
Chinese researchers cracked SHA-1
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Feb 18, 2005, 09:19 AM
 
http://www.schneier.com/blog/

A Chinese researcher team has broken SHA-1. Everything in security (digital signatures) relies on SHA-1, so nothing is secure any more in the future maybe.
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 18, 2005, 09:23 AM
 
Originally posted by TETENAL:
http://www.schneier.com/blog/

A Chinese researcher team has broken SHA-1. Everything in security (digital signatures) relies on SHA-1, so nothing is secure any more in the future maybe.
Ho Brauner, it really isn't quite that bad.

Nevertheless, crypto experts such as Schneier and Kaliski assume that SHA-1 can still be used with little concern. That is because 2^69 is still a rather large number. On special-purpose hardware a hash operation can be executed in about 40 clock cycles [1]. Even if one could speed that up from 33 MHz to 4 GHz, it would still take 170,000 years. Even a giant cluster of such machines could not find a collision within a realistic time frame of a few years. The surprising breakthrough by Wang et al., however, shows that one can no longer rest on such a cushion.
Abstract: even with the fastest clusters and great computing power, it would still take many years to falsify a SHA-1 signed document.

Incidentally, preimage attacks would also not break schemes that first sign digitally and then encrypt. Whoever cannot get at the plaintext cannot even forge an MD4 sum. Hence SSH and IPSec remain secure.
Abstract: SSH and IPSec are NOT affected and remain secure.

http://www.heise.de/security/artikel/56555

(Sorry, source only in German)

-t
(Last edited by turtle777; Feb 18, 2005 at 09:31 AM. )
     
Moderator
Join Date: Mar 2004
Location: Copenhagen
Feb 18, 2005, 09:26 AM
 
And for those of us who didn't understand a word of that blog entry (and even less the replies to it)?

     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 18, 2005, 09:29 AM
 
Originally posted by Oisín:
And for those of us who didn't understand a word of that blog entry (and even less the replies to it)?

It will be commented on in English pretty soon.
Stay tuned.

-t
     
Moderator
Join Date: Mar 2004
Location: Copenhagen
Feb 18, 2005, 09:31 AM
 
Originally posted by turtle777:
It will be commented on in English pretty soon.
Stay tuned.

-t
Oh, I didn't even see your reply come in before mine... I was actually referring to Tetenal's first post... Then again, maybe so were you
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Feb 18, 2005, 09:38 AM
 
Originally posted by Oisín:
And for those of us who didn't understand a word of that blog entry (and even less the replies to it)?

Here is the text that turtle posted, run through Sherlock's translator and cleaned up for human readability. Machine translations suck.

Nevertheless, cryptography experts such as Schneier and Kaliski assume one can still use SHA-1 without concern. 2^69 is still a very large number. Given special hardware, one can execute a hash operation in approximately 40 clock cycles [1]. Even if one could accelerate these from 33 MHz to 4 GHz, they would still need 170,000 years to crack the code. Even a giant cluster of such machines could not find a match within a more realistic time period of fewer years. The surprising breakthrough of Wang et al., however, underscores the fact that we can no longer rely on the strength of the encryption method alone for much longer.
Oh, and turtle777 said "Things aren't quite that bad yet." I can speak German at a conversational level. (My Greek cousins live in Stuttgart, and the reason for that is that my father and uncle were gastarbeiter [guest-workers] in the 1960s).
(Last edited by Person Man; Feb 18, 2005 at 10:03 AM. )
     
TETENAL (op)
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Feb 18, 2005, 09:39 AM
 
Originally posted by turtle777:
Ho Brauner, it really isn't quite that bad.
Are you calling me a nazi or what? Who do you think you are?

Abstract: SSH and IPSec are NOT affected and remain secure.
According to heise SSH is affected:

http://www.heise.de/security/artikel/56555

"SHA-1 is used by OpenPGP and S/MIME, IPSec is using it as well, as is SSH, and even the upcoming TCPA is based on the Secure Hash Algorithm. With RSA and AES, SHA-1 is the foundation of our cryptographic security infrastructure."
     
Mac Elite
Join Date: Nov 2002
Location: Ellicott City, MD
Feb 18, 2005, 09:57 AM
 
I'm not even going to pretend I'm a cryptography expert - however, I believe that attack is only against SHA-1 as a hash.

Here is an excerpt from a Listserv. BTW - Mr. Guida is the former head of Federal PKI.

Guida, Richard [JJCUS] wrote:

This is a reprise of the 3DES issue regarding the term "broken." If you wish to get on the witness stand and testify that SHA-1 is "broken," that is your right. I would look forward to helping opposing counsel cross-examine you. We all understand the need to migrate to SHA-256 or better as soon as practical; there is no need for hyperbole, which may unduly frighten people into not using digital signatures or cryptographic techniques "until all of this gets sorted out." Believe it or not, that is how some people actually think. So let's please be measured in our use of words.

Here is an excerpt from a separate post on the SAAG mail-list by Peter Gutmann which I think well captures the situation; note the first sentence in the final paragraph:

<snip>

I think it'd be better to wait a bit to get the full details. Here's a boilerplate summary I've been sending out to people who have mailed me about this (personal opinion disclaimer, etc etc):

- It only affects the use of SHA-1 as a hash function, not as a PRF or HMAC, so the core of SSH, SSL/TLS, etc etc are unaffected.

- I've seen one report that it only affects the compression function and not the full hash function, which sounds plausible. SHA-1 (and indeed all of the MD4-type UFN hashes) use a core compression function and then perform extra operations for the full hash function, so finding collisions in the full hash is somewhat more difficult than just the compression function.

- It takes 2^69 ops on average to find a second input value that produces the same output as the first one (the ambiguous phrasing here is meant to indicate that probably what's meant is that the compression function produces the same output rather than the full SHA-1 hash producing the same output, see above). The second input value can't be chosen by the attacker, so the chances of forging a signature on structured data like a certificate or CMS/PGP message are fairly remote.

So while it's a very interesting result, it's more a hint to consider moving to something else rather than time to hit the panic button. RIPEMD-160 still looks fairly secure, my gut feeling is that its dual-path construction is safer than the SHA-1 derived SHA-256 et al, but I suspect that in the light of the current work on attacking UFN-based designs we'll be seeing a pile of new non-UFN hash functions in the same way that differential cryptanalysis spurred a burst of work on new ciphers.

<snip>


Richard A. Guida
Director, Information Security
Johnson & Johnson
     
Moderator
Join Date: Mar 2004
Location: Copenhagen
Feb 18, 2005, 09:58 AM
 
Originally posted by Person Man:
Oh, and turtle777 said "Things aren't quite that bad yet." I can speak German at a conversational level. (My Greek cousins live in Stuttgart, and the reason for that is that my father and uncle were gastarbeiter [guest-workers] in the 1960s).
No no - it wasn't the German that was causing me trouble. It was the subject. My reply was to Tetenal's initial post, not turtle's reply. I can't speak German for sh*t, but I can understand it quite well, having been naturally exposed to it my whole life. I just have no idea what SHA-1 or all that stuff about 2^69 was about (I did gather it wasn't about two people 69'ing it, but that was about where I got lost).

(Who [or what] is Brauner, btw? Or rather, why does it seem to indicate Nazis? I thought "ho, Brauner" was just sort of like... "hey, dude" or something, or "easy there"?)
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Feb 18, 2005, 10:05 AM
 
Originally posted by Oisín:
No no - it wasn't the German that was causing me trouble.
I did it more for the people who couldn't understand German.
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 18, 2005, 10:26 AM
 
Originally posted by TETENAL:
Are you calling me a nazi or what? Who do you think you are?
You can't be serious, can you?

If you are: "Ho, Brauner" means roughly: just keep calm.

-t
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 18, 2005, 10:30 AM
 
Originally posted by Oisín:
No no - it wasn't the German that was causing me trouble. It was the subject. My reply was to Tetenal's initial post, not turtle's reply. I can't speak German for sh*t, but I can understand it quite well, having been naturally exposed to it my whole life. I just have no idea what SHA-1 or all that stuff about 2^69 was about (I did gather it wasn't about two people 69'ing it, but that was about where I got lost).

(Who [or what] is Brauner, btw? Or rather, why does it seem to indicate Nazis? I thought "ho, Brauner" was just sort of like... "hey, dude" or something, or "easy there"?)
Funny, you totally got lost with the blog, but at least you know what "Ho Brauner" meant

-t
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 18, 2005, 10:31 AM
 
Originally posted by TETENAL:
According to heise SSH is affected:
No, you didn't understand the issue correctly.

Originally posted by macroy:
I'm not even going to pretend I'm a cryptography expert - however, I believe that attack is only against SHA-1 as a hash.

<snip>

I think it'd be better to wait a bit to get the full details. Here's a boilerplate summary I've been sending out to people who have mailed me about this (personal opinion disclaimer, etc etc):

- It only affects the use of SHA-1 as a hash function, not as a PRF or HMAC, so the core of SSH, SSL/TLS, etc etc are unaffected.

-t
     
TETENAL (op)
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Feb 18, 2005, 10:40 AM
 
Originally posted by Oisín:
(Who [or what] is Brauner, btw? Or rather, why does it seem to indicate Nazis? I thought "ho, Brauner" was just sort of like... "hey, dude" or something, or "easy there"?)
Off topic, but for the record, brown was the uniform colour of the Nazis (SA). Therefore Nazis were called "the brown ones". I don't understand what purpose it served turtle to call me that.
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 18, 2005, 10:44 AM
 
Originally posted by TETENAL:
Off topic, but for the record, brown was the uniform colour of the Nazis (SA). Therefore Nazis were called "the brown ones". I don't understand what purpose it served turtle to call me that.
Man, dude, don't out yourself as such an idiot.

THAT IS A LEGITIMATE GERMAN SAYING which has nothing, NOTHING, ABSOLUTELY NOTHING to do with Nazis.

-t
     
Xeo
Moderator Emeritus
Join Date: Mar 2001
Location: Austin, MN, USA
Feb 18, 2005, 10:58 AM
 
Seems like breaking hashes is becoming a Chinese specialty.

Basically this has no real world impact as of right now. By that I mean, finding hash collisions isn't going to be something that can be done overnight. In fact, it would take a lot of computers to bring it even into the realm of a lifetime. So the average hacker can't make use of this info.

It's still definitely of note, though.
     
Addicted to MacNN
Join Date: Apr 2001
Location: The bottom of Cloud City
Feb 18, 2005, 11:11 AM
 
Originally posted by TETENAL:
Are you calling me a nazi or what? Who do you think you are?
Are you saying that just because someone is German they are a Nazi?

"Ahhhhhhhhhhhhhhhh"
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 18, 2005, 11:13 AM
 
Originally posted by Severed Hand of Skywalker:
Are you saying that just because someone is German they are a Nazi?
Seriously, you're getting it even WRONGER than he did
There were TWO Germans talking to EACH OTHER !

-t
     
Moderator
Join Date: Mar 2004
Location: Copenhagen
Feb 18, 2005, 11:15 AM
 
Originally posted by turtle777:
Man, dude, don't out yourself as such an idiot.

THAT IS A LEGITIMATE GERMAN SAYING which has nothing, NOTHING, ABSOLUTELY NOTHING to do with Nazis.
I can confirm this - my former flatmates said it all the time, that's how I knew what it meant. It's like "ro på, Mulle" in Danish
     
Clinically Insane
Join Date: Nov 1999
Feb 18, 2005, 11:48 AM
 
A fair number of secure applications use both MD5 and SHA-1 to validate things, and both checksums must match.

This is probably more the wave of the future, because even if each algorithm is cracked individually, cracking the combination will be much, much harder.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 18, 2005, 11:54 AM
 
Originally posted by Millennium:
A fair number of secure applications use both MD5 and SHA-1 to validate things, and both checksums must match.

This is probably more the wave of the future, because even if each algorithm is cracked individually, cracking the combination will be much, much harder.
Actually, that is not true. Just using both is not much more secure.

The fact that a longer hash value does not automatically mean more security unfortunately also applies to concatenating two different hash values over the same message, such as a combination of MD5 and SHA-1. Alternatives that use block ciphers are usually too slow.
(translated from German by Google)

http://www.heise.de/security/artikel/56555/2

-t
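The point argued in the two posts above (Millennium's idea of requiring both an MD5 and a SHA-1 match, and the heise quote that this adds little) can be shown on a small scale. The following is an added example, not code from the thread or from heise: it builds constructed 20-bit toy iterated hashes in place of MD5 and SHA-1 and uses Joux's multicollision construction to show why concatenating two Merkle-Damgård hashes is barely stronger than the stronger of the two.

```python
# Added toy demo (not from the thread or the heise article): for two iterated
# (Merkle-Damgard) hashes, H1(m)||H2(m) costs little more to collide than H2
# alone (Joux 2004). Constructed 20-bit toy hashes stand in for MD5 and SHA-1.
import hashlib
from itertools import product

def make_toy_hash(label: bytes, bits: int = 20):
    """Toy Merkle-Damgard hash; compression = truncated SHA-1(label|state|block)."""
    mask = (1 << bits) - 1
    def compress(state: int, block: bytes) -> int:
        d = hashlib.sha1(label + state.to_bytes(4, "big") + block).digest()
        return int.from_bytes(d[:4], "big") & mask
    def digest(blocks) -> int:
        state = 0
        for block in blocks:
            state = compress(state, block)
        return state
    return compress, digest

H1_COMPRESS, H1 = make_toy_hash(b"toy-md5")   # constructed stand-in for MD5
H2_COMPRESS, H2 = make_toy_hash(b"toy-sha1")  # constructed stand-in for SHA-1

def find_block_collision(compress, state: int):
    """Birthday search (about 2^10 tries at 20 bits): two blocks with equal output."""
    seen, i = {}, 0
    while True:
        block = i.to_bytes(4, "big")
        out = compress(state, block)
        if out in seen:
            return seen[out], block
        seen[out] = block
        i += 1

def joux_multicollision(compress, k: int):
    """k colliding block pairs; one block per pair gives 2^k messages, all with one H1 digest."""
    state, pairs = 0, []
    for _ in range(k):
        b1, b2 = find_block_collision(compress, state)
        pairs.append((b1, b2))
        state = compress(state, b1)  # identical for b2 by construction
    return pairs

def concatenated_collision(k: int = 13):
    """Return m1 != m2 colliding under both H1 and H2. Work: k birthday searches
    of ~2^10 tries plus 2^k * k compressions (about 2^17 here), versus 2^20 for a
    genuine 40-bit hash; at real MD5/SHA-1 sizes the gap becomes enormous."""
    seen = {}
    for msg in product(*joux_multicollision(H1_COMPRESS, k)):
        d2 = H2(msg)
        if d2 in seen:
            return seen[d2], msg  # H2 collision among messages that already collide in H1
        seen[d2] = msg
    return None
```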
     
Mac Enthusiast
Join Date: Feb 2005
Location: Why?
Feb 19, 2005, 08:40 AM
 
All that were made will be broken.
-\
.
-/
     
Moderator Emeritus
Join Date: Jan 2001
Location: In a world of Infinite Keys
Feb 19, 2005, 12:29 PM
 
This is actually a bigger problem than you're all thinking.

A Bruce Schneier article talks about the real repercussions.

"Using a modified DES Cracker, for the small sum of up to $38M, SHA-1 can be broken in 56 hours, with current computing power. In 18 months, the cost should go down by half. "

Slashdot linked to the article and there are some good posts in it as well.

You remind me my wife… why you laugh? She dead. | sasper at gmail dot com
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 19, 2005, 08:03 PM
 
Originally posted by sugar_coated:
All that were made will be broken.


Your brain already has been !

-t
     
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 21, 2005, 10:30 AM
 
Originally posted by Steve:
This is actually a bigger problem than you're all thinking.

"Using a modified DES Cracker, for the small sum of up to $38M, SHA-1 can be broken in 56 hours, with current computing power. In 18 months, the cost should go down by half. "
But all that would do is enable someone to create a document with the *SAME* hash value as an existing document. That is far from being able to exploit it in the sense of being able to *manipulate* an existing document and still get the same hash in the end.

And even if this would be possible, that still does NOT directly affect the security of SSH or IPSec.

-t
     