Network Security Security-Basics

RE: sha-1 cryptography

Subject: RE: sha-1 cryptography
Date: Thu, 22 Dec 2005 09:34:33 -0800
  MD5 and SHA-1 are not used to ensure Confidentiality, but to
check Integrity.  So it's not appropriate to use them to secure
the confidentiality of passwords or credit card numbers or the
like.  They are routinely used with plaintext versions of the
hashed data.
  The two cases where they are useful are to demonstrate
cryptographically:

(a) that THIS group of bits is the same as THAT group of bits
    e.g., this image that I've done my forensic analysis on
          is an exact copy of the contents of the hard drive
          in the defendant's computer

(b) that THIS message was "signed" by someone who had access to
    the private key which corresponds to the public key that
    THAT certificate authority asserts belongs to THAT entity
    e.g., this message is really from Alice, because somebody
          used her private key (which only she should have) to
          encrypt a *correct hash* of the message

  The breakage is that the correspondences are no longer certain
to be unique; this drive image might be of a different drive, this
digital signature might have been copied from a different message.

  Solutions are basically two:

1.  There are new stronger SHA versions available.

2.  It will be a while before anyone can reliably break *both*
    hashes with the same data bits.  So, for instance, forensic
    examiners can start using both MD5 and SHA-1 together to 
    establish fidelity of images.

David Gillett
 

-----Original Message-----
From: Enquiries [mailto:enquiries@globalart4u.com] 
Sent: Tuesday, December 20, 2005 10:37 AM
To: Security-Basics (E-mail)
Subject: sha-1 cryptography

Dear All

I understand that SHA-1 cryptography has been broken by the 
same person who broke MD5, Xiaoyun Wang.  So what does that 
mean for password security and credit card transactions etc.?  
Does that mean we will need to look for other stronger 
cryptography solutions and if yes what do you recommend, 
especially for passwords?

thanks

Tallat
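
The image-fidelity check from point 2 of the reply above, as an added example that is not part of the original thread: one pass over an image computes MD5 and SHA-1 together (plus SHA-256 as one of the stronger SHA versions from point 1), and a copy is accepted only if every recorded digest matches. The function names and the sample "image" bytes are constructed for illustration.

```python
import hashlib
import hmac
import io

# MD5 and SHA-1 together, plus SHA-256 as one of the newer SHA versions.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Read the stream once, feeding each chunk to every digest."""
    digests = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for digest in digests.values():
            digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def verify_image(stream, recorded):
    """Return (ok, mismatches); ok is True only if ALL recorded digests match."""
    computed = hash_stream(stream, tuple(recorded))
    mismatches = [
        name for name, expected in recorded.items()
        if not hmac.compare_digest(computed[name], expected.lower())
    ]
    return (not mismatches, mismatches)


def demo():
    # Constructed sample data standing in for an acquired drive image.
    original = b"constructed sample standing in for a drive image\n" * 4096
    recorded = hash_stream(io.BytesIO(original))  # digests noted at acquisition

    exact_copy = verify_image(io.BytesIO(original), recorded)

    altered = bytearray(original)
    altered[100] ^= 0x01  # flip a single bit in the working copy
    altered_copy = verify_image(io.BytesIO(bytes(altered)), recorded)
    return exact_copy, altered_copy


if __name__ == "__main__":
    exact_copy, altered_copy = demo()
    print("exact copy  :", exact_copy)
    print("altered copy:", altered_copy)
```

To pass the check, a substituted image would have to collide under every recorded algorithm at once, which is the property the reply relies on.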


