
SHA-1 Broken by Cryptographers from Sydney

Australian cryptographers have discovered new bugs and exploitable vulnerabilities in the widely popular SHA-1 digital signature algorithm that could create grave repercussions for SHA-1-based applications that validate websites, sign e-mail, and undertake numerous other online verification functions.

Secure hashing algorithms were specifically developed to reduce digital or text files to a distinctive series of numbers and letters that is often compared to the document's signature. On that note, the Macquarie University researchers based in Sydney, Australia have recently found a viable means to compromise one such algorithm in considerably fewer attempts than normally needed.

Even though the hash function of the algorithm was said to withstand 2^63 breaching attempts, the cryptographers have managed to reduce that figure to a mere 2^52. To the non-tech-savvy layman, an exponent that is 11 lower may seem like a negligible difference, but to well-funded cyber criminals everywhere, that number puts practical hacker attacks within the realm of possibility.

The cryptologists' findings, which were published yesterday, show that it's now easier to develop what the researchers call collisions in SHA-1, in which a pair of divergent sources share the same output.

Paul Kocher, the chief scientist and president of the San-Francisco-based Cryptography Research consultancy, says that he's expecting SHA-1 collisions to become a lot more commonplace by the end of 2009, if not sooner. He adds that many people are particularly worried about applications that are most likely to be compromised by these collisions.

Just last year, the MD5 algorithm was exposed as faulty by a couple of independent Internet security researchers. Using the computing power of more than 200 PlayStation 3 consoles, they created rogue certifications and credentials needed by botnets to masquerade as reputable websites dependent on that security measure. The vulnerability led certificate authorities like VeriSign's RapidSSL to alter the way they produce SSL (Secure Sockets Layer) certificates for websites.

The new, Aussie-discovered hacking method merges a boomerang attack with what's identified as a nonlinear differential path. This technique dramatically decreases the expenses needed to launch a feasible collision attack by a factor of more than 2,000 compared to earlier methods. As of this writing, the research paper has not yet been peer reviewed.

Previous hashes like MD4 and SHA-0 have also shown a weakness against collisions generated by reasonably affordable ways. With these latest findings in algorithm limits, it looks like developers need to develop an MD500 or SHA-9999 algorithm in the near future, if they haven't already.
