For those who haven't seen it yet, Bruce Schneier's blog has a post about SHA-1 being 'broken' (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html).
Interesting article and it seems to involve hash collisions. I wonder how long it will take to convert these heathens to a strong random pad based encryption? :green2
This is a nice site, seems like rainbow tables are indeed worthy: http://www.passcracking.com
What's he mean by broken? Like instantly crackable?
It means someone has found a way to defeat the encryption. It will still take a lot of knowhow and computer power to do it, but the gist of the research was that the range to brute force crack the encryption is a lot smaller than originally thought.
SHA-1 is a cryptographic hash algorithm and not an encryption algorithm :naughty:.
SHA-1 is 'broken' in the sense that they devised a method for finding collisions (two messages that result in the same hash) which is faster than brute force (2^69 tries instead of 2^80).
While this probably does not pose a huge security problem in most cases, it does show some potential weakness in the algorithm.
So, how much difference does that amount to in computing time?
80 – 69 = 11
2 ^ 11 = 2048
A substantial reduction, but assuming a 3GHz clock and one try per clock cycle (not possible for a single processor), 2 ^ 69 tries would still take ~6,235 years. So currently, it would still be "computationally infeasible to find a message which corresponds to a given message digest, or to find two different messages which produce the same message digest." Then again, you could find it on the first try :bg
Quote from: MichaelW on February 17, 2005, 07:22:26 PM
80 – 69 = 11
2 ^ 11 = 2048
A substantial reduction, but assuming a 3GHz clock and one try per clock cycle (not possible for a single processor), 2 ^ 69 tries would still take ~6,235 years. So currently, it would still be "computationally infeasible to find a message which corresponds to a given message digest, or to find two different messages which produce the same message digest." Then again, you could find it on the first try :bg
6,235 years is a worst case scenario.
Given a 'birthday attack,' the time would be more like 79 years (i.e. how long before you have more than 50% chance of 'getting lucky.')
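An added worked example (not from any poster in this thread) that puts numbers on the two posts above: it converts a work factor such as 2^69 into years at the assumed 3 GHz, one-try-per-cycle rate, and runs a birthday search on a constructed 24-bit truncation of SHA-1 to show why collisions turn up after roughly 2^(n/2) tries rather than 2^n. The truncation width and the message format are assumptions for the demo only.

```python
import hashlib
import math

def truncated_sha1(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-1(data) as an integer (constructed toy target)."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)

def birthday_collision(bits: int, seed: int = 0):
    """Generic birthday search on the truncated hash.

    Stores every value seen; stops at the first repeat among distinct messages.
    Returns (msg_a, msg_b, tries). Expected tries ~ sqrt(pi/2 * 2**bits),
    so a 24-bit digest needs ~5,000 hashes, not ~16,000,000.
    """
    seen = {}
    tries = 0
    while True:
        msg = b"msg-%d-%d" % (seed, tries)   # constructed message stream
        h = truncated_sha1(msg, bits)
        tries += 1
        if h in seen and seen[h] != msg:
            return seen[h], msg, tries
        seen[h] = msg

def expected_birthday_tries(bits: int) -> float:
    """Mean number of hashes before the first collision on a `bits`-bit digest."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def years_for(tries: float, rate_per_second: float = 3e9) -> float:
    """Wall-clock years at `rate_per_second` tries (3 GHz, one try per cycle)."""
    return tries / rate_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    print("2^80 tries: %.3g years" % years_for(2 ** 80))   # brute-force bound
    print("2^69 tries: %.0f years" % years_for(2 ** 69))   # the 2005 result
    a, b, n = birthday_collision(24)
    print("24-bit collision after %d tries: %r / %r" % (n, a, b))
```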
The humour is it is well known that governments of various persuasions have some very big computer grunt to reduce these problems from years to a far smaller time scale. I remember one of the better known 54 bit encryptions was broken a few years ago, but the match rate of keys was some amazing number per second. I am pretty much of the view that any system that can be exhausted on a key count is dead meat.
For its many problems and difficulty to implement, a highly random pad is hard to beat if it is used properly.
I'm pretty sure that the 5 32 bit init. vars have those values for a particular reason (or more). It can leave a backdoor for the people who need it (the designers, NIST, along with the NSA).