Take this with a grain of salt. SHA and MD5 are not broken. The
article is VERY LIGHT ON DETAILS! This is likely an attack to
increase the ability to force a collision. This is a useful attack
in some circumstances... some. Does this mean passwords stored with
SHA-1 hashes are suddenly vulnerable? Nope! You'd still need a
brute force attack to break a well-designed password system that used
salted hashes, whether it's SHA-1 or MD-5. I do recommend new systems
implement SHA-256 or greater for password hashing. If your system
uses MD5 or SHA-1 I wouldn't bother changing it any time soon.
Simply put, by being able to force a collision -- two docs have the
same hash -- you'd gain the advantage of being able to replace one
document with another without changing the hash of the document,
hence the problems with digital signatures. But can you replace one
useful document with another document, useful to the attacker,
without changing the context? Maybe... maybe not.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or
that we are to stand by the president right or wrong, is not only
unpatriotic and servile, but is morally treasonable to the American
public."
-- Theodore Roosevelt
On Jan 22, 2007, at 4:33 PM, John Mason wrote:
These things are always going to happen (just give it enough
time), but a research team in China finally cracked SHA-1.
http://it.slashdot.org/article.pl?sid=07/01/20/1936257&from=rss
John
[EMAIL PROTECTED]
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
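The distinction drawn in the reply above, between forcing a collision and attacking a stored salted hash, shown as an added example that is not part of the original thread. It assumes a toy hash (SHA-1 truncated to 16 bits) so both searches finish quickly; all function names, salts and the sample password are constructed for illustration.

```python
import hashlib

BITS = 16  # toy digest size (assumption) so both searches finish in seconds

def toy_hash(data: bytes) -> int:
    """SHA-1 truncated to BITS bits: a deliberately weak stand-in."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - BITS)

def find_collision():
    """Collision: the attacker picks BOTH inputs; any matching pair will do."""
    seen = {}
    n = 0
    while True:
        doc = b"doc-%d" % n
        digest = toy_hash(doc)
        if digest in seen:
            return seen[digest], doc, n + 1
        seen[digest] = doc
        n += 1

def store_password(password: bytes, salt: bytes) -> int:
    """What the password table holds: hash(salt + password)."""
    return toy_hash(salt + password)

def brute_force(stored: int, salt: bytes, limit: int = 5_000_000):
    """Password attack: the target digest is fixed, so guesses must hit it."""
    for n in range(limit):
        guess = b"guess-%d" % n
        if toy_hash(salt + guess) == stored:
            return guess, n + 1
    return None, limit

def average_brute_force_work(salts):
    """Mean number of guesses over several constructed salts."""
    total = 0
    for salt in salts:
        _, work = brute_force(store_password(b"hunter2", salt), salt)
        total += work
    return total / len(salts)

if __name__ == "__main__":
    a, b, tries = find_collision()
    print("collision after", tries, "hashes:", a, b)
    salts = [b"salt-%d:" % i for i in range(4)]  # constructed sample salts
    print("average guesses per salted hash:", average_brute_force_work(salts))
```

With an n-bit digest the collision search needs on the order of 2^(n/2) hashes while hitting one fixed stored value needs on the order of 2^n, which is why a faster collision attack on the full hash does not by itself shorten the search against a stored salted hash.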