MD5 and Sha-1 Problems
Last edited by xudzh on Sat Apr 23, 2005 1:38 pm, edited 1 time in total.
More about SHA-1 http://www.schneier.com/blog/archives/2 ... sis_o.html
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
Might want to take a look at feyd's sha256 class here if you're interested in better security.
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Wikipedia gives a quite good explanation on SHA-1:
http://en.wikipedia.org/wiki/SHA-1#Cryp ... s_of_SHA-1
Specifically:
As of now, all these attacks are not based upon taking a pre-existing hash and then making another message that duplicates it: rather, they're using "birthday attacks" to find collisions. While, in essence, this is a step towards totally breaking the hash, it does not mean that it is totally invalidated. In academic cryptography, any attack that has less computational complexity than the expected time needed for brute force is considered a break [9] (http://www.schneier.com/paper-self-study.html). This does not, however, necessarily mean that the attack can be practically exploited. Wang et al. suggest that collisions for SHA-1 reduced to 70 rounds could be "found using today's supercomputers". It might also be possible for the full SHA-1 to be tackled by a relatively large organization willing to invest months of PC idle time organization-wide or invest in custom hardware, assuming that the attack is parallelizable, which is unclear at this time.
EDIT - Kantissa's link explains this very well, actually.
The thread title is confusing/misleading.
Neither MD5 nor SHA-1 have been *broken*.
Cracked is a really poor term, and the crypto community tries to avoid it for just this reason.
There have been substantial findings over the last two years for both that have found weaknesses in each. The weaknesses decrease both the brute force attack time (lower probability birthday attacks), *and* allow different inputs to result in the same hash.
The latter is the big shock, because as a result, it renders many systems vulnerable. Tripwire, router tables, CD ISO images, and more all relied on either MD5 or SHA-1 for hash verification that an input was intact, and matched a known-good source.
The net result is that it will become harder soon to detect rootkits, or trojan-infected CD images. It will also reduce the difficulty in attacking routers.
For web-based apps, the input/hash attack doesn't matter much at all. The lower brute force attack time that comes about as a RESULT of the input/hash attack does. The result is that a crypto function that used to take years to brute force is now crackable on a laptop in hours! (md5)
When you then factor in the number of people that use the *same* password on multiple websites - bank, these forums, some online game... you see that the security of a huge number of people has gotten far lower.
That's why it's important for responsible coders to implement security properly if they can - regardless of what the application is!
An online game is almost as dangerous as a bank website, if you use the same login for both.
For all those reasons, I highly recommend Feyd's sha-256 implementation. All the projects I work on will be migrated to use it.
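The post above makes two separate points: reused passwords stored as bare hashes, and file digests computed with a collision-weak algorithm. The following is an added example, not code from this thread and not feyd's sha256 class; it uses Python's standard library and a PBKDF2-SHA256 construction of my own choosing to show how a per-user salt keeps one site's leaked hash table from being looked up against another, and how an integrity check can still accept an MD5 or SHA-1 digest while flagging that a stronger digest from the same source is needed. The sample ISO payload and password are constructed.

```python
"""Added example (not from the thread): salted, iterated SHA-256 password
storage plus digest-based integrity checks that flag MD5/SHA-1 as
collision-weak. All sample inputs below are constructed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Algorithms the thread discusses as having practical collision attacks.
COLLISION_WEAK = {"md5", "sha1"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt per user means the same password stored on two
    sites (or by two users) yields unrelated digests, so a table leaked
    from a game forum cannot be matched directly against a bank's table.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def verify_integrity(data: bytes, expected_hex: str,
                     algorithm: str) -> Tuple[bool, str]:
    """Check data against a published digest.

    Returns (matches, warning). A match computed with MD5 or SHA-1 still
    carries a warning: with a collision attack, whoever prepared the file
    can publish one digest that fits two different contents, so the match
    alone does not prove the file is the known-good one.
    """
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unknown hash algorithm: {algorithm}")
    actual = hashlib.new(algorithm, data).hexdigest()
    matches = hmac.compare_digest(actual, expected_hex.lower())
    warning = ""
    if matches and algorithm in COLLISION_WEAK:
        warning = (f"{algorithm} matched, but {algorithm} is collision-weak; "
                   "require a SHA-256 digest from the same source")
    return matches, warning


if __name__ == "__main__":
    stored = hash_password("correct horse")          # constructed password
    print(stored)
    print(verify_password("correct horse", stored))  # True
    print(verify_password("wrong horse", stored))    # False
    image = b"constructed ISO payload"               # stand-in for a CD image
    print(verify_integrity(image, hashlib.sha256(image).hexdigest(), "sha256"))
    print(verify_integrity(image, hashlib.md5(image).hexdigest(), "md5"))
```

Two design points: `hmac.compare_digest` is used for both comparisons so timing does not leak how many leading bytes matched, and the stored string carries its own scheme and iteration count so the cost can be raised later without invalidating old entries.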
- magicrobotmonkey
- Forum Regular
- Posts: 888
- Joined: Sun Mar 21, 2004 1:09 pm
- Location: Cambridge, MA
allow different inputs to result in the same hash.
The thing is, just because two inputs can result in the same hash, doesn't mean that any inputs besides the 'true' one will be useful at all. Another input that results in the same hash would probably have to be full of just nonsense. Taking a cd image and changing it a little by adding a virus and then getting the same hash by adding some nonsense will not be possible.
The net result is that it will become harder soon to detect rootkits, or trojan-infected cd images. It will also reduce the difficulty in attacking routers.
magicrobotmonkey wrote: The thing is, just because two inputs can result in the same hash, doesn't mean that any inputs besides the 'true' one will be useful at all. Another input that results in the same hash would probably have to be full of just nonsense. Taking a cd image and changing it a little by adding a virus and then getting the same hash by adding some nonsense will not be possible.
No - the latest findings actually demonstrate *constructing* a package that matches a known md5 signature.
So yes, it is provably possible to add a trojan to a known good ISO, and yet still have a legitimate md5sum.
I'll try to find the link to the paper and post it when I get a chance.