|
|
|
|
| |
|
|
Headline
News: The
Failure
of SSL and
its underlying
SHA-1 algorithm |
|
|
|
|
|
|
|
|
Headline
News:
SSL
and its SHA-1 algorithm
is compromised
SHA-1
is the technical underpinning
of Secure Sockets Layer
(SSL), a private-key
technology used to send
secure information over
the Internet. In addition,
a handful of microchip
makers — including Atmel,
Infineon, National Semiconductor
and STMicroelectronics
— use SHA-1 as the basis
for their Trusted Platform
Modules developed by
the Trusted Computing
Group to provide a hardware
root of trust in PCs
and other devices. Hardware
tokens are also typically
built on the OATH (Open
Authentication) standard,
a 160-bit protocol that
uses SHA-1 at its core.
In
February of2005, three
Chinese mathematicians
announced that they
had cracked (reverse
engineered) the SHA-1
hashing algorithm. This
announcement has caused
considerable consternation
among security experts
owing to the fact that
SHA-1 is used in SSL
certificates, tokens,
trusted platforms, etc.
It is now possible to
break, on a mathematic
level, the security
encryption of SSL equipped
websites and most hardware-based
tokens.
As a
result of this failure
of SHA-1, the National
Institute of Standards
and Technology (NIST)
has announced plans
to abandon SHA-1 and
is calling for all regulatory
agencies and hardware
vendors to migrate to
the new SHA-256 hashing
algorithm, which is
used by PhishCops®,
by 2010. For
a side-by-side comparison
of hardware tokens and
PhishCops™,
click here.
Here
is just a sampling of
what experts are now
now saying regarding
the SHA-1 algorithm
and SSL.
|
|
|
|
U.S.
mulls new digital-signature
standard
C-Net
News
A team of Chinese
scientists shocked the
data security world
this year by announcing
a flaw in a widely used
technique used to create
and verify digital signatures
in e-mail and on the
Web…
|
|
|
|
Microsoft
Scraps Old Encryption
in New Code
eWeek.com
Microsoft
is banning certain cryptographic
functions from new computer
code, citing increasingly
sophisticated attacks
that make them less
secure, according to
a company executive….
the SHA1 encryption
algorithm is becoming
"creaky at the
edges," said Michael
Howard, senior security
program manager at the
company… The algorithms
are used to create digital
signatures and check
the integrity of information…
Microsoft is recommending
using the Secure Hash
Algorithm (SHA)256…instead.
|
|
|
|
Crypto
world in panic as SHA-1
broken
Techworld.com
The
SHA-1 (secure hash algorithm)
authentication scheme
that underpins digital
signatures used in SSL
browser security and
PGP encryption is reported
to have been broken….
|
|
|
|
Vulnerable
security algorithms
raise concerns
NetworkWorld.com
said
Niels Ferguson, a cryptographer
with Microsoft. "Try
to switch away from
SHA-1 as quickly as
you can…
|
|
|
|
SHA1
Cryptographic Hash Update
SystemExperts Corporation
By
far, the services that
are most vulnerable
to the recent attacks
are digital signatures
and related document
authenticity signatures…
A
loud and clear call
has gone out to the
network protocol and
information exchange
standards bodies developing/modifying
standards that can accommodate
new hash functions as
soon as possible…. the
SHA256 standard is currently
resisting known SHA1
attacks….
|
|
|
|
New
optimized SHA-1 attack
Virus.org
SHA-1
is broken, it should
be replaced with the
newer SHA hashes…
|
|
|
|
Authentication
technology bites the
dust
Techworld.com
Virtually all application
and server software
that incorporates SHA-1
into its functions,
including Web browsers,
e-mail clients, instant
messaging programs,
secure shell clients,
and file and disk encryption
software, will need
to be replaced or upgraded….
experts are urging software
companies to integrate
SHA-256 into applications
that currently use SHA-1…
|
|
|
|
How
long does it take to
crack SSL?
Marktaw.com
(blog)
That's 1 SSL
connection cracked every
7 minutes…
|
|
|
|
|
|
