When you say "broken" do you mean a "Pre-image" attack or a
"Collision" attack. The distinction is very critical when using a
hashing algorithm in cryptography.
See definition of each type attack below:
http://en.wikipedia.org/wiki/Collision_attack
http://en.wikipedia.org/wiki/Pre-image_attack
From your post I think you are refering to "Collision" attack.
Collision attacks are possible but it is very very complex to mount a
"USEFUL" attack using Collision.
For e.g. Pre-image attack is required for tempering with arbitrary
(given) piece of code from a legitimate vendor that has been Digitally
Signed. A collision attack on code-signing will work only if the
attacker is writing both the innocuous and the malicious programs. In
that case why would you trust even a innocuous program from an
attacker (known mal-ware developer) ????
For simple hashing of passwd I think SHA-1 is still more than enough.
I understand that SHa-1 cryptography has been broken by the same person who
broke MD5, xiaoyun Wang. So what does that mean for password security and
credit card transactions etc. Does that mean we will need to look for other
stronger cryptography solutions and if yes what do you recommend, especially
for passwords?
--
Saqib Ali, CISSP
http://www.xml-dev.com/blog/
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------
