Security Basics mailing list archives
RE: sha-1 cryptography
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 22 Dec 2005 09:34:33 -0800
MD5 and SHA-1 are not used to ensure Confidentiality, but to check Integrity. So it's not appropriate to use them to secure the confidentiality of passwords or credit card numbers or the like. They are routinely used with plaintext versions of the hashed data. The two cases where they are useful are to demonstrate cryptographically: (a) that THIS group of bits is the same as THAT group of bits e.g., this image that I've done my forensic analysis on is an exact copy of the contents of the hard drive in the defendant's computer (b) that THIS message was "signed" by someone who had access to the private key which corresponds to the public key that THAT certificate authority asserts belongs to THAT entity e.g., this message is really from Alice, because somebody used her private key (which only she should have) to encrypt a *correct hash* of the message The breakage is that the correspondences are no longer certain to be unique; this drive image might be of a different drive, this digital signature might have been copied from a different message. Solutions are basically two: 1. There are new stronger SHA versions available. 2. It will be a while before anyone can reliably break *both* hashes with the same data bits. So, for instance, forensic examiners can start using both MD5 and SHA-1 together to establish fidelity of images. David Gillett
-----Original Message----- From: Enquiries [mailto:enquiries () globalart4u com] Sent: Tuesday, December 20, 2005 10:37 AM To: Security-Basics (E-mail) Subject: sha-1 cryptography Dear All I understand that SHa-1 cryptography has been broken by the same person who broke MD5, xiaoyun Wang. So what does that mean for password security and credit card transactions etc. Does that mean we will need to look for other stronger cryptography solutions and if yes what do you recommend, especially for passwords? thanks Tallat www.macklamm.com - moving to brussels? looking for accommodation? www.globalart4u.com - art and crafts - give the gift of originality www.macklamm.org - latest list of vat exempt gold coins for investment now available -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.14.1/207 - Release Date: 19/12/05 -------------------------------------------------------------- ------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus -------------------------------------------------------------- --------------
--------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ----------------------------------------------------------------------------
Current thread:
- sha-1 cryptography Enquiries (Dec 21)
- Re: sha-1 cryptography Marcos Marado (Dec 26)
- RE: sha-1 cryptography David Gillett (Dec 26)
- Re: sha-1 cryptography Bennett Todd (Dec 26)
- Re: sha-1 cryptography Saqib Ali (Dec 26)
- <Possible follow-ups>
- RE: sha-1 cryptography Zachary Richmond (Dec 26)