Now that SHA-1 is cracked...


George Spiro

Hi,

Now that SHA-1 is cracked I am wondering how is MS dealing with this? I am
wondering how do I create a new SSL certificate with SHA-256 or 512. Can't
seem to create one for IIS.

G.
 
SHA-1 Is not "Cracked"

Read before you panic and spread FUD.

Matt Gibson - GSEC

From Google:

SHA-1 cracked!:
http://www.techspot.com/story17011.html

Perhaps the OP has been reading the news?

Galen
--

"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes
 
Galen said:
From Google:

SHA-1 cracked!:
http://www.techspot.com/story17011.html

Perhaps the OP has been reading the news?

Irresponsible journalism at its worst, and you obviously don't know enough about cryptography
to understand the issues here. SHA-1 has not been cracked, the researchers have simply
determined that rather than finding collisions in 2^80 they can find them with 2^69. While
that is 2048 times easier to find a collision, SHA-1 has not been cracked at all. I'd suggest
that rather than reading the news you spend some time researching cryptography.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
Paul Adare said:
Irresponsible journalism at its worst, and you obviously don't know
enough about cryptography to understand the issues here. SHA-1 has
not been cracked, the researchers have simply determined that rather
than finding collisions in 2^80 they can find them with 2^69. While
that is 2048 times easier to find a collision, SHA-1 has not been
cracked at all. I'd suggest that rather than reading the news you
spend some time researching cryptography.

How snide... At what point did I say that I knew anything about
cryptography??? I think, if you look at my post, all I did was point to
where the OP had gotten the information. I made no comment of the veracity
of the post, the news, nor of Matt's statement. In fact, having read a great
deal of Matt's posts in the past I tend to trust what he says. My post was
only referring to the origin of the OP's post.

Galen
--

"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes
 
In the microsoft.public.windows.server.security news group, Galen said:
How snide... At what point did I say that I knew anything about
cryptography??? I think, if you look at my post, all I did was point to
where the OP had gotten the information. I made no comment of the veracity
of the post, the news, nor of Matt's statement. In fact, having read a great
deal of Matt's posts in the past I tend to trust what he says. My post was
only referring to the origin of the OP's post.

My apologies. I meant to follow up to the OP and not to your post. Had
the wrong one selected when I posted.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
My apologies. I meant to follow up to the OP and not to your post. Had
the wrong one selected when I posted.

Certainly and happily accepted and understood. Your statements were correct
as it's not "cracked" just shows that there's a vulnerability that COULD (in
theory) be exploited eventually with the computers of today if I'm reading
properly. The concept is theory and the papers have not been examined by the
general community. I hope, for the 'net's sake, that if the papers are
released that they are incorrect. I do believe in full disclosure under some
circumstances, this is not one of them. I enjoy the comfort of shopping
online a bit too much and often spend a great deal of money online. My post,
I too should apologize, should have been more clear as it was in support of
Matt's statement. It was my thought at the time that people might click on
the link and read, from there they'd hopefully find out that theoretically
there's a vulnerability and that there's nothing to be concerned about at
this time and that the OP was indeed spreading FUD originally generated by
an over-eager sky-is-falling media.

In response, in theory, there's a potential vulnerability in everything you
do online or off but in an effort to not wax philosophical I'll leave it at
that. The only secure transaction is one that you make in person with cash
and even then you might be getting ripped off. The only secure computer is
one that isn't capable of being turned on. Everything else has a potential
risk be it obscure or minimal there is always a risk. With one of my
favorite quotes I will leave this... I'm not sure if it's attributable to
anyone specifically. "Security is not an application, it's a process." If
anyone knows who that should be attributed to please feel free to drop the
name off (and hopefully some sort of evidence that it was that person) in a
later post as this has been a nagging thought.

Galen

--

"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes
 
Galen,

There's a few things that should be said on all these "SHA-1 is cracked"
sites that rarely is.

A) No one has seen this paper that claims to have found a collision in SHA-1
in less than brute force attempts. It has not been released to the public,
so no members of the crypto community have had a chance to review it.

B) In the 2-3 page abstract from this paper, they state that their collision
was found without the padding needed by SHA-1. So this may not be of any
real world use, as all (that I know of) SHA-1 implementations use padding
(as they're supposed to), and this attack may not work against padded
implementations.

C) Say the paper is right, and they can now break SHA-1 in ~2^53 attempts.
What does this mean to most people? Nothing. With these attacks, you
cannot just get "I will give you 1 million dollars" to "I will give you 10
million dollars". You'd have a better chance of getting "09sdfkj3uih3wi8"
to hash to the same value.

This is a prime example of how the media (and the uninformed tech community)
spreads FUD.

Matt Gibson - GSEC
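
Added example, not part of any post in this thread: a Python sketch of the distinction in point C and of the 2^80 versus 2^69 figures quoted earlier. It assumes a toy hash (SHA-1 truncated to 16 bits) so both searches finish instantly; the messages are constructed and the function names are hypothetical.

```python
import hashlib

def trunc_sha1(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(msg): a toy hash small enough to search."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") >> (160 - bits)

def find_collision(bits: int):
    """Birthday search: BOTH messages are free to vary.
    Expected cost is about 2^(bits/2) hashes (2^80 for full SHA-1)."""
    seen = {}
    i = 0
    while True:
        msg = b"I will give you %d dollars" % i   # constructed sample text
        h = trunc_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1            # two distinct messages
        seen[h] = msg
        i += 1

def find_second_preimage(target: bytes, bits: int):
    """Fixed target: one message is already chosen (e.g. a signed one).
    Expected cost is about 2^bits hashes (2^160 for full SHA-1)."""
    want = trunc_sha1(target, bits)
    i = 0
    while True:
        msg = b"I will give you 10 million dollars (ref %d)" % i
        if trunc_sha1(msg, bits) == want:
            return msg, i + 1
        i += 1

def work_factor_ratio(old_exp: int, new_exp: int) -> int:
    """How many times cheaper a 2^new_exp attack is than a 2^old_exp one."""
    return 2 ** (old_exp - new_exp)

if __name__ == "__main__":
    BITS = 16  # assumption: toy size, chosen only so the demo runs quickly
    a, b, n = find_collision(BITS)
    print("collision after", n, "hashes:", a, b)
    target = b"I will give you 1 million dollars"
    m, k = find_second_preimage(target, BITS)
    print("second preimage after", k, "hashes:", m)
    print("2^80 vs 2^69:", work_factor_ratio(80, 69), "times cheaper")
```

On the toy hash the collision typically appears after a few hundred hashes while the fixed-target search needs tens of thousands, which is the gap between the birthday bound and a second-preimage search.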
 
Matt Gibson said:
There's a few things that should be said on all these "SHA-1 is
cracked" sites that rarely is.

Having read (indeed you're flagged an ugly magenta color by default with
OE -- sorry about that but I was running out of choices) a number of your
posts in the past I've found that I have never been able to find one flaw in
a single post you've sent unless it was a typo and in that case I probably
didn't even notice that. I have even read your papers about securing SMS
2000, I thought that it was well written and informative by the way. My
statement, just so you're aware, was just to show why the OP might have
thought that this was "reliable information." People, I think this is more
true of Western culture, tend to believe the news which, more often than
not, is biased in an effort to get a reaction, more readers/watchers, and
greater status.

What's more, in these "news sites," they should mention the vast amount of
computing power and time that it would take to accomplish this task even if
it's true. I use in this message the term "news" lightly and I hope that
you'll allow me to do so as I don't tend to think of blogs as a reliable
news medium nor do I follow much in the way of corporate sponsored news.

Mayhaps I should have put a "*chuckle*" behind the post about the OP reading
the news so that you were aware that I was agreeing with you and not
claiming the news was valid. Alas, I did not. I place these type of posts on
par with the people who post "I heard that MSN was going to shut down MSN
Messenger tomorrow at 9:00 AM if I didn't post this message to 100 people.
Is this true?" (Usually posted in all caps with a vague topic and a real
email address. Not to worry, they'll be back in three days asking about a
virus and in ten asking about all the spam they're receiving.)

Anyhow, there's no hope in changing the media and even smaller hope in
halting the number of questions which we'll receive about vague forms of
possible security threats. The best thing I can think of to tell people is
that the lines drawn for security are based on the person themselves and
what they want to get from the internet. If it's so valuable to them that
they're truly willing to risk the danger then it's something they should
do -- provided they've made an informed choice and are aware of the risks
before making the decision.

Galen
--

"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes
 
in message : In : Matt Gibson <[email protected]> had this to say:
:
: "I heard that MSN was going to shut down MSN
: Messenger tomorrow at 9:00 AM if I didn't post this message to 100 people.
: Is this true?"

Is this true? Looking forward to 9am!! *bing bing bing*

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
FAQ W2K/2K3 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;291382
 
Sorry Galen!

After reading through the thread with a little more care, I noticed your
post farther down explaining all that!

Many thanks for the words of praise...hopefully I'll live up to your
expectations ;)

It'll be interesting to see what the paper actually has to offer. I have a
feeling we'll see a lot of hasty retractions after it comes out.

If anyone's at all worried about the recent problems with MD5, SHA-0 and (it
would seem) SHA-1, all they need to do is use more than one hashing
function. I'd like to see someone come up with a collision in more than one
(non-related) hash algo at once.

Matt Gibson - GSEC
 
Matt Gibson wrote:
C) Say the paper is right, and they can now break SHA-1 in ~2^53 attempts.
What does this mean to most people? Nothing. With these attacks, you
cannot just get "I will give you 1 million dollars" to "I will give you 10
million dollars". You'd have a better chance of getting "09sdfkj3uih3wi8"
to hash to the same value.

Certainly true--this alleged vulnerability has no measurable effect on
signed messages. However and unfortunately, some applications use
SHA-1 as a more basic building block of their security. The most
common example, of course, is storing the hash of a password in an
accessible xml file, and authenticating the user if a hash of his input
matches the hash in the xml file. Assuming that the Chinese can do
everything they claim, and that the padding problem can likewise be
overcome, these collisions surely reduce the security of such
applications by the advertised amount.
 
Agreed.

Matt Gibson - GSEC

 
Now that SHA-1 is cracked I am wondering how is MS dealing with this? I am
wondering how do I create a new SSL certificate with SHA-256 or 512. Can't
seem to create one for IIS.

Nice troll. Your answer is "you can't".

Jeff
 