| Author |
Message |
George Spiro
Guest
|
 Posted:
Tue Feb 22, 2005 1:34 am Post subject:
Now that SHA-1 is cracked... |
|
|
Hi,
Now that SHA-1 is cracked I am wondering how is MS dealing with this? I am
wondering how do I create a new SSL certificate with SHA-256 or 512. Cant
seem to create one for IIS.
G. |
|
| Back to top |
|
 |
Matt Gibson
Guest
|
| Posted:
Tue Feb 22, 2005 2:02 am Post subject:
Re: Now that SHA-1 is cracked... |
|
|
SHA-1 Is not "Cracked"
Read before you panic and spread FUD.
Matt Gibson - GSEC
"George Spiro" <spam@spam.com> wrote in message
news:uDjYcxEGFHA.348@TK2MSFTNGP09.phx.gbl...
| Quote: | Hi,
Now that SHA-1 is cracked I am wondering how is MS dealing with this? I am
wondering how do I create a new SSL certificate with SHA-256 or 512. Cant
seem to create one for IIS.
G.
|
|
|
| Back to top |
|
|
Galen
Guest
|
| Posted:
Tue Feb 22, 2005 5:50 am Post subject:
Re: Now that SHA-1 is cracked... |
|
|
In news:u5NlDBFGFHA.1084@tk2msftngp13.phx.gbl,
Matt Gibson <mattg@blueedgetech.ca> had this to say:
| Quote: | SHA-1 Is not "Cracked"
Read before you panic and spread FUD.
Matt Gibson - GSEC
|
From Google:
SHA-1 cracked!:
http://www.techspot.com/story17011.html
Perhaps the OP has been reading the news?
Galen
--
"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes |
|
| Back to top |
|
|
Galen
Guest
|
| Posted:
Tue Feb 22, 2005 6:48 am Post subject:
Re: Now that SHA-1 is cracked... |
|
|
In news:eO5MzTJGFHA.3492@TK2MSFTNGP12.phx.gbl,
Matt Gibson <mattg@blueedgetech.ca> had this to say:
| Quote: | There's a few things that should be said on all these "SHA-1 is
cracked" sites that rarely is.
|
Having read (indeed you're flagged an ugly magenta color by default with
OE -- sorry about that but I was running out of choices) a number of your
posts in the past I've found that I have never been able to find one flaw in
a single post you've sent unless it was a typo and in that case I probably
didn't even notice that. I have even read your papers about securing SMS
2000, I thought that it was well written and informative by the way. My
statement, just so you're aware, was just to show why the OP might have
thought that this was "reliable information." People, I think this is more
true of Western culture, tend to believe the news which, more often than
not, is biased in an effort to get a reaction, more readers/watchers, and
greater status.
What's more, in these "news sites," they should mention the vast amount of
computing power and time that it would take to accomplish this task even if
it's true. I use in this message the term "news" lightly and I hope that
you'll allow me to do so as I don't tend to think of blogs as a reliable
news medium nor do I follow much in the way of corporate sponsored news.
Mayhaps I should have put a "*chuckle*" behind the post about the OP reading
the news so that you were aware that I was agreeing with you and not
claiming the news was valid. Alas, I did not. I place these type of posts on
par with the people who post "I heard that MSN was going to shut down MSN
Messenger tomorrow at 9:00 AM if I didn't post this message to 100 people.
Is this true?" (Usually posted in all caps with a vague topic and a real
email address. Not to worry, they'll be back in three days asking about a
virus and in ten asking about all the spam they're receiving.)
Anyhow, there's no hope in changing the media and even smaller hope in
halting the number of questions which we'll receive about vague forms of
possible security threats. The best thing I can think of to tell people is
that the lines drawn for security are based on the person themselves and
what they want to get from the internet. If it's so valuable to them that
they're truly willing to risk the danger then it's something they should
do -- provided they've made an informed choice and are aware of the risks
before making the decision.
Galen
--
"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes |
|
| Back to top |
|
|
Roland Hall
Guest
|
|
| Back to top |
|
|
Matt Gibson
Guest
|
| Posted:
Tue Feb 22, 2005 6:48 am Post subject:
Re: Now that SHA-1 is cracked... |
|
|
Sorry Galen!
After reading through the thread with a little more care, I noticed your
post farther down explaining all that!
Many thanks for the words of praise...hopefully I'll live up to your
expectations ;)
It'll be intresting to see what the paper actually has to offer. I have a
feeling we'll see a lot of hasty retractions after it comes out.
If anyone's at all worried about the recent problems with MD5, SHA-0 and (it
would seem) SHA-1, all they need to do is use more than one hashing
function. I'd like to see someone come up with a collision in more than one
(non-related) hash algo at once.
Matt Gibson - GSEC
"Galen" <galennews@gmail.com> wrote in message
news:%23XtOLwJGFHA.3732@tk2msftngp13.phx.gbl...
| Quote: | In news:eO5MzTJGFHA.3492@TK2MSFTNGP12.phx.gbl,
Matt Gibson <mattg@blueedgetech.ca> had this to say:
There's a few things that should be said on all these "SHA-1 is
cracked" sites that rarely is.
Having read (indeed you're flagged an ugly magenta color by default with
OE -- sorry about that but I was running out of choices) a number of your
posts in the past I've found that I have never been able to find one flaw
in
a single post you've sent unless it was a typo and in that case I probably
didn't even notice that. I have even read your papers about securing SMS
2000, I thought that it was well written and informative by the way. My
statement, just so you're aware, was just to show why the OP might have
thought that this was "reliable information." People, I think this is more
true of Western culture, tend to believe the news which, more often than
not, is biased in an effort to get a reaction, more readers/watchers, and
greater status.
What's more, in these "news sites," they should mention the vast amount of
computing power and time that it would take to accomplish this task even
if
it's true. I use in this message the term "news" lightly and I hope that
you'll allow me to do so as I don't tend to think of blogs as a reliable
news medium nor do I follow much in the way of corporate sponsored news.
Mayhaps I should have put a "*chuckle*" behind the post about the OP
reading
the news so that you were aware that I was agreeing with you and not
claiming the news was valid. Alas, I did not. I place these type of posts
on
par with the people who post "I heard that MSN was going to shut down MSN
Messenger tomorrow at 9:00 AM if I didn't post this message to 100 people.
Is this true?" (Usually posted in all caps with a vague topic and a real
email address. Not to worry, they'll be back in three days asking about a
virus and in ten asking about all the spam they're receiving.)
Anyhow, there's no hope in changing the media and even smaller hope in
halting the number of questions which we'll receive about vague forms of
possible security threats. The best thing I can think of to tell people is
that the lines drawn for security are based on the person themselves and
what they want to get from the internet. If it's so valuable to them that
they're truly willing to risk the danger then it's something they should
do -- provided they've made an informed choice and are aware of the risks
before making the decision.
Galen
--
"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes
|
|
|
| Back to top |
|
|
Paul Adare
Guest
|
| Posted:
Tue Feb 22, 2005 6:48 am Post subject:
Re: Now that SHA-1 is cracked... |
|
|
In article <e4RayUHGFHA.560@TK2MSFTNGP15.phx.gbl>, in the
microsoft.public.windows.server.security news group, Galen <galennews@gmail.com> says...
Irresponsible journalism at its worst, and you obviously don't know enough about cryptography
to understand the issues here. SHA-1 has not been cracked, the researchers have simply
determined that rather than finding collisions in 2*80 they can find them with 2*69. While
that is 2048 times easier to find a collision, SHA-1 has not been cracked at all. I'd suggest
that rather than reading the news you spend some time researching cryptography.
--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871) |
|
| Back to top |
|
|
Galen
Guest
|
| Posted:
Tue Feb 22, 2005 6:48 am Post subject:
Re: Now that SHA-1 is cracked... |
|
|
In news:MPG.1c846b0c84d65075989ba8@msnews.microsoft.com,
Paul Adare <padare@newsguy.com> had this to say:
| Quote: | My apologies. I meant to follow up to the OP and not to your post. Had
the wrong one selected when I posted.
|
Certainly and happily accepted and understood. Your statement were correct
as it's not "cracked" just shows that there's a vulnerability that COULD (in
theory) be exploited eventually with the computers of today if I'm reading
properly. The concept is theory and the papers have not been examined by the
general community. I hope, for the 'net's sake, that if the papers are
released that they are incorrect. I do believe in full disclosure under some
circumstances, this is not one of them. I enjoy the comfort of shopping
online a bit too much and often spend a great deal of money online. My post,
I too should apologize, should have been more clear as it was in support of
Matt's statement. It was my thought at the time that people might click on
the link and read, from there they'd hopefully find out that theoretically
there's a vulnerability and that there's nothing to be concerned about at
this time and that the OP was indeed spreading FUD originally generated by
an over-eager sky-is-falling media.
In response, in theory, there's a potential vulnerability in everything you
do online or off but in an effort to not wax philosophical I'll leave it at
that. The only secure transaction is one that you make in person with cash
and even then you might be getting ripped off. The only secure computer is
one that isn't capable of being turned on. Everything else has a potential
risk be it obscure or minimal there is always a risk. With one of my
favorite quotes I will leave this... I'm not sure if it's attributable to
anyone specifically. "Security is not an application, it's a process." If
anyone knows who that should be attributed to please feel free to drop the
name off (and hopefully some sort of evidence that it was that person) in a
later post as this has been a nagging thought.
Galen
--
"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes |
|
| Back to top |
|
|
Paul Adare
Guest
|
| Posted:
Tue Feb 22, 2005 6:48 am Post subject:
Re: Now that SHA-1 is cracked... |
|
|
In article <O1nK6JIGFHA.3648@TK2MSFTNGP09.phx.gbl>, in the
microsoft.public.windows.server.security news group, Galen
<galennews@gmail.com> says...
| Quote: | How snide... At what point did I say that I knew anything about
cryptography??? I think, if you look at my post, all I did was point to
where the OP had gotten the information. I made no comment of the veracity
of the post, the news, nor of Matt's statement. In fact, having read a great
deal of Matt's posts in the past I tend to trust what he says. My post was
only referring to the origin of the OP's post.
|
My apologies. I meant to follow up to the OP and not to your post. Had
the wrong one selected when I posted.
--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871) |
|
| Back to top |
|
|
Galen
Guest
|
| Posted:
Tue Feb 22, 2005 6:48 am Post subject:
Re: Now that SHA-1 is cracked... |
|
|
In news:MPG.1c8456109ec808b8989ba7@msnews.microsoft.com,
Paul Adare <padare@newsguy.com> had this to say:
| Quote: | Irresponsible journalism at its worst, and you obviously don't know
enough about cryptography to understand the issues here. SHA-1 has
not been cracked, the researchers have simply determined that rather
than finding collisions in 2*80 they can find them with 2*69. While
that is 2048 times easier to find a collision, SHA-1 has not been
cracked at all. I'd suggest that rather than reading the news you
spend some time researching cryptography.
|
How snide... At what point did I say that I knew anything about
cryptography??? I think, if you look at my post, all I did was point to
where the OP had gotten the information. I made no comment of the veracity
of the post, the news, nor of Matt's statement. In fact, having read a great
deal of Matt's posts in the past I tend to trust what he says. My post was
only referring to the origin of the OP's post.
Galen
--
"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes |
|
| Back to top |
|
|
Matt Gibson
Guest
|
| Posted:
Tue Feb 22, 2005 6:48 am Post subject:
Re: Now that SHA-1 is cracked... |
|
|
Galen,
There's a few things that should be said on all these "SHA-1 is cracked"
sites that rarely is.
A) No one has seen this paper that claims to have found a collision in SHA-1
in less than brute force attempts. It has not been released to the public,
so no memebers of the crypto community have had a chance to review it.
B) In the 2-3 page abstract from this paper, they state that their collision
was found with out the padding needed by SHA-1. So this may not be of any
real world use, as all (that I know of) SHA-1 implementations use padding
(as they're supposed to), and this attack may not work against padded
implementations.
C) Say the paper is right, and they can now break SHA-1 in ~2^53 attempts.
What does this mean to most people? Nothing. With these attacks, you
cannot just get "I will give you 1 million dollars" to "I will give you 10
million dollars". You'd have a better chance of getting "09sdfkj3uih3wi8"
to hash to the same value.
This is a prime example of how the media (and the uninformed tech community)
spreads FUD.
Matt Gibson - GSEC
"Galen" <galennews@gmail.com> wrote in message
news:e4RayUHGFHA.560@TK2MSFTNGP15.phx.gbl...
| Quote: | In news:u5NlDBFGFHA.1084@tk2msftngp13.phx.gbl,
Matt Gibson <mattg@blueedgetech.ca> had this to say:
SHA-1 Is not "Cracked"
Read before you panic and spread FUD.
Matt Gibson - GSEC
From Google:
SHA-1 cracked!:
http://www.techspot.com/story17011.html
Perhaps the OP has been reading the news?
Galen
--
"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes
|
|
|
| Back to top |
|
|
Guest
|
| Posted:
Tue Feb 22, 2005 8:59 pm Post subject:
Re: Now that SHA-1 is cracked... |
|
|
Matt Gibson wrote:
<snip A and B>
| Quote: | C) Say the paper is right, and they can now break SHA-1 in ~2^53
attempts.
What does this mean to most people? Nothing. With these attacks,
you
cannot just get "I will give you 1 million dollars" to "I will give
you 10
million dollars". You'd have a better chance of getting
"09sdfkj3uih3wi8"
to hash to the same value.
|
Certainly true--this alleged vulnerability has no measurable effect on
signed messages. However and unfortunately, some applications use
SHA-1 as a more basic building block of their security. The most
common example, of course, is storing the hash of a password in an
accessible xml file, and authenticating the user if a hash of his input
matches the hash in the xml file. Assuming that the Chinese can do
everything they claim, and that the padding problem can likewise be
overcome, these collisions surely reduce the security of such
applications by the advertised amount. |
|
| Back to top |
|
|
Matt Gibson
Guest
|
| Posted:
Tue Feb 22, 2005 11:56 pm Post subject:
Re: Now that SHA-1 is cracked... |
|
|
Agreed.
Matt Gibson - GSEC
<thurberk@cscsw.com> wrote in message
news:1109084384.464291.145630@c13g2000cwb.googlegroups.com...
| Quote: | Matt Gibson wrote:
snip A and B
C) Say the paper is right, and they can now break SHA-1 in ~2^53
attempts.
What does this mean to most people? Nothing. With these attacks,
you
cannot just get "I will give you 1 million dollars" to "I will give
you 10
million dollars". You'd have a better chance of getting
"09sdfkj3uih3wi8"
to hash to the same value.
Certainly true--this alleged vulnerability has no measurable effect on
signed messages. However and unfortunately, some applications use
SHA-1 as a more basic building block of their security. The most
common example, of course, is storing the hash of a password in an
accessible xml file, and authenticating the user if a hash of his input
matches the hash in the xml file. Assuming that the Chinese can do
everything they claim, and that the padding problem can likewise be
overcome, these collisions surely reduce the security of such
applications by the advertised amount.
|
|
|
| Back to top |
|
|
Jeff Cochran
Guest
|
| Posted:
Thu Feb 24, 2005 6:48 am Post subject:
Re: Now that SHA-1 is cracked... |
|
|
On Mon, 21 Feb 2005 14:34:15 -0500, "George Spiro" <spam@spam.com>
wrote:
| Quote: | Now that SHA-1 is cracked I am wondering how is MS dealing with this? I am
wondering how do I create a new SSL certificate with SHA-256 or 512. Cant
seem to create one for IIS.
|
Nice troll. Your answer is "you can't".
Jeff |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in