According to the Epoch Times, citing the New Scientist article “Security Cracked!”, within five years the U.S. government will stop using SHA-1 (Secure Hash Algorithm) and move to a new, more advanced hash algorithm.
The reason for the change is that associate professor Wang Xiaoyun of Beijing’s Tsinghua University and Shandong University of Technology, together with her associates, has already cracked SHA-1. This is the fifth hash function in a row that Wang’s team has broken (SHA-1, MD5, HAVAL-128, MD4, and RIPEMD).
What does this mean for the rest of us?
Well, MD5 and SHA-1 are the two most extensively used hash algorithms in the world. These two main algorithms currently underpin many digital signature and other security schemes in use throughout the international community.
They are widely used in banking, securities, and e-commerce. In fact, SHA-1 has been recognized as the cornerstone for modern Internet security.
For example, whenever you log in to your online bank account or make a purchase from Amazon.com, they tell you not to worry because “This transaction is protected by Secure Sockets Layer Encryption”; well, guess what… that’s an SHA-1 encrypted session.
And if your company has set you up with a laptop and a VPN connection back to the corporate LAN, guess what? Yep, that’s an IPsec connection powered by SHA-1.
According to Bruce Schneier, who warned two years ago that this was coming:
For the average Internet user, this news is not a cause for panic. No one is going to be breaking digital signatures or reading encrypted messages anytime soon. The electronic world is no less secure after these announcements than it was before.
But there’s an old saying inside the NSA: “Attacks always get better; they never get worse.” Just as this week’s attack builds on other papers describing attacks against simplified versions of SHA-1, SHA-0, MD4, and MD5, other researchers will build on this result. The attack against SHA-1 will continue to improve, as others read about it and develop faster tricks, optimizations, etc. And Moore’s Law will continue to march forward, making even the existing attack faster and more affordable.
Jon Callas, PGP’s CTO, put it best: “It’s time to walk, but not run, to the fire exits. You don’t see smoke, but the fire alarms have gone off.”
If banks and investment firms implemented an additional layer of protection beyond a simple password or challenge question, such as SecurID tokens, a compromised password would matter far less: without the correct random code to go along with it, a hacker would still be out of luck.
Here is a great little video to explain what I’m talking about.