
Security Basics mailing list archives
RE: sha-1 cryptography
From: Zachary Richmond <zfrichmond () arrtmfg com>
Date: Thu, 22 Dec 2005 07:22:50 -0700
Dear All,

I understand that SHA-1 cryptography has been broken by the same person who broke MD5, Xiaoyun Wang. So what does that mean for password security and credit card transactions etc.? Does that mean we will need to look for other stronger cryptography solutions and if yes what do you recommend, especially for passwords?

Thanks,
Tallat

From my understanding I wouldn't say it is broken, yet.

Here's a quote from Bruce Schneier on his blog:

"The panel stressed that these are collision attacks and not pre-image attacks, and that many protocols simply don't care. Collision attacks are important for digital signatures, but less so for other uses of hash functions. On the other hand, this difference is only understood by cryptographers; there are issues if the public believes that SHA-1 is "broken.""

Full entry see: http://www.schneier.com/blog/archives/2005/10/nist_hash_works_2.html

Another quote from a different entry:

"Developers need to know what hash function to use in their designs. They need an answer today. (SHA-256 is what I tell people.) They'll need an answer in a year."

Full entry see: http://www.schneier.com/blog/archives/2005/11/nist_hash_works.html

I would recommend reading his blog. There is much non-computer security discussion, but he is one of the more outspoken cryptographers and tends to know what he is talking about.

Zak

Zachary Richmond
Arrt Manufacturing, LLC
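
The collision versus pre-image distinction in the quoted passage, as an added example that is not part of the original post or the quoted blog entries. It assumes a toy hash (SHA-256 truncated to 16 bits) so both searches finish in seconds; the function names and sample strings are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest width (assumption); real digests are 160+ bits


def toy_hash(data: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of SHA-256, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def collision_tries(tag: bytes, bits: int = BITS):
    """Collision search: the searcher chooses BOTH messages (the digital
    signature concern). Returns (msg1, msg2, hashes computed)."""
    seen = {}
    for i in count(1):
        msg = tag + b"-%d" % i
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i
        seen[h] = msg


def preimage_tries(target_digest: int, tag: bytes, bits: int = BITS):
    """Pre-image search: the digest is fixed in advance, as with a stored
    password hash. Returns (msg, hashes computed)."""
    for i in count(1):
        msg = tag + b"-%d" % i
        if toy_hash(msg, bits) == target_digest:
            return msg, i


def compare(trials: int = 10, bits: int = BITS):
    """Average work for each search over several independent trials."""
    coll = pre = 0
    for t in range(trials):
        tag = b"trial%d" % t
        coll += collision_tries(tag, bits)[2]
        stored = toy_hash(b"constructed-password-%d" % t, bits)  # constructed sample
        pre += preimage_tries(stored, tag, bits)[1]
    return coll / trials, pre / trials


if __name__ == "__main__":
    c, p = compare()
    print(f"{BITS}-bit toy hash: collision ~{c:.0f} hashes, pre-image ~{p:.0f} hashes")
```

Collision work grows roughly as 2^(n/2) and pre-image work as 2^n for an n-bit digest, so a shortcut for finding collisions does not by itself let anyone recover or match a fixed, stored digest.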