Security Basics mailing list archives
Re: sha-1 cryptography
From: Saqib Ali <docbook.xml () gmail com>
Date: Fri, 23 Dec 2005 12:58:38 -0800
When you say "broken" do you mean a "Pre-image" attack or a "Collision" attack. The distinction is very critical when using a hashing algorithm in cryptography. See definition of each type attack below: http://en.wikipedia.org/wiki/Collision_attack http://en.wikipedia.org/wiki/Pre-image_attack
From your post I think you are refering to "Collision" attack.
Collision attacks are possible but it is very very complex to mount a "USEFUL" attack using Collision. For e.g. Pre-image attack is required for tempering with arbitrary (given) piece of code from a legitimate vendor that has been Digitally Signed. A collision attack on code-signing will work only if the attacker is writing both the innocuous and the malicious programs. In that case why would you trust even a innocuous program from an attacker (known mal-ware developer) ???? For simple hashing of passwd I think SHA-1 is still more than enough.
I understand that SHa-1 cryptography has been broken by the same person who broke MD5, xiaoyun Wang. So what does that mean for password security and credit card transactions etc. Does that mean we will need to look for other stronger cryptography solutions and if yes what do you recommend, especially for passwords?
-- Saqib Ali, CISSP http://www.xml-dev.com/blog/ "I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15 --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ----------------------------------------------------------------------------
Current thread:
- sha-1 cryptography Enquiries (Dec 21)
- Re: sha-1 cryptography Marcos Marado (Dec 26)
- RE: sha-1 cryptography David Gillett (Dec 26)
- Re: sha-1 cryptography Bennett Todd (Dec 26)
- Re: sha-1 cryptography Saqib Ali (Dec 26)
- <Possible follow-ups>
- RE: sha-1 cryptography Zachary Richmond (Dec 26)