Just last week, VB Editor Martijn Grooten
addressed an audience
at the RSA Conference in San Francisco on the topic of cryptographic protocols that have supposedly been broken in recent years, including the SHA-1 hash function which is considered all but broken.
Back in 2004, the entire crypto community was abuzz with the astonishing news that a group of Chinese researchers had demonstrated a hash collision in the widely used MD5 hash function.
In October 2004,
VB
‘s Technical Editor, Morton Swimmer, and his colleague Jonathan Poritz took a closer look at the situation, providing a background to the use of hash functions, the breaking of MD4 and the downfall of MD5, and considering what lessons could be drawn from the incident.
Interestingly, they did suggest that “applications like SSL may […] be secure enough” against collision attacks, because creating a fake but valid certificate is many times more complicated than creating a collision. A fake SSL certificate was successfully created during the
Chaos Communication Congress
in 2008 and in 2012 it was found that the
Flame malware
had used this to fake
Microsoft
‘s digital signature.
The full ‘Hash Woes’ report can be read
here
in HTML format or downloaded
here
as a PDF.
Leave a Reply