Crypto researchers abuzz over flaws (News.com)

Posted Aug 18, 2004 17:38 UTC (Wed) by hamjudo (subscriber, #363)
Parent article: Crypto researchers abuzz over flaws (News.com)

In one article we find out both that MD5 is mostly broken, and that the future doesn't look so good for SHA-1.

Still, Hughes said that programmers should start moving away from MD5. "Right now the algorithm has been shown to be weak," he said. "Before useful (attacks) can be done, it's time to migrate away from it."

Off the top of my head, I can think of some denial of service attacks based on the ability to create different files with the same MD5 checksum. I'm confident that others who are smarter or more devious than I will think of some "useful (attacks)" in short order.

Where do we go from here, if we should abandon MD5, but not adopt SHA-1?

Where to, now?

Posted Aug 18, 2004 17:49 UTC (Wed) by ncm (subscriber, #165) [Link]

SHA-2, of course!

The SHA successors, for now

Posted Aug 18, 2004 17:55 UTC (Wed) by jvotaw (subscriber, #3678) [Link]

I'm sure Bruce Schneier will comment on this in the next Crypto-Gram, but my guess is: SHA-256, SHA-384 and SHA-512; they were designed after SHA-1 and hopefully are not susceptible.

-Joel

The SHA successors, for now

Posted Aug 18, 2004 18:25 UTC (Wed) by mkettler (guest, #3933) [Link]

Not necessarily. The design of SHA-256, etc., is the same as SHA-1. Thus, an algorithmic weakness in one is likely to be present in the other. The Ch(x,y,z) and Maj(x,y,z) that are the heart of the hash are the same for both.

The longer hash output makes SHA-256, etc., stronger against birthday attacks, but for algorithmic attacks you're not guaranteed any extra security over SHA-1. You might increase the complexity, you might not. It depends on what part of the math gets attacked.

You can check for yourself reading FIPS-180-2:

http://csrc.nist.gov/publications/fips/fips180-2/fips180-...
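To make the FIPS 180-2 comparison concrete, here is an added example (not from the commenter or from NIST) implementing SHA-1 in Python with its Ch, Parity and Maj round functions written exactly as the standard defines them; Ch and Maj are the same formulas SHA-256 reuses in its compression rounds, while the message schedule and the other round operations differ between the two. The result is checked against hashlib, and the test inputs are constructed here.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF  # 32-bit word size, shared by SHA-1 and SHA-256

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

# FIPS 180-2 sections 4.1.1 (SHA-1) and 4.1.2 (SHA-256) define Ch and Maj
# with identical formulas; Parity is used only by SHA-1.
def ch(x, y, z):
    return ((x & y) ^ ((~x) & z)) & MASK

def maj(x, y, z):
    return (x & y) ^ (x & z) ^ (y & z)

def parity(x, y, z):
    return x ^ y ^ z

# SHA-1 uses one (function, constant) pair for each group of 20 rounds.
ROUNDS = [(ch, 0x5A827999), (parity, 0x6ED9EBA1),
          (maj, 0x8F1BBCDC), (parity, 0xCA62C1D6)]

def sha1(message: bytes) -> str:
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    bit_len = len(message) * 8
    # Padding: a 0x80 byte, zeros up to 56 mod 64, then the 64-bit length.
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack(">Q", bit_len)
    for off in range(0, len(message), 64):
        # Message schedule: 16 words from the block, expanded to 80.
        w = list(struct.unpack(">16I", message[off:off + 64]))
        for t in range(16, 80):
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):
            f, k = ROUNDS[t // 20]
            temp = (rotl(a, 5) + f(b, c, d) + e + k + w[t]) & MASK
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{x:08x}" for x in h)

def matches_hashlib(message: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return sha1(message) == hashlib.sha1(message).hexdigest()
```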

The SHA successors, for now

Posted Aug 18, 2004 19:30 UTC (Wed) by jvotaw (subscriber, #3678) [Link]

I can believe that. This stuff is way over my head -- I should've emphasized the "hopefully" in my original message.

I was thinking of cases where people demonstrate a weakness in, say, a 9-round variant of an encryption algorithm, but feel safe with a 12- or 16-round variant, and was thinking the same thing *might* apply here.

But again, I'm way out of my depth.

-Joel

Collisions are not as benign as they seem

Posted Aug 18, 2004 19:48 UTC (Wed) by proski (subscriber, #104) [Link]

Wikipedia entry for Birthday attack describes how to exploit a hash collision for fraudulent purposes.

Collisions are not as benign as they seem

Posted Aug 19, 2004 9:18 UTC (Thu) by copsewood (subscriber, #199) [Link]

Interesting. One defence against the kind of birthday attack described in the Wikipedia entry would be to edit a contract before signing it, e.g. by altering whitespace in a very unpredictable manner. The meaning of the contract would be the same, but the cryptographic hash would be totally different.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds