On Fri, 2005-02-18 at 09:24 -0200, Gerhard Fiedler wrote:
> Mike Hawkshaw wrote:
> 
> > http://www.theregister.co.uk/2005/02/17/sha1_hashing_broken/
> > 
> > Long rumored and now official, the popular SHA-1 hashing algorithm has been
> > attacked successfully by researchers in China and the US......
> 
> Not really... they only found a collision, which in most applications is
> not a successful attack. 

Actually I believe it is. By being able to find a collision one opens up
the possibility of spoofing. That's a pretty serious breach and I would
consider it "attacked successfully".

Now, should we all head for the hills? Of course not. Are we surprised
that SHA-1 was breached? Of course not. What IS surprising is that it
took far fewer operations to do then at first thought necessary.

All hashing algorithms can be breached. The only "safe" part about most
of them is the operations required to breach them. The fact that SHA-1
can be breached with many magnitudes fewer operations is significant.

In a way this is kind of a similar situation to WEP on WiFi: due to the
numbers of bits everyone thought it would take a huge amount of
computing power to derive the key. Turns out by using a few clever
tricks the KEY to a 128bit WEP connection can be gathered in far less
time, sometimes only a few hours (depending on the traffic that AP is
carrying). Again it wasn't a surprise that WEP WAS breached, it WAS a
surprised that it could be breached so easily.

It's like a combination lock that is supposed to require 14 numbers to
open. But by using a clever trick can be opened with only 4 numbers.
It's still hard to open, but it's far less hard to go through the
combinations of 4 numbers then it is to go through the combinations of
14 numbers! :) TTYL


-----------------------------
Herbert's PIC Stuff:
http://repatch.dyndns.org:8383/pic_stuff/

-- 
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist