Friday, February 25, 2005
Encryption: SHA-1 broken. (Be afraid, be very afraid!)
The news broke last week on Slashdot.
Essentially, SHA-1 is a (one-way) hash algorithm used in many electronic communications.
Two of the most commonly used are MD5 and SHA-1. The accepted difference between these two algorithms is that MD5 is faster but offers less security than SHA-1 (less security meaning that it can be broken in less time).
Other secure hash algorithms are MD2, MD4, HAVAL, RIPEMD-128/160/256/320, HAS-160, Tiger, etc.
Before going further, let's differentiate a bit between some of this encryption jargon...
Hash algorithms are computations/operations that convert a message into a hash value, but only one way. Meaning, [F(m) = H]: a hash function F applied to a message m produces H, but you can't derive m from the hash value (H) and the hash function (F)... (Well, now we know that you can)
Encryption or cryptographic algorithms like RC4, Blowfish, DES, 3DES and AES are typically more complex algorithms which are reversible and use secret keys.
[Tidbits]
Blowfish, DES, 3DES (Triple DES) and AES (Advanced Encryption Standard) are block ciphers, as opposed to stream ciphers like RC4 and A5 (A5, by the way, is the algorithm used to encrypt GSM communications).
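To make the hash-versus-cipher distinction concrete, here is an added example (not part of the original post): it hashes a message with MD5, SHA-1 and SHA-256 using Python's `hashlib`, then encrypts and decrypts the same message with a small RC4 implementation. The function names and sample messages are constructed for illustration; RC4 appears only because the post names it as a stream cipher.

```python
import hashlib

def digests(message: bytes) -> dict:
    """Hash with MD5, SHA-1 and SHA-256. No key is involved, and the
    digest length is fixed per algorithm regardless of message length."""
    return {name: hashlib.new(name, message).hexdigest()
            for name in ("md5", "sha1", "sha256")}

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher. XOR with a keystream is its own inverse, so the
    same call both encrypts and decrypts when given the same secret key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm (KSA): permute 0..255 under the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR keystream into data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

if __name__ == "__main__":
    message = b"Plaintext"   # constructed sample message
    key = b"Key"             # constructed sample key

    # Hashing: F(m) = H. The API offers no function that goes from H to m.
    for name, hexdigest in digests(message).items():
        print(f"{name:7s} {len(hexdigest) * 4:3d} bits  {hexdigest}")

    # A one-byte change in m gives an unrelated-looking H.
    print("sha1 of changed message:", digests(b"Plaintexu")["sha1"])

    # Encryption: reversible, but only with the secret key.
    ciphertext = rc4(key, message)
    print("ciphertext:", ciphertext.hex())
    print("decrypted with right key:", rc4(key, ciphertext))
    print("decrypted with wrong key:", rc4(b"Kez", ciphertext))
```

The digest lengths it prints (128, 160 and 256 bits) are the output sizes of MD5, SHA-1 and SHA-256 respectively.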
Now the bad news is, SHA-1 is used in many cryptographic protocols like SSH (secure remote access), SSL (secure HTTP), S/MIME (secure email), PGP (public key encryption), IPSec, VPNs, database passwords, etc.
So be afraid, be very afraid!? ...Well, not really, at least not for now. SHA-1 hashes are usually just one part of these cryptographic protocols, and the session lifetimes of these types of communications are just too short. The initial recommendation is to switch to SHA-256.
You can check out the details of this crypto algorithm biting the dust at
http://www.itnetcentral.com/pcworld/article.asp?id=14299
(Yey! It's a holiday tomorrow!) :)