RE: sha-1 cryptography

["David Gillett" <gillettdavid () fhda edu>]

  MD5 and SHA-1 are not used to ensure Confidentiality, but to
check Integrity.  So it's not appropriate to use them to secure
the confidentiality of passwords or credit card numbers or the
like.  They are routinely used with plaintext versions of the
hashed data.
  The two cases where they are useful are to demonstrate
cryptographically:

(a) that THIS group of bits is the same as THAT group of bits
    e.g., this image that I've done my forensic analysis on
          is an exact copy of the contents of the hard drive
          in the defendant's computer

(b) that THIS message was "signed" by someone who had access to
    the private key which corresponds to the public key that
    THAT certificate authority asserts belongs to THAT entity
    e.g., this message is really from Alice, because somebody
          used her private key (which only she should have) to
          encrypt a *correct hash* of the message

  The breakage is that the correspondences are no longer certain
to be unique; this drive image might be of a different drive, this
digital signature might have been copied from a different message.

  Solutions are basically two:

1.  There are new stronger SHA versions available.

2.  It will be a while before anyone can reliably break *both*
    hashes with the same data bits.  So, for instance, forensic
    examiners can start using both MD5 and SHA-1 together to 
    establish fidelity of images.

David Gillett
 

> -----Original Message-----
> From: Enquiries [mailto:enquiries () globalart4u com] 
> Sent: Tuesday, December 20, 2005 10:37 AM
> To: Security-Basics (E-mail)
> Subject: sha-1 cryptography
>
> Dear All
>
> I understand that SHa-1 cryptography has been broken by the 
> same person who broke MD5, xiaoyun Wang.  So what does that 
> mean for password security and credit card transactions etc.  
> Does that mean we will need to look for other stronger 
> cryptography solutions and if yes what do you recommend, 
> especially for passwords?
>
> thanks
>
> Tallat
>
>
> www.macklamm.com - moving to brussels? looking for accommodation?
> www.globalart4u.com - art and crafts - give the gift of 
> originality www.macklamm.org - latest list of vat exempt gold 
> coins for investment now available
>
> --
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.1.371 / Virus Database: 267.14.1/207 - Release 
> Date: 19/12/05
>
>
>
> --------------------------------------------------------------
> -------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE 
> The Norwich University program offers unparalleled Infosec 
> management education and the case study affords you unmatched 
> consulting experience. 
> Tailor your education to your own professional goals with 
> degree customizations including Emergency Management, 
> Business Continuity Planning, Computer Emergency Response 
> Teams, and Digital Investigations. 
>
> http://www.msia.norwich.edu/secfocus
> --------------------------------------------------------------
> --------------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------