Wednesday, February 16. 2005
Hashing Hashed
Bruce Scheiner repoprts that a reputable team in China appears to have found significant collision problems with the SHA-1 algorithm. Of course, this is just as I revised my old article on PHP Cryptography to include a footnote on the MD5 section that SHA-1 is now the preferred hashing algorithm for security purposes. Such is life.
The truth is that while collisions may be bad news for verifying the absolute pristine uniqueness of data via a signature, many of the ways that SHA-1 and even MD5 are used in the PHP world are unlikely to be seriously affected by these vulnerabilities. So SHA-1 is not bullet proof. Does that really mean that someone shy of a postgraduate student in mathematics is going to be able to devise a different set of data that produces the same hash—let alone a different set of data that actually does something malicious in the context of the running program? Give me some statistics on that likelihood, and my sense is that the server housing the code is much more likely to be struck by lightning instead.
And then, what about using SHA-1 and MD5 signatures in combination, like many sites do to verify the veracity of downloads? How likely is it that someone will sneak in a malicious binary whose hashes collide with both signatures? How much more likely is it that the data that satisfies both hashes (if it exists) is simply garbage that won’t execute?
I could be wrong or crazy here, but I think it is very important to put security alerts in context. Saying SHA-1 is “broken” doesn’t help programmers decide what steps, if any, they need to take with existing applications that use SHA-1. I’m sure it is a valid statement in mathematics and cryptography—but what should we coders do with the information? Too soon to tell, I’m afraid—the paper is not out yet.
< Previous Entry | Next Entry >
Comments
Display comments as
(Linear | Threaded)
The attack appears to be a collision attack, and from an educated guess I’d
say that the colliding hash will be pure garbage out of the control of the
attacker. However, one might argue that this attack (should it be verified)
opens the door for other attack vectors with a different threat level - time
will tell.
It might be a little early for that statement but I’d say that if you’re
only hashing passwords with SHA-1, you’re safe. Even more so with HMAC.
Virtually no one will bother and try to compute 269 hashes to break into a
website. Chances are good that there are easier methods to gain access.
I consider the usage of PHP in the field of digital signatures and related
topics ‘rare’, so the threat of this attack probably is very low for the
average PHP guy.
The (unconfirmed) fact that SHA-1 should nonetheless be mentioned in a
mailinglist with ‘sec’ in the name
. My personal opinion.
say that the colliding hash will be pure garbage out of the control of the
attacker. However, one might argue that this attack (should it be verified)
opens the door for other attack vectors with a different threat level - time
will tell.
It might be a little early for that statement but I’d say that if you’re
only hashing passwords with SHA-1, you’re safe. Even more so with HMAC.
Virtually no one will bother and try to compute 269 hashes to break into a
website. Chances are good that there are easier methods to gain access.
I consider the usage of PHP in the field of digital signatures and related
topics ‘rare’, so the threat of this attack probably is very low for the
average PHP guy.
The (unconfirmed) fact that SHA-1 should nonetheless be mentioned in a
mailinglist with ‘sec’ in the name
. My personal opinion.Thanks to Dominique for posting this on the phpsec mailing list:
Apparently the known publishing company Heise has held an interview with
Bruce Schneier, who announced the fact that SHA-1 is broken. A german
article with some current informations is available at
http://www.heise.de/security/artikel/56555.
Quick facts from it:
- the attack appears to be valid, but is being checked further
- the threat of the attack for real world applications is considered to be
low.
- digital signatures that use SHA-1 can be considered safe in the immediate
future
- hashing of passwords (…) with SHA-1 can be considered safe as well. for
now.
- HMAC based on SHA-1 is completely unaffected
General agreement exists that it is time to start and develop a new hashing
functions, based on todays knowledge. Hash algorithms that exist today are
all based on the same (older) principles (MD4, MD5, SHA-0, SHA-1, …).
Variants of SHA (SHA-256, …) are most likely to become drop-in
replacements for SHA-1, mainly because they’re specified by NIST, although
those variants have not benefitted from as much attention from the
cryptoanalyst as SHA-1 has had.
No real alternative to SHA-1 and maybe MD5 exists as of now. Both of them
are broken. RIPEMD-160 has been broken in 2004. The algorithm ‘Whirlpool’ is
only two years old and basically untested by cryptoanalysts.
Blowfish and Twofish weren’t mentioned however. As I don’t know too much
about them I’d like to hear about them - maybe someone in this list can
enlighten the rest of us.
And with that - a good weekend to you all .
Dominique
—
[phpsec] Mailing List
Brought to you by php|architect - http://www.phparch.com
Apparently the known publishing company Heise has held an interview with
Bruce Schneier, who announced the fact that SHA-1 is broken. A german
article with some current informations is available at
http://www.heise.de/security/artikel/56555.
Quick facts from it:
- the attack appears to be valid, but is being checked further
- the threat of the attack for real world applications is considered to be
low.
- digital signatures that use SHA-1 can be considered safe in the immediate
future
- hashing of passwords (…) with SHA-1 can be considered safe as well. for
now.
- HMAC based on SHA-1 is completely unaffected
General agreement exists that it is time to start and develop a new hashing
functions, based on todays knowledge. Hash algorithms that exist today are
all based on the same (older) principles (MD4, MD5, SHA-0, SHA-1, …).
Variants of SHA (SHA-256, …) are most likely to become drop-in
replacements for SHA-1, mainly because they’re specified by NIST, although
those variants have not benefitted from as much attention from the
cryptoanalyst as SHA-1 has had.
No real alternative to SHA-1 and maybe MD5 exists as of now. Both of them
are broken. RIPEMD-160 has been broken in 2004. The algorithm ‘Whirlpool’ is
only two years old and basically untested by cryptoanalysts.
Blowfish and Twofish weren’t mentioned however. As I don’t know too much
about them I’d like to hear about them - maybe someone in this list can
enlighten the rest of us.
And with that - a good weekend to you all
.Dominique
—
[phpsec] Mailing List
Brought to you by php|architect - http://www.phparch.com
Reader Comments
Thea Swanson on "Road Sign on Interstate 5" Now Available Online
Thank you for writing this poem. It’s necessary. Peace+ Thea
(Read more...)
Katherine on What Marriage Means to Me
Beautiful. Thank you.
(Read more...)
michelle on "Road Sign on Interstate 5" Now Available Online
such a stunner. hey, you are good! xoxo, mich
(Read more...)