http://www.theregister.co.uk/2009/06/10/digital_signature_weakness/ By Dan Goodin in San Francisco The Register 10th June 2009 Cryptographers have found new chinks in a widely-used digital-signature algorithm that have serious consequences for applications that sign email, validate websites, and carry out dozens of other online authentication functions. The researchers, from Macquarie University in Sydney, Australia, found a way to break the SHA-1 algorithm in significantly fewer tries than previously required. Although the hash function was previously believed to withstand attempts numbering 2-63, the researchers have been able to whittle that down to 2-52, a number that puts practical attacks well within grasp of well-funded organizations. Secure hashing algorithms are designed to reduce text or digital files to a unique series of letters and numbers that is often compared to the document's signature. The findings, which were published Wednesday here (PDF) [1], mean it's easier to create what cryptographers call collisions in SHA-1, in which two different sources share the same the same output. "I'm expecting that we'll start seeing SHA-1 collisions before the end of the year, if not sooner," said Paul Kocher, president and chief scientist at Cryptography Research, a San Francisco-based consultancy. "For applications that fail because of collisions, you need to be really worried." [1] http://eprint.iacr.org/2009/259.pdf [...] _____________________________________________ Visit the InfoSec News security bookstore! http://www.shopinfosecnews.orgReceived on Thu Jun 11 2009 - 00:17:56 PDT
This archive was generated by hypermail 2.2.0 : Thu Jun 11 2009 - 00:27:15 PDT