?

Log in

No account? Create an account

Previous Entry | Next Entry

SHA-1 Broken

Interesting: SHA-1 encryption has been broken. SHA-1 is a key component to many cryptographic protocols (PGP, SSH, cryptography used for online shopping, e.g.). At this point, it's not really something to be worried about because it takes very large resources to break it, but we all know that computers are constantly improving, so what looks like large resources now will be considered small resources in the future. Expect work to be done to improve the underlying algorithms.

Thanks to Beginners' Guide to Cryptography (begin_crypto) for pointing it out and providing links to additional information about the matter.

Comments

cramer
Feb. 21st, 2005 02:12 am (UTC)
(It was on slashdot some time ago and Schneider's blog before that.)

While SSH-2 uses SHA-1, it's only for initial key passing and verification -- Message Authentication Code (MAC). The actual traffic is still 3des, aes, etc. Being able to meaningfully compromise a packet is an even bigger problem as one would need a copy of every packet since the connection was established (rekeying can occur at any time.) So, unless someone is *really* determined to steal your account -- for an estimated 38M$ and 56hrs in cracking hardware and time -- we're all safe.

I'll have to check, but I don't think SSL uses SHA-1.

IPSec (ISAKMP) can use SHA-1, but the key lifetime will usually be far less than the time needed to crack it. But that's not saying someone couldn't record your traffic and then play it back later once the keys were in hand. For example, my setup was configured for an 8hr lifetime. BTW, it's usually easier to compromise the random number generator used to create the keys in the first place (few people use quality random number generators.)
drmellow
Feb. 21st, 2005 03:22 pm (UTC)
Thanks for the ellaboration. I tend to not catch things on /. unless someone points it out to me.... Cryptography is pretty interesting to me, but I just don't have time to really devote myself to learning all the ends and outs.
bodnej
Feb. 22nd, 2005 12:12 am (UTC)
If you are interested, you might want to pick up "The Code Book" by Simon Singh. It's the history of cryptography, and enough of the math to help you understand the concepts. Well written and very interesting...

http://www.amazon.com/exec/obidos/ASIN/0385495323/104-9621413-7289534

Latest Month

June 2013
S M T W T F S
      1
2345678
9101112131415
16171819202122
23242526272829
30      

Page Summary

Powered by LiveJournal.com
Designed by Tiffany Chow