Security Basics mailing list archives

Re: sha-1 cryptography

From: Saqib Ali <docbook.xml () gmail com>
Date: Fri, 23 Dec 2005 12:58:38 -0800

When you say "broken" do you mean a "Pre-image" attack or a
"Collision" attack. The distinction is very critical when using a
hashing algorithm in cryptography.

See definition of each type attack below:
http://en.wikipedia.org/wiki/Collision_attack
http://en.wikipedia.org/wiki/Pre-image_attack

From your post I think you are refering to "Collision" attack.

Collision attacks are possible but it is very very complex to mount a
"USEFUL" attack using Collision.

For e.g. Pre-image attack is  required for tempering with arbitrary
(given) piece of code from a legitimate vendor that has been Digitally
Signed. A collision attack on code-signing will work only if the
attacker is writing both the innocuous and the malicious programs. In
that case why would you trust even a innocuous program from an
attacker (known mal-ware developer) ????

For simple hashing of passwd I think SHA-1 is still more than enough.

I understand that SHa-1 cryptography has been broken by the same person who
broke MD5, xiaoyun Wang.  So what does that mean for password security and
credit card transactions etc.  Does that mean we will need to look for other
stronger cryptography solutions and if yes what do you recommend, especially
for passwords?



--
Saqib Ali, CISSP
http://www.xml-dev.com/blog/
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------

Current thread:

sha-1 cryptography Enquiries (Dec 21)
- Re: sha-1 cryptography Marcos Marado (Dec 26)
- RE: sha-1 cryptography David Gillett (Dec 26)
- Re: sha-1 cryptography Bennett Todd (Dec 26)
- Re: sha-1 cryptography Saqib Ali (Dec 26)
- <Possible follow-ups>
- RE: sha-1 cryptography Zachary Richmond (Dec 26)