The end of SHA-1 near?

Prickaerts

Administrator
Jan 2, 2006
765
0
#1
Hi Group,

Last weekend some brilliant mathematicians demonstrated that collisions in SHA-1 are plausible (or however nuanced you would like me to put it :wink:)
heise-security.co.uk/news/77244

"Cryptographic experts at the Crypto 2006 conference have demonstrated a modified method of attack against a reduced variant of the SHA-1 hash algorithm."

"Although the demonstration was restricted to the reduced SHA-1 variant in 64 steps, it can, according to the experts, also be generalised to the standard 80 step variant. This means that SHA-1 must also be considered as cracked in principle."
 

ddow

New Member
Jul 18, 2006
1,380
0
#2
This is the work of Dr. Xiaoyun Wang, Hongbo Yu of Shandong, China, and Yiqun Lisa Yin residing in the US. About a year ago Dr. Wang and her team announced this crack against SHA1 and earlier against MD4 and MD5 using similar techniques. These results are a source of great excitement among cryptographers.

It's of minimal interest to forensic examiners. Using the easy case of cracking MD4 took a massive system the equivalent of 80,000 years of computing on a home system to generate an identical hash value on what's termed a "pre-image". The message with the identical hash was gibberish. Since the purpose of a hash in a forensic examination is to demonstrate that we didn't alter any files, the hash still does that. To counter a claim that we intentionally replaced one file with another of the same hash, one only needs to point to the impossibility of that. It is simply impossible for an investigator to substitute one file with another and then alter the substitute file so the hashes match.

Chain of custody and following proper procedures really make this news irrelevant. For additional information, google for "wang schneier china" and you'll get Bruce Schneier's discussion pretty easily.
 

Prickaerts

Administrator
Jan 2, 2006
765
0
#3
Hi DDOW,

I would be a little bit more cautious. They said the same for MD5, but currently it is already possible to generate two different filesets with the same MD5 hash in seconds...

See paper at eprint.iacr.org/2006/105 (add http : / / for full link)

And I agree that it does not mean at this time that you could insert a file into a disk image and produce the same hash value. However, we prefer to stay ahead of the moment it is done, so we use SHA-256 (as is also suggested by NIST and NSA).

Cheers,
 

ddow

New Member
Jul 18, 2006
1,380
0
#4
Absolutely, we should use the strongest hashes possible. Most of us will have to wait for the vendors to catch up on that one. Additionally, I'd recommend taking two different hashes if strong hashes aren't supported (MD5 and SHA1, for example). No one in the crypto community is suggesting a technique for simultaneously generating two hashes.

I'll look at Klima's paper that you suggested but I'm not going to lose any sleep over it yet.
 
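Posts #3 and #4 above recommend moving to SHA-256 and, where a tool only offers weaker algorithms, recording more than one digest per file. The following is an added example, not code from this thread or from any forensic tool, showing a small evidence manifest that stores MD5, SHA-1 and SHA-256 side by side, verifies a set of files against it, and reports exactly which digests no longer match after a file changes. The "evidence files" and their contents are constructed in-line for the demonstration; the function and file names are my own.

```python
import hashlib
from typing import Dict, List, Mapping, Tuple

# Algorithms recorded per file. SHA-256 is the one post #3 recommends;
# MD5 and SHA-1 are kept alongside it for tools that still expect them.
ALGORITHMS: Tuple[str, ...] = ("md5", "sha1", "sha256")
CHUNK_SIZE = 64 * 1024  # stream in chunks, as one would for a disk image


def multi_digest(data: bytes, algorithms: Tuple[str, ...] = ALGORITHMS) -> Dict[str, str]:
    """Return {algorithm: hex digest} for one blob, hashing it in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    view = memoryview(data)
    for offset in range(0, len(view), CHUNK_SIZE):
        chunk = view[offset:offset + CHUNK_SIZE]
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def build_manifest(files: Mapping[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Record every configured digest for every file, sorted by path for a stable listing."""
    return {path: multi_digest(content) for path, content in sorted(files.items())}


def verify_manifest(files: Mapping[str, bytes],
                    manifest: Mapping[str, Mapping[str, str]]) -> Dict[str, List[str]]:
    """Compare files against a manifest.

    Result maps each path to the list of algorithms whose digest differs
    (empty list = all digests match). Files absent from the set are
    reported as ["missing"], files not in the manifest as ["unexpected"].
    """
    report: Dict[str, List[str]] = {}
    for path, expected in manifest.items():
        if path not in files:
            report[path] = ["missing"]
            continue
        actual = multi_digest(files[path], tuple(expected))
        report[path] = [alg for alg in expected if actual[alg] != expected[alg]]
    for path in files:
        if path not in manifest:
            report[path] = ["unexpected"]
    return report


def tamper(files: Mapping[str, bytes], path: str, position: int) -> Dict[str, bytes]:
    """Return a copy of the file set with one byte of `path` flipped (constructed test input)."""
    changed = dict(files)
    original = bytearray(changed[path])
    original[position] ^= 0x01
    changed[path] = bytes(original)
    return changed


# Constructed sample "evidence": small stand-ins for acquired files.
SAMPLE_FILES: Dict[str, bytes] = {
    "image.dd": bytes(range(256)) * 1024,          # 256 KiB of patterned data
    "notes.txt": b"Acquired 2006-08-26, write blocker attached.\n",
    "empty.bin": b"",
}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES)
    for path, digests in manifest.items():
        print(path, digests["sha256"])
    print("clean:", verify_manifest(SAMPLE_FILES, manifest))
    print("tampered:", verify_manifest(tamper(SAMPLE_FILES, "notes.txt", 0), manifest))
```

Because every algorithm hashes the same stream in one pass, adding SHA-256 costs one more update per chunk rather than a second read of the image; the report tells the examiner which recorded digests disagree, so a manifest can be checked even by a tool that only understands one of the algorithms.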
