Capt_Caveman
02-18-2005 10:50 PM
There have actually been several recent advances in breaking various cryptographic hashing algorithms in the last few months, with md5 and now sha1 being cracked. However, it's very important to understand the context in which these algorithms have been 'broken'. For both md5 and sha1, researchers have devised techniques for finding collisions significantly more often than should be allowed by chance alone. Using these techniques you can find 2 files that have identical cryptographic checksums or digital signatures. However, this still requires significant resources. Anecdotally (I have yet to actually read the sha1 paper), this will reduce the number of operations to 10^29, which is a significant failure in cryptographic terms, but in practical terms this is still an enormous amount. Some of the estimates I've seen state that a standard PC running for 1,000 years might identify a collision with this technique.
There are some areas, such as legal fields and 3-letter gov't agencies, where this may have profound effects; for example, files digitally signed with md5 or SHA1 can no longer be considered to be 100% valid, as someone could generate a faked file with an identical hash. But for Joe Linux user depending on sha or md5 passwd hashes, this is not a serious issue. Though I wouldn't be shocked to see everyone moving to new encryption algorithms in the near future.