PGP Moving To Stronger SHA Algorithms 247
PGP Corp. is moving to a stronger SHA Algorithm (SHA-256 and SHA-512) as consequence of the research conducted by the team at Shandong University in China who broke the SHA-1 algorithm. (See this earlier story for more information on the SHA-1 vulnerability.)
Not a solution (Score:4, Insightful)
Re:Not a solution (Score:5, Insightful)
They're just trying to avoid the problem, not solve it. Moving to SHA-512 is not a solution.
Could also be a stop gap solution. At least it will be harder to break in the mean time until a real solution is devised.
Re:Not a solution (Score:2, Insightful)
Re:Not a solution (Score:5, Insightful)
Moving to Tiger? Or Whirlpool? Or RIPEMD-160?
The amount of effort it took to discover the weakness in SHA-1 was incredible, and SHA-256 and SHA-512 are even more complex. Tiger and Whirlpool are relatively untested, and RIPEMD-160 was put out as an update after the original RIPEMD was broken (Much like SHA-0).
SHA-256 and SHA-512 are the most likely successors to the throne, because they're based on an algo that is STILL, despite being "broken", known to have very strong collision resistance.
Re:Not a solution (Score:5, Informative)
Re:Not a solution (Score:4, Interesting)
Re:Not a solution (Score:4, Informative)
In short, having two different hashes doesn't add more security (at least not significantly more) than just doubling the hash length.
Re:Not a solution (Score:2, Interesting)
Sure it does, because you're talking about two different algorithms. If a fatal flaw is found in one algorithm, you're still left with *something*, vs. being left with no pants.
Re:Not a solution (Score:3, Insightful)
Not really. SHA1+MD5 can be expressed as a singular algorithm that produces the combined signature.... thing is, you now end up with one algorithm broken in two different ways that may actually allow for an easier breakage down the road (it's a bit harder to predict, given that you're now looking at a relatively ad-hock concatonation).
It's not that it's a known breakage -- rather that you're now looking at a very ad-hock union that
Re:Not a solution (Score:2, Informative)
It's like using two passwords instead of one. Of course it's better
Re:Not a solution (Score:5, Informative)
Re:Not a solution (Score:3, Informative)
You are comparing apples to oranges.
We're talking about a mathematical breakthrough, not the release of the newest processor.
This problem isn't arising because we have faster processors, it's arising because someone has discovered a fundamental flaw in the algori
Re:Not a solution (Score:3, Informative)
The user should be able to choose from several algorithms dependin
Re:Not a solution (Score:2)
Actually, in this case the algorithm IS flawed.
The issue here is not that we have more computing power, it's that someone has found a mathematical method to "beat" SHA1.
The entire point of a
Re:Not a solution (Score:5, Informative)
There's no fool-proof "solution" to this problem. The key (no pun intended) is to keep a high enough ratio between hash length (or key length) and the kind of processing power that potential crackers (including the NSA) can be thought to have access to.
Thus, as the processing power of the world increases, so do we increase the hash/key lengths. There's nothing strange about that, if you ask me -- especially considering how the required processing power increases exponentially with the hash/key length in use.
Re:Not a solution (Score:5, Insightful)
Re:Not a solution (Score:2)
RSA was never broken in the same way that SHA-1 is now
That's bullshit, 1024-bit keys were supposed to be safe for the foreseeable future ("military strength"), but increasingly better factorization algorithms have been devised over time.
Re:Not a solution (Score:2, Funny)
Re:Not a solution (Score:2)
Or..... (Score:2)
Hmmm.... methinks that perhaps moving to SHA-512 in the meantime might be a safer alternative.
Re:Not a solution (Score:2)
Why only small improvements in security? (Score:5, Funny)
Re:Why only small improvements in security? (Score:2)
Re:Why only small improvements in security? (Score:3, Funny)
Come on... (Score:4, Informative)
They did not break it. They just found a way to reduce the number of trials needed to find a collision.
Re:Come on... (Score:5, Insightful)
That is what's usually referred to as "breaking" a hash algorithm.
Re:Come on... (Score:4, Informative)
Re:Come on... (Score:5, Informative)
No, they didn't. No hash has been produced. Only a claim that they can do it in 2^69 operations. The collisions they gave were for SHA-0 and for a reduced-round version (58 rounds instead of 80) of SHA-1. Unless someone can extend the break (which is likely) then it's still quite secure.
Re:Come on... (Score:2, Interesting)
The way you describe it makes it sound like they stumbled upon a collision.
Re:Come on... (Score:2)
Re:Come on... (Score:2, Insightful)
And what exactly would you consider broken? Since when was "it don't work as we thought" not good enough?
Let me give you an example. You sign your Last Will and Testament digitally. You can do that; the courts will uphold it. Now, these fine researchers can concoct a new Will that says something different, but still appears to be signed by you.
Of course you already knew they could do that, but you thou
Re:Come on... (Score:3, Interesting)
Re:Come on... (Score:4, Insightful)
Oh, sure, lots. But if the SHA-1 is being used for, say, passwords - where all that's stored and checked is the hash - then ANY collision will do. So if you can find a collision in a day, you can break into any system using SHA-1 for password authentication in a day.
That's broken.
Re:Come on... (Score:4, Insightful)
Re:Come on... (Score:4, Informative)
Re:Come on... (Score:3, Insightful)
Re:Come on... (Score:5, Informative)
The attack on MD5 worked independently from the initial state of the cipher, i.e., any arbitrary message could be prepended to the calculated collision, and the hashes would still collide. It doesn't matter what the text before the discovered collision block is. It could be anything (plus padding to make it to a multiple of the block length.)
This makes the break a much more serious problem than simply finding two completely random messages that happen to have the same hash. It's only a guess at the moment, but I assume the SHA-1 attack will work the same way. The brief findings mentioned using the same sort of attack, hopefully the results will be similar.
(Side note 1: The term used by every cryptographer i've ever encountered is "break". Feel free to use what you want, but don't claim that "break" is for some reason incorrect. If you want to argue about it, see my prior post on "Stealing" vs. "Copyright Infringement.")
(Side note 2: Even if one was going to brute force SHA-1, you would still get the same failure mode as described. When trying all the possible hashes, you would simply use the output of SHA1 of the nefarious file as the IV in the brute-force attack. Iterated hashes, in my very uneducated opinion, are on their way out. What they will be replaced with, however, I have no idea. )
Re:Come on... (Score:2)
Re:Come on... (Score:3, Informative)
Re:Come on... (Score:2, Informative)
Jeremy
Re:Come on... (Score:3, Insightful)
Re:Come on... (Score:2)
Re:Come on... (Score:4, Interesting)
Re:Come on... (Score:3, Interesting)
Fighting the FUD....
Re:Come on... (Score:5, Interesting)
Bruce Schneier estimates that a SHA-1 collision finding machine, built along the same lines as the old DES cracker would cost $25M-$38M and could do the needed 2^69 calculations in 56 hours [schneier.com]. distributed.net has already completed a 2^64 operation challenge a few years ago, which along with Moores law puts 2^69 ops into the realm of the possible.
Fighting the FUD, indeed.
Re:Come on... (Score:2)
What's interesting about this is that a project like this [zdnet.co.uk] might actually have a chance of succeeding now.
See this link, [xbox-linux.org] section 1.2 for a little more detail on the subject.
While this doesn't help them with discovering Microsoft's private key, it could allow them to generate a modified version of a tool like GRUB who's bits hash to the same value a
Re: (Score:2, Funny)
Re:Come on... (Score:2)
Yes its still mostly secure, but do you really want to trust that "mostly"? Better to go to something better before the shit hits the fan.
the problem is still there (Score:3, Insightful)
right? correct me if im wrong.
Re:the problem is still there (Score:2)
There's always "problems", the game is making them as insignificant as possible.
Re:the problem is still there (Score:2)
[just about] => if one hash was unique for a very specific data set with data sizes larger than the hash size, one could argue that this would also be a problem in the hashing algorithm. If you were able to backconvert to password + salt from hash, that would be minusminusgood.
Re:the problem is still there (Score:2, Funny)
According to my newspeak dictionary, that'd be double-plus-ungood.
Re:the problem is still there (Score:3, Funny)
Re:the problem is still there (Score:4, Insightful)
What we should be asking ourselves is, is there a way to construct a hashing algorithm for which the OPTIMAL method for finding collisions is a brute force search? So far it hasn't been done, and it hasn't been definitely proven to be possible or impossible, either.
I see a lot of people on these forums complaining that we should "just" make a hash algorithm that is unbreakable. It's a logical impossibility. Can you fit an infinite number of things into a finite number of holes and guarantee that each hole has at most one object in it? I hope people are capable of grasping that, at least.
Re:the problem is still there (Score:3, Insightful)
It is a logical impossibility to make one that dodges the pigeonhole principle, i.e., one that is "collisionless."
This is different from whether one can be "broken," i.e., a message can be found that collides in less than brute force time (2^80 for SHA1).
Why not move sooner? (Score:5, Insightful)
It seems to me that if you start working on implementing the stronger ones BEFORE your existing one is broken?
An ounce of prevention...
Re:Why not move sooner? (Score:3, Informative)
It seems to me that if you start working on implementing the stronger ones BEFORE your existing one is broken?
Because of the chance that someone might find a weakness in the supposedly stronger one before a weakness is found in the supposedly weaker one.
Since you don't know which algorithm is going to be broken first, you pick one based on other advantages, like wider availability and more efficient calc
Re:Why not move sooner? (Score:2)
Jon Callas
Re:Why not move sooner? (Score:2)
Hashes major weakness is the fact that its block related. As soon as you find one block you can swap out in a file, then the rest doesn't matter at all. A hash that can keep state is much harder to mess with but that gets rid of the ability to hash as stream process.
Re:Why not move sooner? (Score:2)
i'm no crypto expert... (Score:2, Insightful)
if its broken once - all you get is another hash and with no way of telling if you`ve cracked it or not, its useless
Re:i'm no crypto expert... (Score:4, Informative)
ie. say it takes n time to crack a hash, then cracking a hash of a hash would take 2n...
O(2n) is still O(n)
Of course that's assuming they aren't doing it by "eye" and they have some sort of solid algorithm to do it.
- shazow
Re:i'm no crypto expert... (Score:2)
Re:i'm no crypto expert... (Score:2)
Re:i'm no crypto expert... (Score:5, Insightful)
Because breaking the hash means finding two documents resulting in the same hash. If the first hash ist the same for both documents all hashes of hashes will be the same too.
What you could do is using different hash-algos, but it increases the amount of code to be managed and reviewed thoroughly (security by obscurity rarely works). And it increases the size of the digest - SHA-256 does that too but it keeps the algorithm simple.
Bah. (Score:3, Funny)
Re:Bah. (Score:4, Funny)
Re:Bah. (Score:5, Funny)
Are ROT-13 jokes still +1 funny?
I thought we had moved past ROT-13 and ROT-26 and you had to posit ROT-39 or up in order to get a rise out of people.
-a
Re:Bah. (Score:4, Funny)
Re:Bah. (Score:3, Funny)
Found 2ROT-13 insecure, use 3ROT-13 instead (Score:2, Funny)
Re:Bah. (Score:2)
Have to buy it again? (Score:3, Interesting)
Re:Have to buy it again? (Score:2)
What about GPG? (Score:2)
Re:What about GPG? (Score:5, Informative)
Re:What about GPG? (Score:5, Informative)
Just to confirm, GPG 1.4 DOES support the more-bits versions of SHA. Run GPG with the --version parameter to get something like this for your copy:
Re:What about GPG? (Score:2)
I don't think they've officially decided to change (Score:4, Informative)
There's a discussion about this very subject going on on the IMC's discussion list for OpenPGP [imc.org]. From reading the posts, particularly the ones by PGP's Jon Callas, I don't think that PGP has officially decided to implement this change just yet. (On the list, the thread titled "SHA-1 broken" is the one you will want to follow.)
But then, I could have missed something.
SHA-1 break illustrated.. (Score:5, Interesting)
Atom Smasher atom at smasher.org
Wed Feb 16 21:56:25 CET 2005
Hash: SHA256
this should help put the (alleged until proven otherwise) SHA-1 break into
perspective. thanks to Sascha Kiefer for giving me the idea.
let's say that unbroken SHA-1 represents a 100 meter (328 ft) wall. if a
break allows a collision to be found in merely 2^69 operations (on
average), that would mean the wall has crumbled to 4.9 cm (1.9 in) tall.
that's broken!!
OTOH, let's say that unbroken MD5 represents a 100 meter (328 ft) wall.
comparing unbroken MD5 to broken SHA-1 means the wall would actually grow
from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall. SHA-1, even if
it's broken enough to find a collision in 2^69 operations (on average), is
still stronger than MD5 was ever meant to be.
again, using unbroken MD5 as our reference of a 100 meter (328 ft) wall,
unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was
intended to be incredibly stronger than MD5.
- --
Missing details to complete the perspective (Score:5, Insightful)
Adding to what you've said, if the cumbled SHA-1 wall is 4.9 cm (1.9 in) tall, our current average reach of scaling the wall is still a few nano metres.
It appears as if that 4.9 cm wall is very scalable, but it still isn't easily scalable.
Quoting Bruce Schneier's quote of what Jon Callas, PGP's CTO said: "It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off."
Re:SHA-1 break illustrated.. (Score:2)
Meanwhile, in the real world.... (Score:2, Insightful)
Re:Meanwhile, in the real world.... (Score:2)
so basically "This is a message" produced the same hash as "This is another message "©{"
Phones tapped? (Score:4, Insightful)
I can't think of any intelligence agency that that wouldn't like a few days head start with any more findings these guys come up with.
I'm not really headed anywhere specfic with this comment, other than getting this thought out there. People have been bugged to gain access to much less exciting information than this. [spybusters.com]
Re:Phones tapped? (Score:2)
Secure Hash Algorithm 1 (Score:2)
SHA-1 Hash Algorithm [ietf.org] and Source Code [cr0.net]
They started last September (Score:2)
Jon Callas
So they were actually ahead of things, not reacting to the break.
GnuPG has this already (Score:4, Interesting)
Incidentally, despite what the article implies, PGP has actually had SHA-256 support for a while now. It's not exposed in the GUI, but if you use GnuPG to generate a SHA-256 message, PGP can handle it.
In terms of what the SHA-1 "break" means, it is certainly time to start migrating to something stronger, but it is not time to panic and start revoking keys. Think of this as the MD5 situation in the late 1990s: a flaw was found, people migrated away, and when the serious MD5 crack was found last year, most people had already stopped using it.
The sky isn't falling. It's just a wake up call to start moving to something better.
Clearing up some misconceptions (Score:3, Informative)
Re:I'm all for encyrption (Score:2, Insightful)
I would still rather see people encrypt all their data than to send (even potentially) sensitive data in plain text. Sure, the best option would be educating people on what is really important, and thus worth encrypting, but a lot of people can't seem to grasp the concept of privacy/security. I know people who would submit a credit card number to some shady website over plain HTTP, without even looking on the page for a privacy policy.
Granted, it is borderl
Re:I'm all for encyrption (Score:2)
Perl scripts, on the other hand, are clearly far too illegible to be considered plaintext.
Re:I'm all for encyrption (Score:3, Insightful)
The US's encryption policy has been undermined because it's stupid. Canada and Mexico are only two of the dozens of countries that agree with my assessment.
Even if the USA were the only source of strong crypto (Not the case. Rijndael aka AES comes from Belgium.) or ev
Re:Collisions (Score:3, Insightful)
Two reasons:
Note that there are circumstances where you don't care about this, because the original data is public and you
Re:This reminds me... (Score:2)
Which is the whole point of this research in the first place--making stronger algorithms by attempting to break the current ones. Unless funded by a government or similarly large entity, nobody is going to be breaking your SHA-1 hashes any time in the near future. The private-sector crypto community has developed very rapidly over the la
Re:This reminds me... (Score:2)
Re:This reminds me... (Score:3, Informative)
Re:This reminds me... (Score:3, Informative)
Let's look at the second one first:
1. No matter how brainy you are, it requires a computer (now-a-days) to break any kind of cryptology which is in place.
2. No matter how smart you may be, you won't be able to test your premise without the usage of a computer. Further, it is not so much hard core number crunching (as in testing each
Re:This reminds me... (Score:2)
Re:This reminds me... (Score:3, Informative)