SHA-1 HAS BEEN BROKEN !!!

Discussion in 'privacy technology' started by LockBox, Feb 17, 2005.

Thread Status:
Not open for further replies.
  1. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    The SHA-1 (secure hash algorithm) authentication scheme that underpins digital signatures used in SSL browser security and PGP encryption is reported to have been “broken”.
    http://www.techworld.com/security/news/index.cfm?NewsID=3156
    Bruce Schneier's take on this:
    http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

    If offered a choice, now would be the time to switch to RIPEMD-160. This won't immediately be a security threat as it would take thousands of computers doing super-computing for this broken hash to cause a problem. However, SHA-1 is history. Finished. Done. No use hashing keys now with SHA-1 only to be insecure at a future date.

    This is HUGE news in crypto.
     
  2. From what I read the new attack on SHA-1 is a preimage attack and not a collison attack, so it's main implications is purely in digital signatures for new contracts. Existing certificates should be fine. So SSL shouldnt be affected.

    Besides in the cryptoworld, broken means there is a way to do it faster than brute force, the Shandong result is faster than brute force , but still very very slow unless you are the NSA :)

    The sharks are smelling blood though....

    Heh moving from 866 bits to 128 bits is magnitudes more secure.
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Not exactly - SSL encryption has not been broken. However such services may use certificates to verify the servers they connect to and if these use SHA-1 then it could then be possible (but not easy) for an attacker to "spoof" a trusted server and intercept traffic (alert users should be able to see this occur since the spoof server would likely have a different IP address).
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    No, this is nothing to do with the IDN spoofing exploit. If someone was able to "fake" an SHA-certificate using a collision, it would affect all browsers equally.
     
Loading...
Thread Status:
Not open for further replies.