Watch Out about SSL and Also md5(). Use sha1() Instead

Posted: Tue Dec 30, 2008 11:56 pm
by volomike
Read this...

http://hackaday.com/2008/12/30/25c3-hac ... -200-ps3s/

So basically, some guys in China have figured out how to make two separate files have the same md5 hash. Okay, that blows usage of md5() in PHP. Next, some other guys recently used that technique on a larger scale and were able to mimic Verisign certs for websites without having to pay Verisign. (Gosh, almost makes you want to go off and make one for all your sites, doesn't it?) Yeah, and that's a problem because now a guy with some advanced equipment in a van outside a wireless cafe can spoof PayPal or a bank site, even making it have an authentic Verisign cert that isn't authentic.

So, the advice is to use sha1() instead of md5() in PHP, but then we're likely to see improvements on SSL come forward out of this. I just hope it won't slow down the Internet, and that no one gets hacked while the Internet committees are working on the security improvements.

Oh, and as a side note, the RIAA is using the md5() algorithm in their court cases against illegal file sharers. They are impounding the evidence, performing an md5() hash check on all system files, and if they find a match and see that this was evidently shared from the same IP and that the person had a file sharing program on their PC, they are claiming the user broke the law. Well, now one can use this info I have here about md5() to show that finding an md5() file match is not proof alone that the file on the hard drive was not the one shared by that IP at that prior time.

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Posted: Wed Dec 31, 2008 1:03 am
by Peter Anselmo
I like the Wall of PS3's. Let's give a cheer to Sony & Microsoft's business model that gives us computer hardware below cost.

It's a familiar cycle with encryption:

New stronger encryption introduced -> Computers get faster -> Encryption is broken -> New stronger encryption introduced...

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Posted: Wed Dec 31, 2008 2:50 am
by alex.barylski
PayPal or a bank site, even making it have an authentic Verisign cert that isn't authentic.
I Googled out of curiosity and found this: http://news.cnet.com/8301-1009_3-101296 ... riesArea.1

Yikes. I won't be doing any online banking for a while :P

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Posted: Wed Dec 31, 2008 8:14 am
by kaisellgren
Finally.

I was waiting for this to happen. MD5 was broken ever since '04, so it took roughly 5 years to exploit MD5 for 'valid' certificates.

In my opinion, moving from MD5 to SHA-1 is not a good choice.

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Posted: Wed Dec 31, 2008 10:47 am
by volomike
kaisellgren wrote: In my opinion, moving from MD5 to SHA-1 is not a good choice.
I'm actually not that familiar with the pluses and minuses of sha1() vs. md5() except sha1() generates a longer result than the other and sha1() hasn't been hacked yet that I'm aware of.

So, fill me in if you could, please.

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Posted: Wed Dec 31, 2008 11:08 am
by kaisellgren
volomike wrote:
kaisellgren wrote: In my opinion, moving from MD5 to SHA-1 is not a good choice.
I'm actually not that familiar with the pluses and minuses of sha1() vs. md5() except sha1() generates a longer result than the other and sha1() hasn't been hacked yet that I'm aware of.

So, fill me in if you could, please.
I am very aware of the performance drop when using higher level hashes like SHA-3, RSA 2048-bit or something else, because I have tested it myself on a busy site.

Still, servers are getting better and better, same applies to personal computers. We should jump over SHA-1 at once.

I am so excited about powerful yet cheap servers nowadays; SSDs are coming soon too :D There's already one host using them at production level.

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Posted: Thu Jan 01, 2009 10:13 am
by Mordred
The same Chinese team who found problems with MD5 has also found problems with SHA-1 (not the same ones IIRC). That's why the SHA-2 functions are currently recommended for use (SHA-256 in particular) and there is another public competition for a new hash function out there (Go go Bruce Schneier ;) )

As for the SHA-2 functions being slower, I'll loosely quote Schneier, that we have enough fast and insecure systems out there.

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Posted: Thu Jan 01, 2009 11:34 am
by volomike
Here's how to do sha2() since PHP doesn't have it:

on versions of PHP earlier than 5.1.2 (needs the mhash extension)...
    class Hasher { // any class will do; the method was posted as a static member
        public static function sha2($s) {
            // mhash() returns the raw digest; bin2hex() turns it into the same
            // hex string that hash('sha256', ...) produces, so both versions agree
            return bin2hex(mhash(MHASH_SHA256, $s));
        }
    }
on versions of PHP after that...
    class Hasher {
        public static function sha2($s) {
            return hash('sha256', $s);
        }
    }

SOURCES:
http://us3.php.net/manual/en/function.sha1.php#71213
http://www.php.net/manual/en/ref.hash.php

To see the full range of hash algorithms you might have, check out:

print_r(hash_algos());

On my PHP on Ubuntu 8.0.4.1 workstation, I get:

Array ( [0] => md2 [1] => md4 [2] => md5 [3] => sha1 [4] => sha256 [5] => sha384 [6] => sha512 [7] => ripemd128 [8] => ripemd160 [9] => ripemd256 [10] => ripemd320 [11] => whirlpool [12] => tiger128,3 [13] => tiger160,3 [14] => tiger192,3 [15] => tiger128,4 [16] => tiger160,4 [17] => tiger192,4 [18] => snefru [19] => gost [20] => adler32 [21] => crc32 [22] => crc32b [23] => haval128,3 [24] => haval160,3 [25] => haval192,3 [26] => haval224,3 [27] => haval256,3 [28] => haval128,4 [29] => haval160,4 [30] => haval192,4 [31] => haval224,4 [32] => haval256,4 [33] => haval128,5 [34] => haval160,5 [35] => haval192,5 [36] => haval224,5 [37] => haval256,5 )

...and then there's also mcrypt(), but that's if you want to create something you can encrypt and unencrypt. Instead, the hash is a one-way thing where you encrypt with no way back, and use that to compare against an already known value.

BTW, on my Ubuntu workstation, it says I have this available for me from mcrypt after doing print_r(mcrypt_list_algorithms());.

Array ( [0] => cast-128 [1] => gost [2] => rijndael-128 [3] => twofish [4] => arcfour [5] => cast-256 [6] => loki97 [7] => rijndael-192 [8] => saferplus [9] => wake [10] => blowfish-compat [11] => des [12] => rijndael-256 [13] => serpent [14] => xtea [15] => blowfish [16] => enigma [17] => rc2 [18] => tripledes )

One can also use crc32 and tack on that value somehow as a parse-able prefix or suffix so that you have a double check to ensure one didn't disturb the hash improperly.

So, a lot to think about. I mean, for me, I like shorter strings, so I might be inclined to add some known random value slots in the prefix or suffix, such as the first 5 numbers are bogus and random. And then I might add a crc32 (parse-ably placed, of course) so that I could check the integrity of the hash coming into me. This ensures that I have the smallest hash possible. By using that technique, you might be able to keep using md5().
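The sha2() helper and the hash_algos() listing above show how to compute a SHA-256 digest; what a site moving off md5() also needs is a way to tell, for each stored value, which algorithm produced it, so old records can be verified and re-hashed as they are seen instead of all at once. The following is an added example, not code from the thread or from PHP's documentation; it assumes the hash extension (PHP 5.1.2 and later, as the post says) and hash_equals(), which exists from PHP 5.6. The function names, the "algo:hex" tag format and the sample content are the example's own choices.

```php
<?php
// Added example: algorithm-tagged digests so stored md5 values can be migrated
// to SHA-2 gradually. Assumes ext/hash (PHP >= 5.1.2) and hash_equals() (PHP >= 5.6).
// Names (strongest_available_algo, tagged_digest, ...) and the "algo:hex" layout
// are this example's conventions, not anything PHP or the thread defines.

/**
 * Pick the strongest algorithm from a preference list that this PHP build offers.
 * Names must match what hash_algos() reports (see the print_r output in the thread).
 */
function strongest_available_algo(array $preference = [])
{
    if (!$preference) {
        $preference = ['sha512', 'sha256', 'sha1', 'md5'];
    }
    $available = hash_algos();
    foreach ($preference as $algo) {
        if (in_array($algo, $available, true)) {
            return $algo;
        }
    }
    throw new RuntimeException('no acceptable hash algorithm available');
}

/**
 * Digest $data and prefix the hex result with the algorithm used, e.g. "sha256:ab12...".
 * The prefix is what lets a verifier recognise a legacy value later.
 */
function tagged_digest($data, $algo = null)
{
    $algo = $algo ?: strongest_available_algo();
    return $algo . ':' . hash($algo, $data);
}

/**
 * Verify $data against a stored tagged digest.
 * Returns ['ok' => matched?, 'upgrade' => matched with a weaker algorithm than we now prefer?].
 * When 'upgrade' is true the caller should store tagged_digest($data) in place of the old value.
 */
function verify_tagged_digest($data, $stored)
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || !in_array($parts[0], hash_algos(), true)) {
        return ['ok' => false, 'upgrade' => false]; // malformed or unknown algorithm tag
    }
    list($algo, $hex) = $parts;
    // hash_equals() compares in constant time, so a mismatch position does not leak.
    $ok = hash_equals(hash($algo, $data), strtolower($hex));
    return ['ok' => $ok, 'upgrade' => $ok && $algo !== strongest_available_algo()];
}

/**
 * Wrap a bare 32-hex-character md5 value (as an old table column would hold) in the tag format.
 */
function tag_legacy_md5($hex)
{
    if (!preg_match('/^[0-9a-f]{32}$/i', $hex)) {
        throw new InvalidArgumentException('not a bare md5 hex digest');
    }
    return 'md5:' . strtolower($hex);
}

// Constructed sample: one record that was stored as plain md5 before the migration.
$content = "example file content\n";          // constructed input
$stored  = tag_legacy_md5(md5($content));     // what the old code would have saved

$result = verify_tagged_digest($content, $stored);
if ($result['ok'] && $result['upgrade']) {
    // Verified with md5, so we know the content matches; re-store it with the strongest algorithm.
    $stored = tagged_digest($content);
}
echo $stored, "\n";  // now "sha512:..." on a build that offers sha512, "sha256:..." otherwise
```

The re-hash happens only after a successful verification, because that is the one moment the server holds the original content and can recompute it under the new algorithm; records that are never checked again simply keep their md5 tag and remain recognisable as legacy. For stored passwords specifically, password_hash() and password_verify() (PHP 5.5 and later) already do this kind of tagging and upgrading and should be preferred over a bare digest.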

Re: Watch Out about SSL and Also md5(). Use sha1() Instead

Posted: Fri Jan 02, 2009 9:36 am
by kaisellgren
Mordred wrote: The same Chinese team who found problems with MD5 has also found problems with SHA-1 (not the same ones IIRC). That's why the SHA-2 functions are currently recommended for use (SHA-256 in particular) and there is another public competition for a new hash function out there (Go go Bruce Schneier ;) )

As for the SHA-2 functions being slower, I'll loosely quote Schneier, that we have enough fast and insecure systems out there.
I'm rooting for him (Bruce).

Skein is the name of the hash by the way.