Chris
05-06-2005, 01:59 PM
New research on several commonly used hash algorithms has revealed security weaknesses in e-commerce systems and the internet, according to experts.
Hash algorithms are used by computers to compare data, and are a cornerstone of encryption and IT security systems. However, experts have warned that hackers now require only 15 minutes to create two email messages that produce the same digital signatures when checked by the most commonly used hash algorithms.
Professor Yvo Desmedt, BT professor of information security at University College London (UCL), said, "This means there is a need for a new SSL [Secure Sockets Layer encryption] standard. Hopefully we have a few years to design one [provided no further weaknesses are found by researchers]."
Hackers could use this technique to conduct bank frauds, warned Professor Xiaoyun Wang, of the school of maths and system science at Shandong University and the Centre for Advanced Study at Tsinghua University, Beijing.
Wang is one of the world's leading experts in the field of hash algorithms. Her seminars at the UCL last week described how her team had already found collisions in a number of them.
A collision is where two different sets of data produce the same result from a hash function. Collisions would cause software comparisons of those two datasets to report them as identical.
Hash functions are designed to make it effectively impossible to find collisions without the aid of supercomputers. For example, the Secure Hash Algorithm 1 (SHA-1) was designed so that the probability of finding a collision was 2^-80. Even with a higher probability of 2^-69, it would still take a specialised supercomputer about a year to find a collision.
But using methods discovered by Wang, hackers could improve the probability of finding collisions with the MD5 hash to 2^-30. Researchers have found MD5 collisions in 15 minutes on a simple laptop computer using Wang's techniques.
Currently SHA-1 is more secure because the highest probability the researchers can achieve is 2^-69. Desmedt said "You need a big supercomputer to find collisions in SHA-1, but 2^-69 is not something that we can feel comfortable with."
Wang's seminars were part of a series at the UCL to complement its new MSc in information
Source: VNUNET (http://www.vnunet.com/itweek/news/2137376/hash-research-blow-security)
Hash algorithms are used by computers to compare data, and are a cornerstone of encryption and IT security systems. However, experts have warned that hackers now require only 15 minutes to create two email messages that produce the same digital signatures when checked by the most commonly used hash algorithms.
Professor Yvo Desmedt, BT professor of information security at University College London (UCL), said, "This means there is a need for a new SSL [Secure Sockets Layer encryption] standard. Hopefully we have a few years to design one [provided no further weaknesses are found by researchers]."
Hackers could use this technique to conduct bank frauds, warned Professor Xiaoyun Wang, of the school of maths and system science at Shandong University and the Centre for Advanced Study at Tsinghua University, Beijing.
Wang is one of the world's leading experts in the field of hash algorithms. Her seminars at the UCL last week described how her team had already found collisions in a number of them.
A collision is where two different sets of data produce the same result from a hash function. Collisions would cause software comparisons of those two datasets to report them as identical.
Hash functions are designed to make it effectively impossible to find collisions without the aid of supercomputers. For example, the Secure Hash Algorithm 1 (SHA-1) was designed so that the probability of finding a collision was 2^-80. Even with a higher probability of 2^-69, it would still take a specialised supercomputer about a year to find a collision.
But using methods discovered by Wang, hackers could improve the probability of finding collisions with the MD5 hash to 2^-30. Researchers have found MD5 collisions in 15 minutes on a simple laptop computer using Wang's techniques.
Currently SHA-1 is more secure because the highest probability the researchers can achieve is 2^-69. Desmedt said "You need a big supercomputer to find collisions in SHA-1, but 2^-69 is not something that we can feel comfortable with."
Wang's seminars were part of a series at the UCL to complement its new MSc in information
Source: VNUNET (http://www.vnunet.com/itweek/news/2137376/hash-research-blow-security)