FYI: I'net security problem found.

Anything can be broken if people are willing to try hard enough. And they usually are.

I never send any sensitive information over the Net. Not because of hackers, but because usually it's nobody else's business but mine.
 
Speaking of sensitive information... I am extremely ticklish!
 
mismused said:
FYI without comment, from Compuserve ISP news.

=======================================================

Internet security takes a hit
Report says computer-code experts concerned after flaw discovered in popular encryption technique.
March 15, 2005: 9:13 AM EST

NEW YORK (CNN/Money) - The discovery of a crack in a commonly used Internet encryption technique raised concerns among government agencies and computer-code experts, according to a report by The Wall Street Journal.

"Our heads have been spun around," Jon Callas, chief technology officer at encryption supplier PGP Corp., told the newspaper.

The technique, called a "hash function," has been commonly used by Web site operators to scramble online transmissions containing credit-card information, Social Security numbers and other personal information.

Hash functions were thought to be impenetrable, but a team of researchers in China found that this encryption method was not as resistant to hackers as previously thought, according to the report.

The Chinese researchers "haven't caused panic yet," Avi Rubin, a computer-security expert at Johns Hopkins University, told the newspaper. But "it's definitely a wake-up call."

The discovery calls into question the credibility of the popular encryption method, despite what are believed to be remote chances of abuse.

The method, involving an algorithm, generates digital fingerprints, or "hashes," by performing an equation on a piece of information, switching the order of some bits, cutting down the result to a fixed length and resulting in a fingerprint.
===================================================

mismused

What is it exactly that you're worried about? The discovery made by the Chinese researchers makes SHA-1 breakable in 2^69 operations instead of 2^80.
This puts it just within bounds of agencies like the NSA but it is still very much impossible for the common human.

Geekily,
DrF
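
Added example, not part of the original thread: a generic birthday search on SHA-1 truncated to a few bits, showing where the 2^80 figure for the full 160-bit digest comes from (roughly 2^(n/2) hash evaluations for an n-bit output) and how large the step down to 2^69 is. The truncation widths, sample messages and function names are assumptions made for the demonstration.

```python
import hashlib
import math

def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-1(data) as an integer."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)

def birthday_collision(bits: int):
    """Generic collision search: hash distinct inputs until two of them
    share a truncated digest. Returns (msg_a, msg_b, evaluations)."""
    seen = {}
    counter = 0
    while True:
        msg = b"constructed-sample-%d" % counter  # constructed input
        counter += 1
        tag = truncated_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg, counter
        seen[tag] = msg

def expected_evaluations(bits: int) -> float:
    """Birthday-bound estimate for an ideal n-bit hash: sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def speedup_log2(generic_log2: int = 80, attack_log2: int = 69) -> int:
    """log2 of the work saved by the reported attack over generic search."""
    return generic_log2 - attack_log2

if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, n = birthday_collision(bits)
        print(f"{bits:2d}-bit truncation: collision after {n} hashes "
              f"(estimate {expected_evaluations(bits):.0f})")
        print(f"   {a!r} and {b!r} share the same truncated digest")
    # Same square-root scaling at full width gives about 2^80.
    print(f"160-bit estimate: 2^{math.log2(expected_evaluations(160)):.1f}")
    print(f"2^69 vs 2^80: about {2 ** speedup_log2()}x less work")
```

The measured counts track the square-root estimate at every width, which is why 160 bits of output buys about 80 bits of collision resistance at best, and why a drop to 2^69 is a factor of about 2,000 rather than a total break.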
 
"Thought to be unbreakable"-- thought by whom? Not anyone credible, surely.

Silly article. Thanks for the clarification, DrF.
 
DrFreud said:
What is it exactly that you're worried about? The discovery made by the Chinese researchers makes SHA-1 breakable in 2^69 operations instead of 2^80.
This puts it just within bounds of agencies like the NSA but it is still very much impossible for the common human.

Geekily,
DrF

I do so like it when a man gets geeky on me ;)
 
DrFreud said:
What is it exactly that you're worried about? The discovery made by the Chinese researchers makes SHA-1 breakable in 2^69 operations instead of 2^80.
This puts it just within bounds of agencies like the NSA but it is still very much impossible for the common human.

Geekily,
DrF
I think you have to rethink some of your parameters here, Dr.F. Anything within the NSA's capabilities is well within the capabilities of organised crime. Remember by turnover compared to GDP the Mafia is larger than the 23rd largest country in the world.

The weakness won't worry me directly, because I don't have enough money for them to want to steal it. Indirectly, if it is exploited by crime gangs it could lead to a breakdown of international banking as we know it. Before we have time to turn round it will be necessary to have some form of physical token for money, instead of plastic. Cheques will take days to clear, instead of being instantly clearable, and so the banks won't have your money to play with for days.

Why, in the extreme case, bankers and financial traders might have to accept lower annual bonuses!
 
I say screw 'em all, I have nothing to hide. Let the bastids come and get me if they dare. :D
 
snooper said:
I think you have to rethink some of your parameters here, Dr.F. Anything within the NSA's capabilities is well within the capabilities of organised crime. Remember by turnover compared to GDP the Mafia is larger than the 23rd largest country in the world.

The weakness won't worry me directly, because I don't have enough money for them to want to steal it. Indirectly, if it is exploited by crime gangs it could lead to a breakdown of international banking as we know it. Before we have time to turn round it will be necessary to have some form of physical token for money, instead of plastic. Cheques will take days to clear, instead of being instantly clearable, and so the banks won't have your money to play with for days.

Why, in the extreme case, bankers and financial traders might have to accept lower annual bonuses!

Snooper: I think the key word in Dr F's post was just. As in 'just within the limits of the NSA.' 2^69 is possible. It's feasible. But worth anyone's time and effort is the question. The 23rd largest country in the world couldn't afford to do it and even if the Mafia could, I doubt they'd want to. Large outlay for a minimal and unguaranteed input.

The Earl
 
snooper said:
I think you have to rethink some of your parameters here, Dr.F. Anything within the NSA's capabilities is well within the capabilities of organised crime. Remember by turnover compared to GDP the Mafia is larger than the 23rd largest country in the world.

Yes, sorry for the blanket statement. I was just trying to make it clear that the so-called break does not mean that the common thug can crack SHA1.

To be even geekier, what worries me is that we have no ways of measuring the security of these "hash" functions. We still use MD5 a lot even though it had partial breaks. The recent discovery means that merely switching from MD5 to SHA1 doesn't solve the problem.

DrF
 
TheEarl said:
Snooper: ... Large outlay for a minimal and unguaranteed input.
Not quite. If the criminal cracks the MAC on SWIFT and inserts a message then however much money they choose to put in the message arrives at their bank account, and nobody has any money missing. They have actually created money by forging the bit patterns - much easier in many ways than forging banknotes.

DrFreud said:
Snooper: ... To be even geekier, what worries me is that we have no ways of measuring the security of these "hash" functions ...
Some we can measure, such as RSA, and others we cannot, such as DES. This is because RSA has a mathematical basis (the fact that it is very much easier to multiply two primes together than to factorise the result) whereas DES has no such basis.

However, even in RSA-type algorithms there are weak keys, which are easily broken, and new ways of factorising certain classes of large number are found from time to time.

It was during the furore over Lenstra that Tom Parker made the memorable suggestion "Maybe Fred [Piper] should set one of his PhD students to find the strongest possible key pair; then we could all use that one."
 