[ISN] Crypto researchers abuzz over flaws
isn at c4i.org
Wed Aug 18 06:54:06 EDT 2004
By Declan McCullagh
Staff Writer, CNET News.com
August 17, 2004
update: Encryption circles are buzzing with news that mathematical
functions embedded in common security applications have previously
The excitement began Thursday with an announcement that French
computer scientist Antoine Joux had uncovered a flaw in a popular
algorithm called MD5, often used with digital signatures. Then four
Chinese researchers released a paper that reported a way to circumvent
a second algorithm, SHA-0.
While their results are preliminary, these discoveries could
eventually make it easier for intruders to insert undetectable back
doors into computer code or to forge an electronic signature--unless a
different, more secure algorithm is used.
A third announcement, which was even more anticipated, took place
Tuesday evening at the Crypto 2004 conference in Santa Barbara, Calif.
The other papers also were presented at the conference.
Eli Biham and Rafi Chen, researchers at the Israel Institute of
Technology, originally were scheduled to present a paper identifying
ways to assail the security in the SHA-0 "Secure Hash Algorithm,"
which was known to have imperfections. In a presentation Tuesday
evening, however, Biham reported some early work toward identifying
vulnerabilities in the SHA-1 algorithm, which is believed to be
Biham's presentation was very preliminary, but it could call into
question the long-term future of the wildly popular SHA-1 algorithm
and spur researchers to identify alternatives.
Currently considered the gold standard of its class of algorithms,
SHA-1 is embedded in popular programs like PGP and SSL. It's certified
by the National Institute of Standards and Technology and is the only
signing algorithm approved for use in the U.S. government's Digital
Signature Standard. SHA-1 yields a 160-bit output, which is longer
than MD5's 128-bit output and is considered more secure.
Jim Hughes, general chairman of the Crypto 2004 conference, said on
Tuesday morning that the news was sufficiently important that he was
organizing the first Webcast in the conference's 24-year history.
"There are three significant rump session papers on hash collisions
that will be presented," including an update on Joux's findings,
Hughes said in a message to a cryptography-related mailing list.
"If you could find two contracts that hash out to the same signature,
you could replace one with the other and in a court of law there would
be at least an ambiguity about which one is valid," Hughes, a senior
fellow at StorageTek, said in a telephone interview. "That's a very
The MD5, SHA-0, and SHA-1 algorithms are known to computer scientists
as hash functions. They take all kinds of input, from an e-mail
message to an operating-system kernel, and generate what's supposed to
be a unique fingerprint. Changing even one letter in the input file
results in a completely different fingerprint.
Security applications rely on these fingerprints being unique. But if
a malicious attacker could generate the same fingerprint with a
different input stream, the cloned fingerprint--known as a hash
collision--would certify that software with a back door is safe to
download and execute. It would help a crook who wanted to falsely sign
an e-mail instructing that someone's bank account be emptied.
Because researchers have long known that no practical encryption
algorithm can be completely secure, they attempt to design ones that
take an inordinately long time to generate duplicate fingerprints.
SHA-1 is regarded as secure because it is not possible to knowingly
generate hash collisions using existing techniques.
The SHA-1 algorithm relies on a computer executing a routine 80 times
in an attempt to create a unique fingerprint. Biham said that he had
been been able to duplicate the fingerprint for 36 of those 80 rounds.
If vulnerabilities similar to those identified in SHA-0 are eventually
discovered in SHA-1, that would mean that attempts to forge a
fingerprint would be accelerated by about 500 million times--putting
it within theoretical reach of a network of fast PCs.
The weakness in the MD5 algorithm may be the more immediate threat.
The open-source Apache Web server product uses MD5 hashes to assure
the public that source code on dozens of mirror sites is not modified
and is safe to run. So does Sun Microsystems' Solaris Fingerprint
Database, which the company says can "verify that a true file in an
official binary distribution is being used, and not an altered version
that compromises system security."
MD5's flaws that have been identified in the past few days mean that
an attacker can generate one hash collision in a few hours on a
standard PC. To write a specific backdoor and cloak it with the same
hash collision may be much more time-intensive.
Still, Hughes says that programmers should start moving away from MD5.
"Right now the algorithm has been shown to be weak," he said. "Before
useful (attacks) can be done, it's time to migrate away from it."
More information about the ISN