Chinese Prof Cracks SHA-1 Data Encryption Scheme

Hades1010 writes to mention an article in the Epoch Times (a Chinese newspaper) about a brilliant Chinese professor who has cracked her fifth encryption scheme in ten years. This one's a doozy, too: she and her team have taken out the SHA-1 scheme, which includes the (highly thought of) MD5 algorithm. As a result, the U.S. government and major corporations will cease using the scheme within the next few years. From the article: " These two main algorithms are currently the crucial technology that electronic signatures and many other password securities use throughout the international community. They are widely used in banking, securities, and e-commerce. SHA-1 has been recognized as the cornerstone for modern Internet security. According to the article, in the early stages of Wang's research, there were other data encryption researchers who tried to crack it. However, none of them succeeded. This is why in 15 years Hash research had become the domain of hopeless research in many scientists' minds. "

Old

[suso]

It looks like she did this almost 2 years ago. So why is this being announced now?

Slashdot editors are idiots.

[Anonymous Coward]

SHA-1 is a hash algorithm, not an encryption algorithm. Achieve competence or quit.

Article is a bit confused

[qbwiz]

Aside from confusing hashing with real encryption, and saying that MD5 is part of SHA-1, isn't this article just repeating what was covered in these [slashdot.org] two [slashdot.org] slashdot stories?

What?

[jrockway]

The article doesn't make sense. There are no technical details and SHA-1 is a cryptographic digest algorithm, not an encryption algorithm. AES is what everyone uses for encryption now -- message digests are used for signatures. Important, yes, but encryption hasn't been rendered useless.

They also use the word "online" too many times for me to take them seriously. The implication is that because the professor broke SHA 1 that my online bank account is going to be drained. Not likely.

Hashing != Encryption

[cpuh0g]

Repeat after me: A hash algorithm is NOT encryption.

The original article is full of misstatements like this doozy:
this SHA-1 encryption includes the world's gold standard Message-Digest algorithm 5 (MD5). Before Professor Wang cracked it, the MD5 could only be deciphered by today's fastest supercomputer running codes for more than a million years.

SHA-1 is NOT encryption, and it certainly doesn't "include" MD5. They are 2 completely different hashing algorithms. Hash algorithms are not "deciphered". Neither of them has been "cracked". They have been found, in theory, to not be as collision-proof as previously thought, but noone has yet found a way to take one block of data and modify it such that it would have an identical hash signature as the original. Both are merely found to be not quite as collision-proof (the most important thing for any hashing algorithm) as previously thought. This is old news.

The original article blows and contains no useful information whatsoever, it was written by someone who hasn't the faintest hint of knowledge about cryptography or mathematics in general.

Re:Old

[fatphil]

It was even on Slashdot back in 2004, IIRC. But heck, this is slashdot

Here are Wang's papers on cracking hashes, which show the age of the cracks, from her webpage:

1)Xiaoyun Wang1, Hongbo Yu, Yiqun Lisa Yin, Efficient Collision Search Attacks on SHA-0,Crypto'05.
2)Xiaoyun Wang, Yiqun Yin, Hongbo Yu, Finding Collisions in the Full SHA-1,Crypto'05.
3)Xiaoyun Wang, Yiqun Yin, Hongbo Yu, Collision Search Attacks on SHA1,2005.
4)Arjen Lenstra, Xiaoyun Wang,Benne de Weger, Colliding X.509 Certificates, E-print 2005.
5)Xiaoyun Wang, Collisions for Hash Functions MD4, MD5,HAVAL-128 and RIPEMD,Crypto'04,E-print.
6) X. Y. Wang, X. J. Lai etc, Cryptanalysis of the Hash Functions MD4 and RIPEMD, Eurocrypto’05.
7) X. Y. Wang, Hongbo Yu, How to Break MD5 and Other Hash Functions, Eurocrypto’05.

I believe in crypto 2004 she was given a standing ovation for her presentation, which is almost unheard of in the ultra-competative world of crypto.

Epoch Times

[rh2600]

The Epoch times is a strange newspaper (http://en.wikipedia.org/wiki/The_Epoch_Times) - it seems to be an anti-establishment periodical with lots of fluff stories about people living in China and articles on the Falun gong movement (http://en.wikipedia.org/wiki/Falun_Gong)..

Far from being a Chinese newspaper it's actually published out of New York, and you might see (Chinese) people handing out copies on the street in your country (I see them in NZ from time to time).

So yeah, it wouldn't surprise me if the article was vague... I'd take it all with a grain of salt.

Re:How long until...

[Anonymous Coward]

The tenure and high salary is a reward for the years said professor spent doing and publishing meaningful research. Why are you harassing them when they have already provided their talents?

Snuffle

[tepples]

SHA-1 is a hash algorithm, not an encryption algorithm.

Any hash algorithm can be used as a stream cipher: hash the key and take successive values to make a pseudorandom stream, and then XOR it against the plaintext. This is the idea behind Daniel J. Bernstein's Snuffle ciphers [wikipedia.org].

Published in New Scientist 17 December 2005

[gessel]

From the original article cited by the epoch times article (at the moment /.ed)

Busted! A crisis in cryptography [newscientisttech.com]

"LAST year, I walked away saying thank God she didn't get a break in SHA-1," says William Burr. "Well, now she has." Burr, a cryptographer at the National Institute of Standards and Technology in Gaithersburg, Maryland, is talking about Xiaoyun Wang, a Chinese cryptographer with a formidable knack for breaking things. Last year Wang, now at Tsinghua University in Beijing, stunned the cryptographic community by breaking a widely used computer security formula called MD5. This year, to Burr's dismay, she went further. Much further."

cute... [ningning.org]

Further information on the "crack"

[arevos]

I took a look at the Google Cache [209.85.135.104] of the article, and it would appear this is old news. This is the collision attack first found back in February 2005, which requires fewer than 2^69 operations, rather than the 2^80 operations a brute force approach would need (see Wikipedia [wikipedia.org] and Bruce Schneider's Blog [schneier.com]). According to Wikipedia, this was later improved so that fewer than 2^63 operations were needed.

In other words, this attack is 2^17, or 131,072 times faster than brute forcing the hash, and from what I've read, this is considered pretty impressive stuff. That said, crypto researchers have known for a while that SHA-1 is on its last legs. From Schneider's blog in February, 2005:

Jon Callas, PGP's CTO, put it best: "It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off." That's basically what I said last August.

So there's nothing much to see here, except a sensationalist newspaper article. This has almost certainly been reported before on Slashdot two years ago, so this story probably counts as a dupe.

Digest Functions In Relation To Encryption

[tqbf]

Without bothering to read the article, I will point out that as far as your bank is concerned, digest algorithms protect SSL negotiation in general and the key exchange in particular. A worst-case break in SHA-1 and MD5 can negate the protections provided by RSA and AES.

Re:Anyone have a link to a *coherent* translation?

[Anonymous Coward]

This appears to be the professors website:

http://www.infosec.sdu.edu.cn/people/wangxiaoyun.h tm [sdu.edu.cn]

The details on the hash collision can be found in the following papers:

Xiaoyun Wang, Yiqun Yin, Hongbo Yu, Finding Collisions in the Full SHA-1,Crypto'05
http://www.infosec.sdu.edu.cn/paper/Finding%20Coll isions%20in%20the%20Full%20SHA-1.pdf [sdu.edu.cn]

Xiaoyun Wang, Yiqun Yin, Hongbo Yu, Collision Search Attacks on SHA1,2005
http://www.infosec.sdu.edu.cn/paper/Collision%20Se arch%20Attacks%20on%20SHA1.pdf [sdu.edu.cn]

She has also previously found methods for collisions in X.509, MD4/MD5, HAVAL-128, RIPEMD and SHA-0.

However, the problem is not entirely the algorithms, there will always be collisions on hashing algorithms, if you could represent an infinite amount of data in 160/128/whatever bits then there would be no point in having 161/129/whatever bits, the fact that your hard drive is much larger than that is a testament that collisions in any type of algorithm where you try to uniquely represent X bits in Y bits (where X > Y) (Yes I realize this is a somewhat oversimplified exaplantion).

The problem is in the paradigm in which these algorithms get used, 'one hash to represent them all' is a broken mentality, use multiple hashing algorithms when it matters, while it is indeed possible that the same data can cause a collision in all of the employed algorithms, its incredibly unlikely and AFAIK no one has created a PoC where two sets of data produce the same checksum in both md4 and sha-0.

It WAS reported on Slashdot two years ago...

[Pi3141592]

...Here. [slashdot.org]

Incredibly old news. EE Times [eetimes.com] reported on it at the time, correctly referring to SHA-1 as a hashing algorithm, nothing more... by itself, anyway.

Re:Old

[Anonymous Coward]

No, this was announced two years ago in the press, and two years ago on Slashdot.

Re:Old

[slimey_limey]

Nope, the evil bit [wikipedia.org].

Ummm well......

[cmdrbuzz]

Just so you know, SHA-1 is a hash, not an encryption algorithm. You can't really encrypt anything with it because you wouldn't be-able to get the plaintext back. Which is kinda the (one way) point of hashes....

Re:Bullshit propaganda

[lxt518052]

True. Except that Epoch Times is usually full of anti-Chinese propaganda.

It is actually run by the notorious Fa Lun Gong cult. The 'epoch' here refers to the new era the cult is supposed to bring us into, with the leader kind like Jesus. A lot of the stuff on that media, especially the Chinese version, is total crap. Despite its lack of credibility, Epoch Times seems always have quite a lot of money to burn. You can sort of pick up the recent copy FREE at major convenience shops in your local Chinatown, amongst stuff like Jehovah Witness's pamphlets. I even once found copies of both language versions at a community library here in UK.

HERE's the coral cache:

[Bananatree3]

Coral cache here [nyud.net]. Sorry, the original link was from the chinese server.

Re:Old

[Schraegstrichpunkt]

The problem is that you're essentially creating a new hash function, H(x) = SHA1(x) || SHA256(x) || MD5(x), for which collisions can be computed piece-wise. To compute a collision for H(x), you can always start by creating a sequence of MD5 collisions, and see if any of these are also collisions for SHA-1 and SHA-256---which, I imagine, is more likely than you might think, since SHA1, SHA256, and MD5 all use the same basic design (compared to algorithms like Whirlpool). That won't necessarily work with a single hash function like SHA-512.

Re:Old

[Anonymous Coward]

And that is why you shouldn't be doing cryptography. There is a result by Joux that shows cascading multiple hash functions, that is, using fundamentally different hash functions like SHA-1, MD5, Tiger, HAVAL, etc. doesn't give you the security you think it does. If you can find collisions in one, it's not hard to find collisions in all of them. Say you use SHA-1 and MD5 together, where you do something like

SHA1(m) || MD5(m). The resulting output is 128-bits + 160-bits. Even though the output is 288-bits, it really only gives about 2^70ish security, instead of the expected 144-bits of security.

-mattjf

Wrong, wrong, wrong.

[MadMidnightBomber]

"According to a Beijing digest, this SHA-1 encryption includes the world's gold standard Message-Digest algorithm 5 (MD5)."

Where do I start? SHA-1 stands for 'Secure Hash Algorithm 1' and is not an encryption scheme. Neither does it include MD5 which is a completely different hash (or message digest) algorithm.

See Schneier - http://www.schneier.com/blog/archives/2005/02/sha1 _broken.html [schneier.com] and http://www.schneier.com/blog/archives/2005/02/cryp tanalysis_o.html [schneier.com] for actual coverage of the break. "They can find collisions in SHA-1 in 2**69 calculations, about 2,000 times faster than brute force. Right now, that is just on the far edge of feasibility with current technology. Two comparable massive computations illustrate that point." That's down from 2**80, so it's a concern, but not exactly the end of the world.

New apps being written should probably be using SHA-256 (256 bits) rather than with SHA1 (160 bits only).

Re:How long until...

[amRadioHed]

Suppressing research in favor of the dogma of the day is old-school religious thinking

That's exactly his point. Suppressing research [webexhibits.org] in favor of dogma is something the current Administration excels at.

Re: MD5 is broken and should no longer be used

[Omnifarious]

It is relatively easy with MD5. It would probably require less than a week of time on a modern computer, possibly only hours.

If you spent 10 million on an SHA-1 cracking box, it's estimated that it would take about 127 days to find two colliding files.

Here is a PDF that's my source [qut.edu.au] for this information.

An additional problem is that you can embed interesting things in .pdf, .ps or even HTML documents. You could embed both the evil code, and the good code. Then use a colliding block someone found a long time ago to choose between the evil code and the good code. So, once even one collision is found, it's possible to leverage that one collision into all kinds of existing documents because of the block nature of the two algorithms.

I expect that .pdf and .ps documents rarely see code review looking for evil code. So it's quite likely something like this would go compeltely undetected until the evil version was released into the wild causing a ton of confusion and lost time before someone figured out what was wrong.

Re:Not so fast.

[wherrera]

There are actually several SHA-1 replacements out there, including SHA-224, SHA-256, SHA-384, and SHA-512. None cracked yet. And for just creating a signature-bound digest of a text that is then acted upon by a more secure scheme, like 2048 bit RSA, SHA-1 is still fine. An attacker in that case would generally need the private RSA key to just get to the point he could start cracking the SHA1 digest :).

Re:Digest Functions In Relation To Encryption

[fwr]

This is all blown out of proportion, because the finding of another plaintext that generates the same hash will almost always be useless anyway. For example, a hash function, like MD5 or SHA1 (which are not encryption algorithms) may generate a hash code of 123456 for the plaintext:

This is a message from Me to You, send me some $$$!

If there was a weakness in the hash function you may be able to find another plaintext that generates the same hash code, for instance, the hash function may also return a code of 123456 for the plaintext:

fy87dsf5dkjsf75SI5sdfISAfd576fHFKhsudg6%&FDSHf5765 a

Sounds pretty useful doesn't it! I mean, OH My God! They are going to be able to like break into my online bank account now! Yea right. The "duplicate" plaintext that you may find for a given hash code most likely won't even be recognizable, and certainly wouldn't be in a form that would be useful. For instance, a duplicate plaintext with the same hashcode of a TCP/IP frame wouldn't likely even be in the proper format to be able to be decoded.

Think about it.

Re:Not so fast.

[Simon Garlick]

What concerns me is that in the last two years I've heard no news about a replacement for SHA-1.

WTF? Have you been living in a cave or something?

Crypto mailing lists, newsgroups, and discussion forums talked about almost nothing else for about six months following the announcement that SHA-1 had been broken.

Even the US government, which moves at the speed of a glacier, proposed replacements for SHA-1 in FIPS back in March last year.

http://csrc.nist.gov/publications/drafts.html [nist.gov]

Re:Old

[jd]

You're better off using algorithms that share nothing in common. SHA512 and Whirlpool would be good choices, from that standpoint. Besides, with MD5 effectively broken a long time ago (as hashes go), a collision only requires an attacker to find one flaw, not two overlapping flaws, as would be required with two unbroken hashes.

Re:Multiple hashes

[David Jao]

Call me a total thicky, but can't we strengthen any application that uses a hash by using several different hashes?

This exact proposal shows up, like clockwork, literally dozens and dozens of times for each slashdot story about hash functions. Since the number of people who know why this proposal fails is miniscule compared to the number of people who think of the idea, it is literally impossible to respond to all the people who keep suggesting this idea. I mean, even if all of us spent literally every minute of every day responding to people who suggest this idea, we would still not have time to reply to every single post.

Here is an old post [slashdot.org] on slashdot explaining exactly why this idea doesn't work. The post has some details wrong ... for example, the correct security strength of the combined md5+sha1 hash is in reality 2^80 + 160*2^64, which is much weaker than even the already weakened security level cited in the post. However, the general idea is correct, and if you google for the title of the paper cited in that post, you can find much more information.

I hope that this reply helps to educate at least one poster, but judging by the regularity with which this idea keeps reoccurring, it's a little bit like rearranging chairs on the Titanic.

Re:Snuffle

[Fastolfe]

You misunderstood the parent post. SHA-1 is a hash function. If you "encrypt" something using SHA-1, in theory, you can't "decrypt" it, because hash functions are irreversible. He's saying that if SHA-1 is "cracked" in the sense that you can easily figure out the original data, then you should be pleased, since you could not have "decrypted" the data otherwise.

While you can say that SHA-1 can be used as the basis for a cipher (such as Snuffle), that doesn't change the fact that SHA-1, by itself, is a hash function, not a cipher. SHA-1, by itself, is not an encryption algorithm. But Snuffle may very well be.

Joux's multicollisions attack

[Schraegstrichpunkt]

Actually, I've actually run collisions in MD5 through SHA-1 and multiple different signatures including Ripe and several. Multiple collisions in MD5 don't generate a corresponding signature in SHA and it would take a lot of work to find one that does.

Actually, you don't know what you're talking about. Go read "Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions" by Antoine Joux. Unfortunately, it's not generally available online, but Hal Finney wrote a nice explanation of the problem here [mail-archive.com].

Re:How long until...

[CalSolt]

I bet the NSA has spent immense resources figuring out how to break its own encryption schemes, if it didn't know from the start. You don't become the biggest employer of mathematicians in the world without figuring out a thing or two about encryption.

Without the ability to break things like SHA-1 and RSA encryption, NSA's tremendous rate of information gathering is pointless, because most of the useful stuff is encrypted.

The continued existence and even growth of the NSA is proof that they have ways to break open all that encrypted information they're gathering.

Re:Not so fast.

[kasperd]

I wonder why a comment with two thirds of misinformation gets rated Informative.

There are actually several SHA-1 replacements out there, including SHA-224, SHA-256, SHA-384, and SHA-512.

True.

None cracked yet.

Also true AFAIK. I have not heard of anyone breaking those. But I must admit, I don't know if the weaknesses found ind SHA-1 applies to other variants of SHA as well.

And for just creating a signature-bound digest of a text that is then acted upon by a more secure scheme, like 2048 bit RSA, SHA-1 is still fine. An attacker in that case would generally need the private RSA key to just get to the point he could start cracking the SHA1 digest :).

You are completely mistaken about this part. A chain is not stronger than the weakest link. If you do signatures using SHA-1 and RSA, only one of the two has to be broken to forge a signature. When you sign a message, you put a signature on the output of the hash. If anybody can find another message with the same hash, they can simply put together your signature with the other message, and it will be a valid signature on a message you had never seen.

What could save you is the fact that there are different degrees of brokenness for a hash function. There are three kinds of common attacks to attempt on a hash function. The easiest one is to just generate a collision where you get to choose both messages. Next comes the problem of generating a collision where you are given one of the messages. Finally the hardest case is to be given a hash value and having to generate a message with that hash without having already an example of how to reach that hash value.

For MD5 an actual collision has been found, but still now algorithm to find a collision with an arbitrary message. For SHA1 there is AFAIK only demonstrated weaknesses. I have yet to see an actual SHA1 collision.

For signatures it might not be considered enough to just find a collision, after all you have to match the hash of a message, which was already signed. But even though you might feel secure, there are some things to worry about. First of all, once a technique to find collisions have been found, it only takes a little extra work to generate meaningful collisions. This is obvious to people with sufficient knowledge of the field, but a wouldn't believe this until it was actually demonstrated. With MD5 it has been demonstrated how to take two arbitrary plaintext files and from those generating two postscript files containing the two different texts but the same hash. Postscript was obviously chosen because the format contains a Turing complete language and thus was an easy target. But even simpler formats might be targeted with some additional work.

Consider the following scenario you send a signed email to somebody. You receive a reply saying something like "thank you for your email, but we need the signature on a postscript version, could you please sign the attached file?", and you find attached a postscript file containing the exact text you originally wrote. Would you sign that postscript file?

Re:Not so fast.

[rpresser]

Cruft can be added to the postscript file invisibly, with the result that the file you've signed (which prints out as an exact representation of the email you sent) has the EXACT SAME HASH as another file which says something totally different. And your digital signature verfies both files.

Saying it once more for clarity:

1. You send a digitally signed email A which states, for example, that you do not approve of a particular business proposal.
2. They email you an unsigned postscript file A', which you print out for verification, and it looks just like your email. So you digitally sign it and email it to them.
3. They detach the digital signature from A' and attach it to another postscript file B', which states that you do approve of the proposal. Anyone attempting to verify the signature on B' will think you signed it.
4. You lose your job.

Now get this: in actual fact, they don't even NEED a broken digital signature algorithm to trap yu this way. It is possible -- not even difficult -- to construct a postscript file so that it prints out one way on a specific printer and a different way on every other printer. Unless you view the
postscript code, you'll never know. Remember, postscript is a fully capable programming language, not just a page definition markup scheme.

Not a surprise - here are old references

[Aging_Newbie]

PC World commented on the issue [pcworld.com] in 2005
Also Bruce Schneier [schneier.com] wrote about it back then.

I guess it takes a while for the US government and Microsoft, et al to take action on the news.