SHA-3 – The new hash standard
Die Hard
Conclusions
You are unlikely to encounter security problems with SHA-1 today, but the experience with MD5 teaches us that migration from vulnerable algorithms can take a long time. Despite the fact that security issues had been known since 1996, it was not until the Flame virus successfully attacked the MD5 signatures of the Windows Update Service in 2012 – 16 years later – that many authorities began to address the problem.
Initial collisions are likely to be reported for SHA-1 in the next few years. However, the type of collision is important for the success of an attack: The problems with MD5 did not become relevant until attackers succeeded in creating meaningful data, such as certificates, with a collision. But it did not take long for the problems with MD5 to become evident, and the attacks soon became more serious.
Infos
- SHA-3 competition by NIST: http://csrc.nist.gov/groups/ST/hash/sha-3/
- Keccak algorithm: http://keccak.noekeon.org/
- All proposals in the SHA-3 competition: http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo
- Bruce Schneier's blog entry: http://www.schneier.com/blog/archives/2012/09/sha-3_will_be_a.html
- Talk at 25C3 about spoofed MD5 signatures: http://media.ccc.de/browse/congress/2008/25c3-3023-en-making_the_theoretical_possible.html
- Analysis of the MD5 collision in the Flame virus: http://www.research.leiden.edu/news/cryptanalyst.html