| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Mar 2007 18:45:19 +0300 From: 3APA3A <3APA3A@...URITY.NNOV.RU> To: "Michael Silk" <michaelslists@...il.com> Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>, Secure Coding <SC-L@...urecoding.org> Subject: Re: Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1) Dear Michael Silk, First, by reading 'crack' I thought lady can recover full message by it's signature. After careful reading she can bruteforce collisions 2000 times faster. SHA-1 is 160 bit hash. Bruteforced 2000 times faster, it retains the strength of 149-bit hash for bruteforce collision attack (150 bit for birthday attack) by given text (MD5 is 128 bit). Great achievement. This can only be treated seriously by US court, like it was with MD5 :) --Wednesday, March 21, 2007, 12:37:27 PM, you wrote to SC-L@...urecoding.org: MS> Awesome. MS> ------------------- MS> <http://en.epochtimes.com/tools/printer.asp?id=50336> MS> The Epoch Times MS> Home > Science & Technology MS> Chinese Professor Cracks Fifth Data Security Algorithm MS> SHA-1 added to list of "accomplishments" MS> Central News Agency MS> Jan 11, 2007 MS> Associate professor Wang Xiaoyun of Beijing's Tsinghua University and MS> Shandong University of Technology has cracked SHA-1, a widely used data MS> security algorithm. (Daniel Berehulak/Getty Images) MS> TAIPEI-Within four years, the U.S. government will cease to use SHA-1 MS> (Secure Hash Algorithm) for digital signatures, and convert to a new and MS> more advanced "hash" algorithm, according to the article "Security MS> Cracked!" from New Scientist . The reason for this change is that MS> associate MS> professor Wang Xiaoyun of Beijing's Tsinghua University and Shandong MS> University of Technology, and her associates, have already cracked SHA-1. MS> Wang also cracked MD5 (Message Digest 5), the hash algorithm most commonly MS> used before SHA-1 became popular. Previous attacks on MD5 required over a MS> million years of supercomputer time, but Wang and her research team MS> obtained results using ordinary personal computers. MS> In early 2005, Wang and her research team announced that they had MS> succeeded MS> in cracking SHA-1. In addition to the U.S. government, well-known MS> companies MS> like Microsoft, Sun, Atmel, and others have also announced that they will MS> no longer be using SHA-1. MS> Two years ago, Wang announced at an international data security conference MS> that her team had successfully cracked four well-known hash MS> algorithms-MD5, MS> HAVAL-128, MD4, and RIPEMD-within ten years. MS> A few months later, she cracked the even more robust SHA-1. MS> Focus and Dedication MS> According to the article, Wang's research focusses on hash algorithms. MS> A hash algorithm is a mathematical procedure for deriving a 'fingerprint' MS> of a block of data. The hash algorithms used in cryptography are MS> "one-way": MS> it is easy to derive hash values from inputs, but very difficult to work MS> backwards, finding an input message that yields a given hash value. MS> Cryptographic hash algorithms are also resistant to "collisions": that is, MS> it is computationally infeasible to find any two messages that yield the MS> same hash value. MS> Hash algorithms' usefulness in data security relies on these properties, MS> and much research focusses in this area. MS> Recent years have seen a stream of ever-more-refined attacks on MD5 and MS> SHA-1-including, notably, Wang's team's results on SHA-1, which permit MS> finding collisions in SHA-1 about 2,000 times more quickly than MS> brute-force MS> guessing. Wang's technique makes attacking SHA-1 efficient enough to be MS> feasible. MS> MD5 and SHA-1 are the two most extensively used hash algorithms in the MS> world. These two algorithms underpin many digital signature and other MS> security schemes in use throughout the international community. They are MS> widely used in banking, securities, and e-commerce. SHA-1 has been MS> recognized as the cornerstone for modern Internet security. MS> According to the article, in the early stages of Wang's research, there MS> were other researchers who tried to crack it. However, none of them MS> succeeded. This is why in 15 years hash research had become the domain of MS> hopeless research in many scientists' minds. MS> Wang's method of cracking algorithms differs from others'. Although such MS> analysis usually cannot be done without the use of computers, according to MS> Wang, the computer only assisted in cracking the algorithm. Most of the MS> time, she calculated manually, and manually designed the methods. MS> "Hackers crack passwords with bad intentions," Wang said. "I hope efforts MS> to protect against password theft will benefit [from this]. Password MS> analysts work to evaluate the security of data encryption and to search MS> for MS> even more secure MS> algorithms." MS> "On the day that I cracked SHA-1," she added, "I went out to eat. I was MS> very excited. I knew I was the only person who knew this world-class MS> secret." MS> Within ten years, Wang cracked the five biggest names in cryptographic MS> hash MS> algorithms. Many people would think the life of this scientist must be MS> monotonous, but "That ten years was a very relaxed time for me," she says. MS> During her work, she bore a daughter and cultivated a balcony full of MS> flowers. The only mathematics-related habit in her life is that she MS> remembers the license plates of taxi cabs. MS> With additional reporting by The Epoch Times. -- ~/ZARAZA http://securityvulns.com/ Èòàê, ÿ áóäó êðàòîê. (Òâåí) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists