[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1992415133.20070321184519@SECURITY.NNOV.RU>
Date: Wed, 21 Mar 2007 18:45:19 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Michael Silk" <michaelslists@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
Secure Coding <SC-L@...urecoding.org>
Subject: Re: Chinese Professor Cracks Fifth Data Security
Algorithm (SHA-1)
Dear Michael Silk,
First, by reading 'crack' I thought lady can recover full message by
it's signature. After careful reading she can bruteforce collisions 2000
times faster.
SHA-1 is 160 bit hash. Bruteforced 2000 times faster, it retains the
strength of 149-bit hash for bruteforce collision attack (150 bit for
birthday attack) by given text (MD5 is 128 bit). Great achievement. This
can only be treated seriously by US court, like it was with MD5 :)
--Wednesday, March 21, 2007, 12:37:27 PM, you wrote to SC-L@...urecoding.org:
MS> Awesome.
MS> -------------------
MS> <http://en.epochtimes.com/tools/printer.asp?id=50336>
MS> The Epoch Times
MS> Home > Science & Technology
MS> Chinese Professor Cracks Fifth Data Security Algorithm
MS> SHA-1 added to list of "accomplishments"
MS> Central News Agency
MS> Jan 11, 2007
MS> Associate professor Wang Xiaoyun of Beijing's Tsinghua University and
MS> Shandong University of Technology has cracked SHA-1, a widely used data
MS> security algorithm. (Daniel Berehulak/Getty Images)
MS> TAIPEI-Within four years, the U.S. government will cease to use SHA-1
MS> (Secure Hash Algorithm) for digital signatures, and convert to a new and
MS> more advanced "hash" algorithm, according to the article "Security
MS> Cracked!" from New Scientist . The reason for this change is that
MS> associate
MS> professor Wang Xiaoyun of Beijing's Tsinghua University and Shandong
MS> University of Technology, and her associates, have already cracked SHA-1.
MS> Wang also cracked MD5 (Message Digest 5), the hash algorithm most commonly
MS> used before SHA-1 became popular. Previous attacks on MD5 required over a
MS> million years of supercomputer time, but Wang and her research team
MS> obtained results using ordinary personal computers.
MS> In early 2005, Wang and her research team announced that they had
MS> succeeded
MS> in cracking SHA-1. In addition to the U.S. government, well-known
MS> companies
MS> like Microsoft, Sun, Atmel, and others have also announced that they will
MS> no longer be using SHA-1.
MS> Two years ago, Wang announced at an international data security conference
MS> that her team had successfully cracked four well-known hash
MS> algorithms-MD5,
MS> HAVAL-128, MD4, and RIPEMD-within ten years.
MS> A few months later, she cracked the even more robust SHA-1.
MS> Focus and Dedication
MS> According to the article, Wang's research focusses on hash algorithms.
MS> A hash algorithm is a mathematical procedure for deriving a 'fingerprint'
MS> of a block of data. The hash algorithms used in cryptography are
MS> "one-way":
MS> it is easy to derive hash values from inputs, but very difficult to work
MS> backwards, finding an input message that yields a given hash value.
MS> Cryptographic hash algorithms are also resistant to "collisions": that is,
MS> it is computationally infeasible to find any two messages that yield the
MS> same hash value.
MS> Hash algorithms' usefulness in data security relies on these properties,
MS> and much research focusses in this area.
MS> Recent years have seen a stream of ever-more-refined attacks on MD5 and
MS> SHA-1-including, notably, Wang's team's results on SHA-1, which permit
MS> finding collisions in SHA-1 about 2,000 times more quickly than
MS> brute-force
MS> guessing. Wang's technique makes attacking SHA-1 efficient enough to be
MS> feasible.
MS> MD5 and SHA-1 are the two most extensively used hash algorithms in the
MS> world. These two algorithms underpin many digital signature and other
MS> security schemes in use throughout the international community. They are
MS> widely used in banking, securities, and e-commerce. SHA-1 has been
MS> recognized as the cornerstone for modern Internet security.
MS> According to the article, in the early stages of Wang's research, there
MS> were other researchers who tried to crack it. However, none of them
MS> succeeded. This is why in 15 years hash research had become the domain of
MS> hopeless research in many scientists' minds.
MS> Wang's method of cracking algorithms differs from others'. Although such
MS> analysis usually cannot be done without the use of computers, according to
MS> Wang, the computer only assisted in cracking the algorithm. Most of the
MS> time, she calculated manually, and manually designed the methods.
MS> "Hackers crack passwords with bad intentions," Wang said. "I hope efforts
MS> to protect against password theft will benefit [from this]. Password
MS> analysts work to evaluate the security of data encryption and to search
MS> for
MS> even more secure
MS> algorithms."
MS> "On the day that I cracked SHA-1," she added, "I went out to eat. I was
MS> very excited. I knew I was the only person who knew this world-class
MS> secret."
MS> Within ten years, Wang cracked the five biggest names in cryptographic
MS> hash
MS> algorithms. Many people would think the life of this scientist must be
MS> monotonous, but "That ten years was a very relaxed time for me," she says.
MS> During her work, she bore a daughter and cultivated a balcony full of
MS> flowers. The only mathematics-related habit in her life is that she
MS> remembers the license plates of taxi cabs.
MS> With additional reporting by The Epoch Times.
--
~/ZARAZA http://securityvulns.com/
Èòàê, ÿ áóäó êðàòîê. (Òâåí)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists