Now don't go getting upset or scared or go running around yelling "The sky is falling!  The sky is falling!"  The sky isn't falling.  It's merely taken some major damage and the engineers are saying that it needs to be replaced before it does fall.

The SHA-1 computer hash code has been broken by a team in China.  A "hash" code takes a file and encodes the document into a short string of characters.  If you think back to when you were a kid: if you take a message and cut out every other character, then that would be a hash of the original message.  When you read the message and compare the hash to it, if any of the characters are different, then you know you are not reading the original message.

SHA-1 is often used to encode passwords and secure communications. But don't worry, no one is going to be breaking into your grocery list or your dirty pictures anytime soon.

<<CAUTION:  Superscripts Ahead>>

Here's what happened.  SHA-1 takes any given file and reduces it to 160 characters.  Since there are "only" 160 characters, then given a huge, huge, huge number of files you can find two that have the exact same 160-character hash, called a "collision".  To be precise, you would need 2⁸⁰ files.  That's 1.2 x 10²⁴, or a 1 followed by 24 zeros.  Not likely to happen, but there is a chance.

The Chinese team basically found a shortcut.  They were able to short-circuit the math formulas and can now create the collision in 2⁶⁹ hashes instead of 2⁸⁰.  This means that the attack is 2¹¹ times faster, about 2000 times faster, than brute force.  If it would have taken 2000 years to break before, now it takes only a year.
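To make the three ideas above concrete (a hash as a tamper detector, a collision, and the 2⁸⁰ versus 2⁶⁹ work comparison), here is an added worked example in Python.  It is not code from the original post or from the Chinese team; it uses Python's standard hashlib SHA-1.  Because nobody can find a real 160-bit SHA-1 collision on a laptop, the collision search deliberately keeps only the first 24 bits of the digest as a toy stand-in, so the same birthday-paradox effect appears after a few thousand hashes instead of 2⁸⁰.  The message prefix "msg-" and the 24-bit truncation are constructed for the demo.  The digest-size comparison at the end goes slightly beyond the post by showing why a larger hash (256 bits) pushes the generic collision bound from 2⁸⁰ to 2¹²⁸.

```python
import hashlib
import itertools
import math


def sha1_hex(data: bytes) -> str:
    """Full 160-bit SHA-1 digest, shown as 40 hex characters."""
    return hashlib.sha1(data).hexdigest()


def tamper_detected(original: bytes, received: bytes) -> bool:
    """The integrity use of a hash: recompute it over what arrived and
    compare with the hash of what was sent.  Any change flips the result."""
    return sha1_hex(original) != sha1_hex(received)


def truncated_sha1(data: bytes, bits: int) -> int:
    """Toy hash: keep only the first `bits` bits of SHA-1 (constructed for the
    demo).  Fewer output bits means a collision is cheap to find."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def birthday_bound(bits: int) -> int:
    """Generic brute-force collision work for an n-bit hash is about 2^(n/2)
    hashes (the 'birthday paradox').  For SHA-1 (160 bits) that is 2^80."""
    return 2 ** (bits // 2)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Hash distinct messages until two of them share the same truncated
    digest.  Returns (message_a, message_b, hashes_computed).  Expected work
    is roughly sqrt(pi/2) * 2^(bits/2), i.e. about 1.25 * birthday_bound(bits)."""
    seen = {}
    for i in itertools.count():
        msg = prefix + str(i).encode()
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def speedup(bits_before: int, bits_after: int) -> int:
    """How much faster an attack costing 2^bits_after is than one costing
    2^bits_before: the ratio is 2^(bits_before - bits_after)."""
    return 2 ** (bits_before - bits_after)


if __name__ == "__main__":
    # 1. Integrity check: one extra item on the list changes the whole hash.
    original = b"milk, eggs, bread"
    altered = b"milk, eggs, bread, beer"
    print("tampered:", tamper_detected(original, altered))

    # 2. A collision on the 24-bit toy hash: two different messages, same hash.
    a, b, n = find_collision(24)
    print(f"collision after {n} hashes (expected ~{1.25 * birthday_bound(24):.0f}):")
    print(f"  {a!r} -> {truncated_sha1(a, 24):06x}")
    print(f"  {b!r} -> {truncated_sha1(b, 24):06x}")

    # 3. The numbers from the post: 2^80 brute force vs the 2^69 shortcut.
    print("SHA-1 brute-force collision work: 2^%d ~= %.1e" % (80, birthday_bound(160)))
    print("shortcut speedup 2^80 / 2^69 = 2^%d = %d" % (math.log2(speedup(80, 69)), speedup(80, 69)))

    # 4. Why a bigger hash helps: 256-bit output means 2^128 generic work.
    print("256-bit hash brute-force collision work: 2^128 ~= %.1e" % birthday_bound(256))
```

Running it prints that the altered grocery list is detected, shows two distinct "msg-N" strings whose 24-bit truncated SHA-1 values match after a few thousand hashes, and prints the 2⁸⁰ / 2⁶⁹ = 2¹¹ = 2048 speedup the post describes.  The toy truncation is only there to make the birthday effect visible; the real attack is a structural shortcut inside SHA-1's math, not a shortened output.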

No one is likely to put this in practice.  You aren't going to see viruses or hackers out there reading your private communications.  But it does give the NSA, CIA, and those other 3 letter "THEMS" a much better chance to read stuff.

There was a great article on Bruce Schneier's blog about all of this.  Pretty technical, but very informative.

SHA-1 will be replaced with a larger hash code that will beef up security again for a while.  It, too, will eventually be broken, as will the one after that.  Humans are just too wily to let anything sit out there unsolved.  We have to solve it.

In all of my secure communications, I use and I have always recommended PGP encoding.  Instead of a small 160-character result it comes up with a much larger one.  I don't want any THEMS reading my grocery list.  If you need to send something over the internet, use PGP.