On Wed, 16 Feb 2005, Josh Coates wrote:
> first off, I'm just like most engineers - we don't just blindly give
> credibility to "quoted experts" - we examine things ourselves, and right
> now, there is nothing to examine except a bunch of blogs.
I'll certainly grant you that. And if it was a claim about some new raytracer
that's ultra-efficient, I'd wait and see too. But crypto relies heavily and
directly on assumptions which are determined to be good risks only after years
of research. So when we saw a paper listing actual collisions of MD5 and a
bunch of other hashes, that was big news. A bunch of people said "hey, it's
just a collision, we already knew hash functions have collisions," but they
didn't realize that in a truly secure hash function, *we'll never ever see
even a single one*. And sure enough, people like Kaminsky are showing that
just knowing specific collisions can cause problems, *even without knowing how
to generate them*. Willing to bet your company that nobody but the
researchers knows how the attacks work?
So when the same group seems to have broken the only other widely used hash
function, as reported by several highly reputable sources, folks like Mike who
care whether their signatures get forged start looking for other solutions.
Like I said in my reply to Michael earlier, it undermines the decades of work
we've done making crypto something respectable to start putting post-it notes
on things: "Tripwire lets attackers swap out files they created for different
ones", "Digital signatures can be broken by anybody with 2^69 cycles, maybe a
lot less, let's just wait a few years and see". Sure, don't stop using
Tripwire and signatures entirely, but we need to swap out the hash function
right away.
I guess the problem is a cultural one -- as an engineer, you're used to things
coming and going over time. Companies used to take a relaxed approach to
security holes, treating them like other software bugs. Hopefully we've
learned now that attacks go from theoretical to default-part-of-the-rootkit
overnight. Crypto's no different. I need to be able to tell people that
their multimillion dollar transactions (or credit card numbers, or banking
information on the RSA-MD5 signed SSL websites) are safe because researchers
have done their best to ensure that not even somebody with 2^79 spare cycles
can undetectably monitor or modify their communications. We've solved 2^64
problems; 2^69 is only 32 times harder. That's for SHA1 (MD5 only takes an
hour + 15 minutes per additional pair on their supercomputer; a PC might not
take more than a month), it's already well within our ability to compute, and
the attacks are only going to get better.
So given that people get progressively less worried about security as they get
less technical, it's important that folks like Mike remind us not to use
broken crypto. If people hear confused stories about how we already know
hashes have collisions, and it's no big deal when algorithms are "only a
little broken", it sends the message that security is something they don't
have to think carefully about and which can be sloppy, and that sends them
right into the arms of the snake oil vendors.
It's a hard message to convey. Hard enough that my data security students
complained bitterly about being docked points for choosing really poor
passwords. But at least the people on the UUG list, who often make security
choices on behalf of lots of other people, should know and care enough not to
use broken primitives. Sure, don't shut off the internet pending a redesign,
but the engineers need to do some fixing quick. When crypto fails, it usually
fails undetectably.
-J
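Added illustration, not part of the thread above: a toy Merkle-Damgard hash (the construction MD5 and SHA-1 share) with an assumed stand-in compression function and a 24-bit state so a birthday-bound collision is cheap to find, showing the point about "just knowing specific collisions": once one colliding pair is published, appending the same suffix to either half gives a new collision for free, which is exactly the Tripwire file-swap worry.

```python
import hashlib
import itertools

# Toy parameters (constructed): tiny state so a birthday search finishes in milliseconds.
# MD5 chains a 128-bit state over 512-bit blocks, SHA-1 a 160-bit state; same shape, bigger numbers.
BLOCK = 4          # block size in bytes
STATE_BITS = 24    # chaining-value width in bits
STATE_BYTES = STATE_BITS // 8
IV = b"\x00" * STATE_BYTES

def compress(state: bytes, block: bytes) -> bytes:
    """Stand-in compression function (assumption): SHA-256 truncated to the toy state width."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]

def pad(msg: bytes) -> bytes:
    """Merkle-Damgard style padding: 0x80, zeros, then the message length, up to a block boundary."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 1) % BLOCK)
    return padded + bytes([len(msg) % 256])

def toy_md_hash(msg: bytes) -> bytes:
    """Chain the compression function over the padded blocks, as MD5 and SHA-1 do."""
    padded = pad(msg)
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def find_block_collision():
    """Generic birthday search for two distinct single blocks that take the IV to the same
    chaining value: about 2^(STATE_BITS/2) trials (2^64 for a 128-bit hash, 2^80 for SHA-1)."""
    seen = {}
    for n in itertools.count():
        block = n.to_bytes(BLOCK, "big")
        cv = compress(IV, block)
        if cv in seen:
            return seen[cv], block, n + 1   # (first block, second block, trials used)
        seen[cv] = block

def collision_survives_suffix(m1: bytes, m2: bytes, suffix: bytes) -> bool:
    """A colliding prefix pair stays a collision under ANY common suffix, because the
    chaining state after the prefix and the length-based padding are identical."""
    return toy_md_hash(m1 + suffix) == toy_md_hash(m2 + suffix)

if __name__ == "__main__":
    m1, m2, trials = find_block_collision()
    print(f"collision after {trials} trials: {m1.hex()} vs {m2.hex()}")
    print("same digest with shared suffix:",
          collision_survives_suffix(m1, m2, b"the rest of the file"))
```

The search is deterministic, so the same pair comes out every run; with real MD5 the published pairs play the role of `m1`/`m2`, and no one downstream needs to know how they were produced.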
--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their
author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list