And for just creating a signature-bound digest of a text that is then acted upon by a more secure scheme, like 2048 bit RSA, SHA-1 is still fine. An attacker in that case would generally need the private RSA key to just get to the point he could start cracking the SHA1 digest :).
              You are completely mistaken about this part. A chain is not stronger than the weakest link. If you do signatures using SHA-1 and RSA, only one of the two has to be broken to forge a signature. When you sign a message, you put a signature on the output of the hash. If anybody can find another message with the same hash, they can simply put together your signature with the other message, and it will be a valid signature on a message you had never seen.

              What could save you is the fact that there are different degrees of brokenness for a hash function. There are three kinds of common attacks to attempt on a hash function. The easiest one is to just generate a collision where you get to choose both messages. Next comes the problem of generating a collision where you are given one of the messages. Finally the hardest case is to be given a hash value and having to generate a message with that hash without having already an example of how to reach that hash value.

              For MD5 an actual collision has been found, but still now algorithm to find a collision with an arbitrary message. For SHA1 there is AFAIK only demonstrated weaknesses. I have yet to see an actual SHA1 collision.

              For signatures it might not be considered enough to just find a collision, after all you have to match the hash of a message, which was already signed. But even though you might feel secure, there are some things to worry about. First of all, once a technique to find collisions have been found, it only takes a little extra work to generate meaningful collisions. This is obvious to people with sufficient knowledge of the field, but a wouldn't believe this until it was actually demonstrated. With MD5 it has been demonstrated how to take two arbitrary plaintext files and from those generating two postscript files containing the two different texts but the same hash. Postscript was obviously chosen because the format contains a Turing complete language and thus was an easy target. But even simpler formats might be targeted with some additional work.

              Consider the following scenario you send a signed email to somebody. You receive a reply saying something like "thank you for your email, but we need the signature on a postscript version, could you please sign the attached file?", and you find attached a postscript file containing the exact text you originally wrote. Would you sign that postscript file?
          • Re:Not so fast. (Score:5, Informative)

            by Simon Garlick (104721) on Saturday January 20, 2007 @10:22PM (#17698650)
            What concerns me is that in the last two years I've heard no news about a replacement for SHA-1.

            WTF? Have you been living in a cave or something?

            Crypto mailing lists, newsgroups, and discussion forums talked about almost nothing else for about six months following the announcement that SHA-1 had been broken.

            Even the US government, which moves at the speed of a glacier, proposed replacements for SHA-1 in FIPS back in March last year.

            http://csrc.nist.gov/publications/drafts.html [nist.gov]
        • NSA (Score:3, Interesting)

          by Mark_MF-WN (678030)
          People do seem to give the NSA a little too much credit. I mean, this is a group whose main claims to fame are that they own the world's largest incinerator, that they can spy on hundreds of millions of people that haven't done anything, and that they lack the manpower to actually check more than a tiny fraction of the surveillance they've done.

          Any big group that operates as part of a government, particularly a government as enormous as that of the USA, WITHOUT extensive public oversight, will be hopeles

          • Re: (Score:3, Insightful)

            by ultranova (717540)

            * Doofuses? Just look how well that has worked out for their feelow Muslims... their 70 virgins are probably going to turn out to be 70 desperate truckers with a taste for the dark meat...

            You are making an incorrect assumption here: that the purpose of Osama was to benefit his fellow muslims. It was not. It was to destroy the "infidels" (meaning every non-muslim, but especially the USA). The way to do that (in his mind) is to start a jihad, a holy war. Now which one is more likely to throw their life aw

      • by myowntrueself (607117) on Saturday January 20, 2007 @05:19PM (#17696960)
        We gain the obvious: The more we know, the better off we are.

        You never read any H.P Lovecraft then...

        • Re: (Score:3, Funny)

          by brunson (91995)
          Last time I checked Lovecraft wrote fiction. And crappy fiction, at that.
        • by jd (1658)
          We know Cthulhu turns into a mist (Call of Cthulhu), we know he can't pass the elder sign and we know that the Chinese can etch entire names onto grains of rice. So, if we hire the entire of China to etch elder signs onto the sand used to make cement, summon Cthulhu into a flooded cavern, run a boat through him, then flood the cavern with the modified cement, you can prevent him reforming and eventually he'll go insane.

          Oh.

    • Re: (Score:3, Insightful)

      by Instine (963303)
      Like most things there, I'm guessing (tho this could well be very predjudist) that the Government pays... But she has done anyone who banks online a favour, by showing the flaw in the system. It would be naive to think that only she would ever crack it. What is interesting is that she has made it public knowledge that she has cracked it. This is probably China flexing its IT knowhow muscles a little. Not in such a threatening way, but a "look at the level at which we can play" kind of way. And no! This is n
    • Re: (Score:3, Interesting)

      by Workaphobia (931620)
      I think there's a difference in the way the government would treat someone who finds a critical vulnerability in an otherwise secure system, and someone who find just another practical exploit in an inherently insecure system.

      The reason businesses and governments don't appreciate the work of some Joe Researcher who finds another buffer overflow vulnerability is that they are a dime a dozen and impossible to eliminate entirely, so rather than go after the bug they go after the guys who find and publish them.
    • by Kadin2048 (468275) <slashdot.kadin@NOSpAm.xoxy.net> on Saturday January 20, 2007 @05:33PM (#17697030) Homepage Journal
      Here's what you really need to look out for: what's the NSA's reaction?

      In the past, it was widely understood that the NSA was well ahead of the private sector in terms of both encryption and decryption. During the 70s and 80s, the private sector basically closed the "encryption gap" and produced some ciphers that (at least most people suspect) are as secure as those used by the NSA.

      What's still an open question, is how far ahead the NSA is of the private/corporate sector in terms of breaking other people's ciphers.

      Depending on the NSA's reaction, it might be possible to know whether or not this break was anticipated. If they're using SHA-1 internally, one can assume they didn't know about this discovery already, and they've fallen behind of the position many folks assumed they had. If they just shrug and smile, then they may have already known about this (and possibly been using it) for some time now.
      • by antirelic (1030688) on Saturday January 20, 2007 @06:05PM (#17697216) Journal
        Thats making a huge assumption that the NSA or any other organisation relies heavily on "one particular encryption mechanism" to transmit information. The industry has moved its focus away from relying on more powerful encryption schemes to more difficult to intercept transmition methods such as http://www.laser2laser.co.nz/laser_products.htm [laser2laser.co.nz] . There is no particular piece of the puzzle that makes a network or data more secure. Believing this is a major "shake up" or is going to cause a "major reaction" shows a lack of understanding about security on the part of the person making the speculation.
  • Old (Score:5, Informative)

    by suso (153703) * on Saturday January 20, 2007 @04:40PM (#17696656) Homepage Journal
    It looks like she did this almost 2 years ago. So why is this being announced now?
    • Re:Old (Score:5, Funny)

      by Anonymous Coward on Saturday January 20, 2007 @04:47PM (#17696712)
      It looks like she did this almost 2 years ago. So why is this being announced now?


      Because China now uses anti-satellite weapons now, so we have to "up" the evil-status a bit.


      Next week, we'll hear that this same prof has some pirated DVDs


    • In the international political chess match what you know is as important as how and when you knew it.
      The fact that this comes out now is either a) a human screw-up, b) an general admission of what has long been obvious to those 'in the know', c) stealth advertising to score some more encryption funding for other researchers, or d) a blend of a-c.
    • Re:Old (Score:5, Informative)

      by fatphil (181876) on Saturday January 20, 2007 @05:05PM (#17696846) Homepage
      It was even on Slashdot back in 2004, IIRC. But heck, this is slashdot

      Here are Wang's papers on cracking hashes, which show the age of the cracks, from her webpage:

      1)Xiaoyun Wang1, Hongbo Yu, Yiqun Lisa Yin, Efficient Collision Search Attacks on SHA-0,Crypto'05.
      2)Xiaoyun Wang, Yiqun Yin, Hongbo Yu, Finding Collisions in the Full SHA-1,Crypto'05.
      3)Xiaoyun Wang, Yiqun Yin, Hongbo Yu, Collision Search Attacks on SHA1,2005.
      4)Arjen Lenstra, Xiaoyun Wang,Benne de Weger, Colliding X.509 Certificates, E-print 2005.
      5)Xiaoyun Wang, Collisions for Hash Functions MD4, MD5,HAVAL-128 and RIPEMD,Crypto'04,E-print.
      6) X. Y. Wang, X. J. Lai etc, Cryptanalysis of the Hash Functions MD4 and RIPEMD, Eurocrypto&#8217;05.
      7) X. Y. Wang, Hongbo Yu, How to Break MD5 and Other Hash Functions, Eurocrypto&#8217;05.

      I believe in crypto 2004 she was given a standing ovation for her presentation, which is almost unheard of in the ultra-competative world of crypto.

    • by bcrowell (177657)

      So why is this being announced now?
      Because the /. editors don't care?

      It looks like she did this almost 2 years ago.
      Given that the problems with SHA1 started showing up that long ago, it's very disappointing that so little progress has been made in converting to stronger algorithms. I have a perl application that used to use SHA1 for watermarking, and when the problems started showing up, I decided to go ahead and switch to Whirlpool as my hashing algorithm. In all that intervening time, however, the

    • by Original Replica (908688) on Saturday January 20, 2007 @05:16PM (#17696950) Journal
      All your bank, are belong to us.
  • by qbwiz (87077) * <johnNO@SPAMbaumanfamily.com> on Saturday January 20, 2007 @04:42PM (#17696672) Homepage
    Aside from confusing hashing with real encryption, and saying that MD5 is part of SHA-1, isn't this article just repeating what was covered in these [slashdot.org] two [slashdot.org] slashdot stories?
  • What? (Score:5, Informative)

    by jrockway (229604) <jon-nospam@jrock.us> on Saturday January 20, 2007 @04:44PM (#17696688) Homepage Journal
    The article doesn't make sense. There are no technical details and SHA-1 is a cryptographic digest algorithm, not an encryption algorithm. AES is what everyone uses for encryption now -- message digests are used for signatures. Important, yes, but encryption hasn't been rendered useless.

    They also use the word "online" too many times for me to take them seriously. The implication is that because the professor broke SHA 1 that my online bank account is going to be drained. Not likely.
    • Agreed. The author is obviously not well versed in the area of cryptography. A quick trip to Wikipedia [wikipedia.org] would be advisable.
    • They also use the word "online" too many times for me to take them seriously. The implication is that because the professor broke SHA 1 that my online bank account is going to be drained. Not likely.

      The use of the word "online" reminds the reader that data security over an untrusted network is a much less mature field than physical security.

    • Without bothering to read the article, I will point out that as far as your bank is concerned, digest algorithms protect SSL negotiation in general and the key exchange in particular. A worst-case break in SHA-1 and MD5 can negate the protections provided by RSA and AES.
      • by hal9000(jr) (316943) on Saturday January 20, 2007 @05:44PM (#17697090)
        Having read the article adn having a cursory understanding of secure hashing, when used with SSL, the chances of this break being useable is very, very unlikely because even assuming an attacker could get in the middle, they would still have to calculate the collision in near real time. Wiht hashes, generating a collision is the "break."

        This may be a bigger issue with long term storage like e-signing a contract.

        • Re: (Score:3, Informative)

          by fwr (69372)
          This is all blown out of proportion, because the finding of another plaintext that generates the same hash will almost always be useless anyway. For example, a hash function, like MD5 or SHA1 (which are not encryption algorithms) may generate a hash code of 123456 for the plaintext:

          This is a message from Me to You, send me some $$$!

          If there was a weakness in the hash function you may be able to find another plaintext that generates the same hash code, for instance, the hash function may also return a code
    • The implication is that because the professor broke SHA 1 that my online bank account is going to be drained. Not likely.

      Yup, $23.71. You're right. Barely covers the cost of the CPU time.

  • News for nerds? (Score:5, Insightful)

    by Toveling (834894) * on Saturday January 20, 2007 @04:45PM (#17696692)
    This article is completely devoid of any real content. It just says she "cracked it" over and over, not explaining whether a crack is a collision, preimage, or other attack. It also seems technically inaccurate, saying that SHA-1 'includes' MD5? I know that no one RTFA, but c'mon, at least cover for a crappy article by having a good summary: this story has neither.
  • Okay, I started to read TFA...

    According to a Beijing digest, this SHA-1 encryption includes the world's gold standard Message-Digest algorithm 5 (MD5). Before Professor Wang cracked it, the MD5 could only be deciphered by today's fastest supercomputer running codes for more than a million years.

    Overlooking the fact that a hash function does NOT equal "encryption", the above-quoted paragraph goes far beyond word choice and grammar errors, and appears outright factually... Well, not "wrong" so much as "co

    • by Anonymous Coward on Saturday January 20, 2007 @05:35PM (#17697040)
      This appears to be the professors website:

      http://www.infosec.sdu.edu.cn/people/wangxiaoyun.h tm [sdu.edu.cn]

      The details on the hash collision can be found in the following papers:

      Xiaoyun Wang, Yiqun Yin, Hongbo Yu, Finding Collisions in the Full SHA-1,Crypto'05
      http://www.infosec.sdu.edu.cn/paper/Finding%20Coll isions%20in%20the%20Full%20SHA-1.pdf [sdu.edu.cn]

      Xiaoyun Wang, Yiqun Yin, Hongbo Yu, Collision Search Attacks on SHA1,2005
      http://www.infosec.sdu.edu.cn/paper/Collision%20Se arch%20Attacks%20on%20SHA1.pdf [sdu.edu.cn]

      She has also previously found methods for collisions in X.509, MD4/MD5, HAVAL-128, RIPEMD and SHA-0.

      However, the problem is not entirely the algorithms, there will always be collisions on hashing algorithms, if you could represent an infinite amount of data in 160/128/whatever bits then there would be no point in having 161/129/whatever bits, the fact that your hard drive is much larger than that is a testament that collisions in any type of algorithm where you try to uniquely represent X bits in Y bits (where X > Y) (Yes I realize this is a somewhat oversimplified exaplantion).

      The problem is in the paradigm in which these algorithms get used, 'one hash to represent them all' is a broken mentality, use multiple hashing algorithms when it matters, while it is indeed possible that the same data can cause a collision in all of the employed algorithms, its incredibly unlikely and AFAIK no one has created a PoC where two sets of data produce the same checksum in both md4 and sha-0.
  • by cpuh0g (839926) on Saturday January 20, 2007 @04:51PM (#17696740)
    Repeat after me: A hash algorithm is NOT encryption.

    The original article is full of misstatements like this doozy:
    this SHA-1 encryption includes the world's gold standard Message-Digest algorithm 5 (MD5). Before Professor Wang cracked it, the MD5 could only be deciphered by today's fastest supercomputer running codes for more than a million years.

    SHA-1 is NOT encryption, and it certainly doesn't "include" MD5. They are 2 completely different hashing algorithms. Hash algorithms are not "deciphered". Neither of them has been "cracked". They have been found, in theory, to not be as collision-proof as previously thought, but noone has yet found a way to take one block of data and modify it such that it would have an identical hash signature as the original. Both are merely found to be not quite as collision-proof (the most important thing for any hashing algorithm) as previously thought. This is old news.

    The original article blows and contains no useful information whatsoever, it was written by someone who hasn't the faintest hint of knowledge about cryptography or mathematics in general.

    • For that matter, MD5 hasn't been the gold standard in several years, even before the MD5 weaknesses came to light. That it is one of the most commonly used hashing algorithms doesn't make it the gold standard.
    • Re: (Score:2, Insightful)

      by iion_tichy (643234)
      "Repeat after me: A hash algorithm is NOT encryption."

      Not entirely correct, though. The thing is that many crypotgraphyc "processes" rely on fingerprints of documents (as one signs the fingerprint rather than the whole document and stuff like that). So I think many current protocols would be affected. It's perhaps not encryption in a mathematical sense, but in a practical sense.

      Nevertheless the article was crap, it doesn't even say in what way SHA-1 was broken (making it impossible to judge the severity).
  • Makes me wonder (Score:3, Interesting)

    by xigxag (167441) on Saturday January 20, 2007 @04:58PM (#17696796)
    Makes me wonder just how much trouble the US or international financial community would be in if an adversarial organization cracked a major security encryption and didn't politely announce it, but instead kept their achievement secret. And then either cracked mountains of banking/military data at a leisurely pace, selling it piecemeal to finance rogue networks OR timed a widespread release of the crack algorithm for a catastrophic hit upon (inter)national security. What steps are being taken to combat this from eventually occurring?
    • The more common approach is to refuse to allow robust encryption, forcing local companies to use weak ciphers or to only permit robust encryption and authentication tools where the key can be obtained trivially by the government. This has certainly been done by the NSA for decades, with their old unconstitutional interference with exporting encryption technologies, with their Skipjack encryption authorized for use in cell phones and digital communications, and with the new Trusted Computing initiative led b
  • by johncalltwo (521360) on Saturday January 20, 2007 @05:01PM (#17696816)
    Gung'f jul V arire hfr nal bs gubfr arjsnatyrq rapelcgvba fpurzrf, guvf bar jbexf, naq fur jvyy arire jevgr n negvpyr ba oernxvat vg.
  • Epoch Times (Score:5, Informative)

    by rh2600 (530311) on Saturday January 20, 2007 @05:06PM (#17696852) Homepage
    The Epoch times is a strange newspaper (http://en.wikipedia.org/wiki/The_Epoch_Times) - it seems to be an anti-establishment periodical with lots of fluff stories about people living in China and articles on the Falun gong movement (http://en.wikipedia.org/wiki/Falun_Gong)..

    Far from being a Chinese newspaper it's actually published out of New York, and you might see (Chinese) people handing out copies on the street in your country (I see them in NZ from time to time).

    So yeah, it wouldn't surprise me if the article was vague... I'd take it all with a grain of salt.
  • But they are certainly weak against attacks using rainbowtables. Both algorithms should be tossed into the bit bucket for something a little more secure. New services including Hashbreaker, Schmoo, freerainbowtables etc show how easy it is to brute force using rainbowtables. RE: http://www.hashbreaker.com/ [hashbreaker.com] and distributed rainbowtable generation http://hashbreaker.com:8700/ [hashbreaker.com] http://wired.s6n.com/files/jathias/ [s6n.com] http://www.freerainbowtables.com/index-rainbowtabl es-distributed.html/ [freerainbowtables.com] http://www.darknet.org.u [darknet.org.uk]
  • by gessel (310103) * on Saturday January 20, 2007 @05:10PM (#17696900) Homepage
    From the original article cited by the epoch times article (at the moment /.ed)

    Busted! A crisis in cryptography [newscientisttech.com]

    "LAST year, I walked away saying thank God she didn't get a break in SHA-1," says William Burr. "Well, now she has." Burr, a cryptographer at the National Institute of Standards and Technology in Gaithersburg, Maryland, is talking about Xiaoyun Wang, a Chinese cryptographer with a formidable knack for breaking things. Last year Wang, now at Tsinghua University in Beijing, stunned the cryptographic community by breaking a widely used computer security formula called MD5. This year, to Burr's dismay, she went further. Much further."

    cute... [ningning.org]
  • by arevos (659374) on Saturday January 20, 2007 @05:12PM (#17696916) Homepage
    I took a look at the Google Cache [209.85.135.104] of the article, and it would appear this is old news. This is the collision attack first found back in February 2005, which requires fewer than 2^69 operations, rather than the 2^80 operations a brute force approach would need (see Wikipedia [wikipedia.org] and Bruce Schneider's Blog [schneier.com]). According to Wikipedia, this was later improved so that fewer than 2^63 operations were needed.

    In other words, this attack is 2^17, or 131,072 times faster than brute forcing the hash, and from what I've read, this is considered pretty impressive stuff. That said, crypto researchers have known for a while that SHA-1 is on its last legs. From Schneider's blog in February, 2005:

    Jon Callas, PGP's CTO, put it best: "It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off." That's basically what I said last August.
    So there's nothing much to see here, except a sensationalist newspaper article. This has almost certainly been reported before on Slashdot two years ago, so this story probably counts as a dupe.
  • We're been Pwned! I just hope they don't hrack our ID-10-Tee hash algorithm encryption! Then all our base will belong to them!
       
  • A few facts (Score:5, Insightful)

    by Jerry Coffin (824726) on Saturday January 20, 2007 @05:21PM (#17696976)
    For those who care, Bruce Schneier gave some real facts [schneier.com] about the attack on his site a couple of years ago. As he pointed out:

    For the average Internet user, this news is not a cause for panic. No one is going to be breaking digital signatures or reading encrypted messages anytime soon. The electronic world is no less secure after these announcements than it was before.

    A short note [mit.edu] about the attack has been available for a couple of years as well. The note shows collisions for two different reduced versions of SHA-1.

    Though it's not absolutely certain, my guess is that the reality behind the new announcement is that they've actually found a collision for the full version of SHA-1, and possibly for MD-5 as well. OTOH, maybe the mention of MD-5 is just a journalist's hashed (no pun intended) version of the fact that SHA-1 is based closely enough on MD-5 that an algorithm that's successful against SHA-1 will probably be effective with respect to MD-5 as well.

  • Wrong, wrong, wrong. (Score:5, Informative)

    by MadMidnightBomber (894759) on Saturday January 20, 2007 @07:19PM (#17697616)

    "According to a Beijing digest, this SHA-1 encryption includes the world's gold standard Message-Digest algorithm 5 (MD5)."

    Where do I start? SHA-1 stands for 'Secure Hash Algorithm 1' and is not an encryption scheme. Neither does it include MD5 which is a completely different hash (or message digest) algorithm.

    See Schneier - http://www.schneier.com/blog/archives/2005/02/sha1 _broken.html [schneier.com] and http://www.schneier.com/blog/archives/2005/02/cryp tanalysis_o.html [schneier.com] for actual coverage of the break. "They can find collisions in SHA-1 in 2**69 calculations, about 2,000 times faster than brute force. Right now, that is just on the far edge of feasibility with current technology. Two comparable massive computations illustrate that point." That's down from 2**80, so it's a concern, but not exactly the end of the world.

    New apps being written should probably be using SHA-256 (256 bits) rather than with SHA1 (160 bits only).

  • by Aging_Newbie (16932) * on Sunday January 21, 2007 @03:22PM (#17703950)
    PC World commented on the issue [pcworld.com] in 2005
    Also Bruce Schneier [schneier.com] wrote about it back then.

    I guess it takes a while for the US government and Microsoft, et al to take action on the news.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (2) Thank you for your generous donation, Mr. Wirth.

Working...