SHA-1 broken - impact on SuSE linux versions
Hi list, I would like to discuss this with you:

This [1] article shows that SHA-1 is broken and details will be "fully disclosed" [2] soon.

What impact does it have for our SuSE linux installations? Where is it used by default in standard packages and where by default in packages to install additionally via Yast?

I found it exempli gratia in SSH for integrity checks (seems not critical) or in gpg for fingerprints.

The polarizer
polarizers at its best http://www.glass-polarizers.com

[1] http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
[2] http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0303.html
On Wed, Feb 16, 2005 at 09:31:42AM +0100, Polarizer wrote:
> Hi list, I would like to discuss this with you:
> This [1] article shows that SHA-1 is broken and details will be "fully disclosed" [2] soon.
> What impact does it have for our SuSE linux installations? Where is it used by default in standard packages and where by default in packages to install additionally via Yast?
> I found it exempli gratia in SSH for integrity checks (seems not critical) or in gpg for fingerprints.
> The polarizer
> polarizers at its best http://www.glass-polarizers.com
> [1] http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
> [2] http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0303.html
We are not that mathematically inclined to evaluate that without looking at the paper...
We are eagerly awaiting Bruce's and other crypto experts' evaluations.

Ciao, Marcus
> > What impact does it have for our SuSE linux installations? Where is it used by default in standard packages and where by default in packages to install additionally via Yast?
> We are not that mathematically inclined to evaluate that without looking at the paper...
> We are eagerly awaiting Bruce's and other crypto experts' evaluations.
> Ciao, Marcus
Sorry Marcus, this was not what I asked for at all. I wouldn't like to discuss the mathematical aspects, but the consequences of the statement <quote>SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing</quote> [1].

Broken is broken, isn't it?

SHA-1 is used by several of the software packages provided with SuSE linuxes. Any sentences on this very issue from SuSE or anyone else here on the list?

The polarizer
polarizers at its best http://www.glass-polarizers.com

[1] http://www.schneier.com/blog/
On Wed, Feb 16, 2005 at 01:31:49PM +0100, Polarizer wrote:
> > > What impact does it have for our SuSE linux installations? Where is it used by default in standard packages and where by default in packages to install additionally via Yast?
> > We are not that mathematically inclined to evaluate that without looking at the paper...
> > We are eagerly awaiting Bruce's and other crypto experts' evaluations.
> > Ciao, Marcus
> Sorry Marcus, this was not what I asked for at all. I wouldn't like to discuss the mathematical aspects, but the consequences of the statement
> <quote>SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing</quote> [1].
> Broken is broken, isn't it?
> SHA-1 is used by several of the software packages provided with SuSE linuxes. Any sentences on this very issue from SuSE or anyone else here on the list?

"The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team."

As for SUSE, we are now aware of this problem and will see what is affected and discuss how to handle it.

Ciao, Marcus
> As for SUSE, we are now aware of this problem and will see what is affected and discuss how to handle it.
> Ciao, Marcus
Thank you. Didn't expect anything else. Since SHA-1 is used to sign each and everything we can('t :O>) await upcoming problems and algorithm migrations.

The polarizer
polarizers at its best http://www.glass-polarizers.com
Polarizer wrote:
> > > What impact does it have for our SuSE linux installations? Where is it used by default in standard packages and where by default in packages to install additionally via Yast?
> > We are not that mathematically inclined to evaluate that without looking at the paper...
> > We are eagerly awaiting Bruce's and other crypto experts' evaluations.
> > Ciao, Marcus
> Sorry Marcus, this was not what I asked for at all. I wouldn't like to discuss the mathematical aspects, but the consequences of the statement
> <quote>SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing</quote> [1].

You need to focus on the whole post by Bruce, which includes:

"The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team. More details when I have them."

--
Until later, Geoffrey
On Wed, 16 Feb 2005, Polarizer wrote:
> > We are not that mathematically inclined to evaluate that without looking at the paper...

Something as important as this would be published in a refereed journal, not just on someone's site. Bruce may in fact have sent in such a paper to a journal or a conference and is waiting for publication prior to releasing details. If someone has a citation to some journal or conference proceedings, I have access to most of them through the university; send along the citation and I'll take a look. I'm not a crypto expert but I'm able to follow the analysis.

> > We are eagerly awaiting Bruce's and other crypto experts' evaluations.

See above about journals.

> > Ciao, Marcus
> Sorry Marcus, this was not what I asked for at all. I wouldn't like to discuss the mathematical aspects, but the consequences of the statement
> <quote>SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing</quote> [1].
> Broken is broken, isn't it?

No. So far you have a statement with no support. You will find websites that claim AES is broken. To my knowledge, this is false: none have submitted a proof to a refereed journal or conference.
> No. So far you have a statement with no support. You will find websites that claim AES is broken. To my knowledge, this is false: none have submitted a proof to a refereed journal or conference.

Indeed. I remember a third year "number theory and cryptography" class at university (1993/4) when the lecturer got suddenly really excited because some chap had said he'd developed a proof of Fermat's last theorem. He did point out that people would be checking it thoroughly to see how rigid a proof it was, and until then he'd wait and see.

I think this falls into the same category. It'd be a good thing to look at the potential problems should the Chinese team have managed to break SHA1, but let's not panic yet.

Tom.

--
Tom Knight
System Administration Officer
Arts & Humanities Data Service
Web: http://www.ahds.ac.uk
Email: tom.knight@ahds.ac.uk
Ok I now have read Bruce's blog on the subject. The paper in question is from a group of Chinese researchers and as yet is unpublished; they have, as is customary, been circulating drafts and/or preprints privately. The group in question is reportedly an established and respected cryptanalyst team.

What is reported is that there is a collision attack. The one-line summary is alarmist. It is a very, very difficult attack requiring 2**69 operations. The claim of "broken" is because a brute-force attack on SHA-1 requires 2**80 operations.

It's a question of what are you protecting? Nuclear weapon launch codes never used SHA-1 to begin with, they use at least AES-256 and the codes are changed regularly. Same for other such information. I don't believe anyone encrypts sensitive compartmentalized information with SHA-1 in the first place.

On our practical level, SHA-1 is fine for digital signature of SuSE RPM for at least another couple of years. I would say it is also still acceptable for credit card information for another year since credit cards expire within 3 years.

On Wed, 16 Feb 2005, Polarizer wrote:
> > > What impact does it have for our SuSE linux installations? Where is it used by default in standard packages and where by default in packages to install additionally via Yast?
> > We are not that mathematically inclined to evaluate that without looking at the paper...
> > We are eagerly awaiting Bruce's and other crypto experts' evaluations.
> > Ciao, Marcus
> Sorry Marcus, this was not what I asked for at all. I wouldn't like to discuss the mathematical aspects, but the consequences of the statement
> <quote>SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing</quote> [1].
> Broken is broken, isn't it?
> SHA-1 is used by several of the software packages provided with SuSE linuxes. Any sentences on this very issue from SuSE or anyone else here on the list?
> The polarizer
> polarizers at its best http://www.glass-polarizers.com
> [1] http://www.schneier.com/blog/

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Polarizer wrote on Wed, 16 Feb 2005 13:31:49 +0100:
> Broken is broken

It's not broken.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
On Sunday 20 February 2005 11:37, Kai Schaetzl wrote:
> Polarizer wrote on Wed, 16 Feb 2005 13:31:49 +0100:
> > Broken is broken
> It's not broken.

It IS broken, because the effort of finding a collision now is below the effort of using brute force, 2^64 vs 2^80. The same applies to a cipher: if the effort to find a key is below brute force it is broken, it's that simple. How feasible a real world attack is, is something different, but for a cryptographer SHA-1 is broken.

Malte
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Malte Gell wrote:
> On Sunday 20 February 2005 11:37, Kai Schaetzl wrote:
> > Polarizer wrote on Wed, 16 Feb 2005 13:31:49 +0100:
> > > Broken is broken
> > It's not broken.
>
> It IS broken, because the effort of finding a collision now is below the effort of using brute force, 2^64 vs 2^80. The same applies to a cipher, if the effort to find a key is below brute force it is broken, it's that simple. How feasible a real world attack is, is something different, but for a cryptographer SHA-1 is broken.
>
> Malte

O.K. a 2^64 key is more insecure than a 2^80 long key, but try to break it. The next step is to find the collision. If you got any mathematical knowledge or some courses in encryption you would know that this is not that easy. The issue is a mathematical instability in the sha1 algorithm. Normally I use md5.

SHA1 is normally used for file integrity (afaik with ssh), so maybe mr. evil could hack a signed package and use this technique to break the integrity of a signed file.

O.K. this is security related, but it still takes a strong effort to break keys. Next thing is sha1 is a hashing algorithm and no encryption algorithm. What does this mean? A calculation of the content of a file is made and gets extracted to a file with a content of some bytes, comparable to adding digits of a number.

A second application of hashing is password encryption. You don't get the password, if you hack a shadow-file, you get the hash-value of a password. This is not the same as the password itself.

This doesn't mean you are not safe anymore. But it is not that hard anymore to get the sha1-value (2^64 = 1'844'674'074'000'000'000). A next comparison would be key length vs. encryption algorithm (e.g.: twofish or blowfish is not as secure as md5). There you see some algorithms are faster or slower and the faster are more insecure than the slower ones.

I think mostly high secure applications should be concerned about that.

Regards
Philippe
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Philippe Vogel wrote:
> Malte Gell wrote:
> > On Sunday 20 February 2005 11:37, Kai Schaetzl wrote:
> > > Polarizer wrote on Wed, 16 Feb 2005 13:31:49 +0100:
> > > > Broken is broken
> > > It's not broken.
> >
> > It IS broken, because the effort of finding a collision now is below the effort of using brute force, 2^64 vs 2^80. The same applies to a cipher, if the effort to find a key is below brute force it is broken, it's that simple. How feasible a real world attack is, is something different, but for a cryptographer SHA-1 is broken.
> >
> > Malte
>
> O.K. a 2^64 key is more insecure than a 2^80 long key, but try to break it. The next step is to find the collision. If you got any mathematical knowledge or some courses in encryption you would know that this is not that easy. The issue is a mathematical instability in the sha1 algorithm. Normally I use md5.
>
> SHA1 is normally used for file integrity (afaik with ssh), so maybe mr. evil could hack a signed package and use this technique to break the integrity of a signed file.
>
> O.K. this is security related, but it still takes a strong effort to break keys. Next thing is sha1 is a hashing algorithm and no encryption algorithm. What does this mean? A calculation of the content of a file is made and gets extracted to a file with a content of some bytes, comparable to adding digits of a number.
>
> A second application of hashing is password encryption. You don't get the password, if you hack a shadow-file, you get the hash-value of a password. This is not the same as the password itself.
>
> This doesn't mean you are not safe anymore. But it is not that hard anymore to get the sha1-value (2^64 = 1'844'674'074'000'000'000). A next comparison would be key length vs. encryption algorithm (e.g.: twofish or blowfish is not as secure as md5). There you see some algorithms are faster or slower and the faster are more insecure than the slower ones.
>
> I think mostly high secure applications should be concerned about that.
>
> Regards
>
> Philippe

Oh and I forgot PGP works with SHA1 for mail signing ;) Maybe this is for your private purpose to solve this issue if you sign your mails for the guarantee the mail came from you :( I hope everybody gave his key a password [...] :-X

Philippe
> A second application of hashing is password encryption. You don't get the password, if you hack a shadow-file, you get the hash-value of a password. This is not the same as the password itself.
> This doesn't mean you are not safe anymore. But it is not that hard anymore to get the sha1-value (2^64 = 1'844'674'074'000'000'000). A next comparison would be key length vs. encryption algorithm (e.g.: twofish or blowfish is not as secure as md5). There you see some algorithms are faster or slower and the faster are more insecure than the slower ones.
> I think mostly high secure applications should be concerned about that.
> Regards
> Philippe

1. If you have the collision for a password hash you don't need the real password anymore, because the collision will give you access as well.
2. The collision issue is only really relevant for password encryption, for the above reason. You won't be able to create a meaningful collision, just SOME collision.
3. Compared to the risk of people creating and owning 100 GB rainbow tables of all SHA-1 hashes from 1-10 chars and offering password cracks online via web interface, the risk of one of those new found SHA-1 collisions threatening your security is negligible.
4. If your information is worth attacking, it may be worth protecting. But, is it really? I know that I have nothing in my possession that may make someone bruteforce 2^69 SHA-1 hashes to get to it. You may have something... but not everyone does.

Ralf
On Monday 21 February 2005 00:18, SkyFlash wrote:
> [...]

Agreed to that.

> 4. If your information is worth attacking, it may be worth protecting. But, is it really? I know that I have nothing in my possession that may make someone bruteforce 2^69 SHA-1 hashes to get to it. You may have something... but not everyone does.

This is true, but at the same time a very dangerous argument. The problem is: if an algorithm has such a severe weakness that cuts off that much from its strength, we really have no clue if this attack can't be expanded much more. When the Chinese scientists release more information about their attack, maybe someone else might be able to shrink SHA-1 to 2^50 or even 2^40; you just can't know, but it certainly wouldn't surprise us much. The problem is not that SHA-1 is now at 2^69, the problem is that SHA-1 has not the security we thought it had, and we have no clue to what degree this attack might be extended; this boils down the remaining security of SHA-1 to be just luck, nothing more. SHA-1 is just gone.

Malte
Malte Gell wrote on Sun, 20 Feb 2005 22:00:21 +0100:
> How feasible a real world attack is, is something different, but for a cryptographer SHA-1 is broken.

Ok, I see what you mean. But we *are* talking about the real world impact here and there's no difference to a week ago.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
On Monday 21 February 2005 02:31, Kai Schaetzl wrote:
> Malte Gell wrote on Sun, 20 Feb 2005 22:00:21 +0100:
> > How feasible a real world attack is, is something different, but for a cryptographer SHA-1 is broken.
> Ok, I see what you mean. But we *are* talking about the real world impact here and there's no difference to a week ago.

Well, I agree for most users it will make no difference _for now_, but look what Schneier says about the chance and cost to build a machine able to produce collisions: he estimates it takes $25M - $38M to produce SHA-1 collisions in 56 hours. Yes, _hours_, not months or years. As you said, for most users SHA-1 is just fine, but the time to start to move to something new is right now.

http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

Regards
Malte
On Wed, Feb 16, 2005 at 09:31:42AM +0100, Polarizer wrote:
> What impact does it have for our SuSE linux installations? Where is it used by default in standard packages and where by default in packages to install additionally via Yast?
> I found it exempli gratia in SSH for integrity checks (seems not critical) or in gpg for fingerprints.

From [1]:
: It pretty much puts a bullet into SHA-1 as a hash function for digital
: signatures (although it doesn't affect applications such as HMAC where
: collisions aren't important).

So it doesn't look that bad for most uses (although certificates are a very critical use).

Ciao
Joerg

--
Joerg Mayer <jmayer@loplof.de>
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
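Malte's criterion above (a hash is broken once a collision costs less than the 2^(n/2) birthday bound), Ralf's point that what such an attack yields is "just SOME collision", and the HMAC caveat Joerg quotes can all be shown on a toy scale. The following is an added example, not code from the thread or from SUSE: it runs the generic birthday search against SHA-1 truncated to 24 bits (a hypothetical toy hash, so the 2^(n/2) search finishes in seconds instead of at 2^80), then shows that a hash-then-sign signature over one colliding message verifies for the other while HMAC tags over the same pair do not collide; the signing stand-in, key names and messages are all constructed.

```python
"""Added example (not from the thread): why an unkeyed hash collision
threatens hash-then-sign but not HMAC. Real 2^69-work SHA-1 collisions
cannot be reproduced here, so a 24-bit truncation of SHA-1 stands in."""
from __future__ import annotations
import hashlib
import hmac

TOY_BYTES = 3  # 24-bit toy digest; real SHA-1 has 160 bits (brute force 2^80)


def toy_hash(msg: bytes) -> bytes:
    """'Toy SHA-1': the first 24 bits of a real SHA-1 digest."""
    return hashlib.sha1(msg).digest()[:TOY_BYTES]


def birthday_collision(limit: int = 1 << 18) -> tuple[bytes, bytes]:
    """Generic birthday search over constructed messages. Expected cost is
    about sqrt(pi/2 * 2^24), roughly 5,000 hashes: the 2^(n/2) mark that
    the thread measures 'broken' against. The pair found is random, i.e.
    'SOME collision', not a meaningful one."""
    seen: dict[bytes, bytes] = {}
    for i in range(limit):
        msg = b"constructed message %d" % i
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg
        seen[h] = msg
    raise RuntimeError("no collision within limit")


def sign(signing_key: bytes, msg: bytes) -> bytes:
    """Hypothetical hash-then-sign stand-in: the signing step (an HMAC over
    the digest, standing in for RSA/DSA) only ever sees toy_hash(msg)."""
    return hmac.new(signing_key, toy_hash(msg), "sha256").digest()


def toy_mac(mac_key: bytes, msg: bytes) -> bytes:
    """HMAC over the same toy width: the key enters the hash state before
    the message, so a collision of the unkeyed hash does not carry over."""
    return hmac.new(mac_key, msg, "sha1").digest()[:TOY_BYTES]


def demo() -> dict[str, bool]:
    """Run the checks and return them so they can be asserted on."""
    m1, m2 = birthday_collision()
    key = b"constructed demo key"
    sig_m1 = sign(key, m1)
    return {
        "distinct_messages": m1 != m2,
        "toy_digests_equal": toy_hash(m1) == toy_hash(m2),
        # only the 24-bit toy digests collide; the full SHA-1 digests do not
        "full_sha1_equal": hashlib.sha1(m1).digest() == hashlib.sha1(m2).digest(),
        # a signature made over m1 verifies for m2: the signer never saw m2
        "signature_transfers": hmac.compare_digest(sig_m1, sign(key, m2)),
        # the same pair does not collide under HMAC (Joerg's point)
        "mac_tags_equal": toy_mac(key, m1) == toy_mac(key, m2),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```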
Participants (10): Dana Hudes, Geoffrey, Joerg Mayer, Kai Schaetzl, Malte Gell, Marcus Meissner, Philippe Vogel, Polarizer, SkyFlash, Thomas Knight