SHA-1 Broken by Cryptographers from Sydney
Australian cryptographers have discovered new bugs and exploitable vulnerabilities in the widely popular SHA-1 digital signature algorithm that could create grave repercussions for SHA-1-based applications that validate websites, sign e-mail, and undertake numerous other online verification functions.
On that note, the Macquarie University researchers based in Sydney, Australia, have recently found a viable means to compromise one such algorithm in considerably fewer attempts than normally needed.
To the non-tech-savvy layman, 11 fewer attempts may seem like a negligible difference, but to well-funded cyber criminals everywhere, that number puts practical hacker attacks within the realm of possibility.
The cryptologists' findings, which were published yesterday, show that it's now easier to develop what the researchers call collisions in SHA-1, in which a pair of divergent sources share the same output.
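To make "collision" and "number of attempts" concrete, the following added example (not from the article or the researchers' paper) runs a generic birthday search against SHA-1 truncated to a few bits; it is not the researchers' technique. The function names and the counter-based messages are constructed for illustration.

```python
import hashlib
from itertools import count


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-1(data) as an integer."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def find_collision(bits: int, prefix: bytes = b"constructed-sample-"):
    """Hash distinct messages until two share the same truncated digest.

    Returns (first_message, second_message, attempts). The messages are
    constructed counter strings, so the search is deterministic.
    """
    seen = {}  # truncated digest -> first message that produced it
    for i in count():
        msg = prefix + str(i).encode()
        tag = truncated_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


def attempts_by_size(sizes=(8, 16, 24)):
    """Map each truncated digest size to the attempts the search needed."""
    return {bits: find_collision(bits)[2] for bits in sizes}


if __name__ == "__main__":
    for bits, attempts in attempts_by_size().items():
        # A generic search needs on the order of 2^(bits/2) attempts,
        # far fewer than the 2^bits possible outputs.
        print(f"{bits:2d}-bit digest: collision after {attempts} attempts "
              f"(2^{bits // 2} = {2 ** (bits // 2)}, 2^{bits} = {2 ** bits})")
```

The attempt counts grow roughly as 2^(bits/2), so each bit removed from the exponent of an attack's cost halves the work required.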
He adds that many people are particularly worried about applications that are most likely to be compromised by these collisions.
Using the computing power of more than 200 PlayStation 3 consoles, they created rogue certifications and credentials needed by botnets to masquerade as reputable websites dependent on that security measure.
The vulnerability led certificate authorities like VeriSign's RapidSSL to alter the way they produce SSL (Secure Sockets Layer) certificates for websites.
This technique dramatically decreases the expenses needed to launch a feasible collision attack by a factor of more than 2,000 compared to earlier methods.
As of this writing, the research paper has not yet been peer reviewed.
With these latest findings in algorithm limits, it looks like developers need to develop an MD500 or SHA-9999 algorithm in the near future, if they haven't already.