Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    New Research Casts Doubts About SHA-1s Effectiveness

    By
    Dennis Fisher
    -
    February 18, 2005
    Share
    Facebook
    Twitter
    Linkedin

      A forthcoming paper by a set of Chinese security researchers lays out several newly discovered problems with the SHA-1 hash algorithm, a standard that is used the world over.

      The paper, written by three researchers at Shandong University in China, describes a series of collisions in the algorithm that can allow attackers to forge digital signatures. SHA-1, like MD5 and other similar algorithms, is used to compute a hash, or digest version of a set of data. That digest is then used to generate a digital signature.

      A collision occurs when two separate messages have the same hash value. This would in turn call into question the validity of other signatures generated by the same hash algorithm. The research done by the Shandong team—Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu—builds upon previous work on collisions in SHA-1, but their findings show that it is possible to cause collisions much faster than previously thought.

      SHA-1 is used in dozens of common applications and is the basis for the digital signature function in protocols such as SSL (Secure Sockets Layer), which is used to encrypt traffic flowing to and from millions of Web sites. The new research does not allow attackers to decrypt this traffic, but instead creates doubt about the validity of the signatures generated by the protocol.

      “This attack builds on previous attacks on SHA-0 and SHA-1, and is a major, major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a hash function for digital signatures,” Bruce Schneier, chief technology officer at Counterpane Internet Security Inc. and a noted cryptographer, wrote on his Web site this week.

      The new paper was a prime topic of conversation among the crypto community at the RSA Conference this week. Although the paper has yet to be published, many cryptographers have seen portions of it and say they are impressed by the work the Chinese team did.

      “Its a phenomenal piece of work. As cryptographers, we knew this was coming, but not this soon or this severe,” Schneier said in an interview. “When you break NSA [National Security Agency] technology, you feel doubly good because its alien technology. Its dropped in your lap, and you know nothing about it.”

      SHA-1, along with MD5, is one of the more common hash algorithms in use today, and until recently had been considered quite solid. The National Security Agency developed SHA-1 in the mid-1990s, and it received FIPS (Federal Information Processing Standard) certification as the Secure Hash Standard in 1995 from the National Institute of Standards and Technology.

      For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

      “The SHA-1 is called secure because it is computationally infeasible to find a message which corresponds to a given message digest, or to find two different messages which produce the same message digest,” NIST said in its announcement of SHA-1 as the Secure Hash Standard.

      Schneier emphasized that attacks on SHA-1 are still incredibly difficult and resource-intensive, and that newer hash algorithms, such as SHA-256, are available.

      “Its time to walk, not run, to the fire exits. You cant see the fire, but you can feel the heat,” he said. “This is at the far edge of feasibility right now. But its very serious. Hash functions are the most commonly used cryptographic primitive. Far more so than encryption. SHA-1 is everywhere.”

      Check out eWEEK.coms for the latest security news, reviews and analysis.

      Dennis Fisher

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×