http://washingtontimes.com/national/20050311-123922-9537r.htm

By Bill Gertz and Rowan Scarborough
THE WASHINGTON TIMES
March 11, 2005

[...]

China breaks code?

The U.S. code-breaking community is worried about China's advances in cracking U.S. codes. Three Chinese cryptologists last month reported they had found a way to crack a U.S. government-approved information security system known as SHA-1, or Secure Hash Algorithm-1.

The SHA-1 encryption is used widely within the U.S. government, including the Pentagon and U.S. intelligence community. It is currently the Federal Information Processing Standard and has been since 1994.

Put simply, SHA-1 is a security authentication device that is used to verify the integrity of digital media, and to make sure that data or messages, such as secure e-mail, are not changed during transmission.

Chinese researchers Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu reported in a paper Feb. 13 that they had "developed new techniques that are very effective" for breaking SHA-1 code, without using time-consuming "brute force" attacks.

The National Institute of Standards and Technology (NIST), which made SHA-1 a federal standard, said in a statement that it could not confirm the Chinese code-breaking but noted that the three researchers are "reputable" specialists with cryptographic expertise.

NIST said the new "attack" or code-breaking "is of particular importance in digital signature applications, such as time-stamping, and notarization." But the institute sought to play down the implications of the Chinese claim, stating that the method described in the paper will be "difficult to carry out in practice."

Still, the U.S. government is phasing out SHA-1 over the next five years. "Due to advances in computing power, NIST already planned to phase out SHA-1 in favor of the larger and stronger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) by 2010," the statement said.

Disclosure of the code break followed China's publication of a defense white paper in December that identifies the use of information technology as a central element of Chinese military doctrine. U.S. defense officials say China's military believes its cyber-soldiers can successfully cripple the U.S. military by attacking key computer-run infrastructures and other information networks.

Daniel E. Spisak, a private security engineer, said China is capable of building its own SHA-1 "cracker" using computers. "This could potentially allow them to access sensitive systems," he said. "However, from what small knowledge I do have of how secure data links get set up for some kinds of DOD projects, I think it would be very difficult to exploit the SHA-1 [code break] to their advantage."

The danger, he noted in an e-mail, is that China could exploit a security lapse in U.S. government networks and systems. Mr. Spisak said as long as U.S. government computers are properly protected by multiple layers of defense and authentication mechanisms, "one can ensure it is sufficiently difficult to gain illegal access to sensitive networks and systems even with one part failing." But if proper security precautions are not taken, "then all bets could be off," he said.

Bruce Schneier, a cryptography and security specialist, said the Chinese breakthrough is not alarming. But he noted that within the U.S. National Security Agency there is an old saying: "Attacks always get better; they never get worse."

[...]