WSJ: Crack in Computer Security Code Raises Red Flag

question everything Donating Member (1000+ posts) Tue Mar-15-05 02:59 PM
Original message
Crack in Computer Security Code Raises Red Flag

Obscure but Worrying Flaw Compromises 'Fingerprint' Widely Used on Internet

By CHARLES FORELLE
Staff Reporter of THE WALL STREET JOURNAL
March 15, 2005; Page A1

With worries about online security already at a high pitch, the discovery of a crack in a widely used Internet encryption technique has raised another red flag among government agencies and computer-code experts.

The technique, called a "hash function," has been used for years by Web-site operators to scramble online transmissions containing credit-card information, Social Security numbers and other sensitive data. Hash functions are at work, for instance, for most of the millions of transactions that take place on the Internet every day. The system, involving an algorithm, or mathematical formula, was thought to be impenetrable.

But last month, a team of researchers from Shandong University in eastern China began circulating a draft of a paper showing that a key hash function used in state-of-the-art encryption could be less resistant to an attack by hackers than had been thought.

(snip)

Cryptographers say exploiting the flaw for malevolent purposes doesn't seem practical, even using a lot of computer power. Hash functions are also often used in conjunction with other cryptographic techniques, which haven't shown any flaws. But if someone were to exploit the newfound flaw, the most immediate threat would be to applications involving "authentication." A hacker theoretically could set up a dummy Web site that appears to have the security credentials of a trusted, secure site -- and then steal data that is shipped to this site by unsuspecting users.

(snip)

Write to Charles Forelle at charles.forelle@wsj.com

URL for this article:
http://online.wsj.com/article/0,,SB111084838291579428,00.html (paid subscription)


VelvetMonkeyWrench Donating Member (122 posts) Tue Mar-15-05 03:07 PM
Response to Original message
1. Gone unmentioned is...
...how this might impact all the wireless stuff that's hitting the streets these days.

==envisioning rampant "drive by" hacking==

Ezlivin Donating Member (1000+ posts) Tue Mar-15-05 03:09 PM
Response to Original message
2. As long as they can't hack my iPod
And my toaster. I really needs my toaster.

:)

ret5hd Donating Member (1000+ posts) Tue Mar-15-05 03:12 PM
Response to Reply #2
4. when your ipod starts playing country music...
and your toaster starts spitting out lumps of charcoal...

IT WILL BE TOO LATE! Take precautions now!

Ezlivin Donating Member (1000+ posts) Tue Mar-15-05 03:22 PM
Response to Reply #4
6. Country music? Do iPods support that format?
:)

I do not think that Toby Keith could exist on the same hard drive as Corrosion of Conformity or Black Label Society.

FreedomAngel82 Donating Member (1000+ posts) Tue Mar-15-05 03:15 PM
Response to Reply #2
5. What I need
is my microwave. ;) I can't live without it or the coffee maker.

htuttle Donating Member (1000+ posts) Tue Mar-15-05 03:10 PM
Response to Original message
3. Took them long enough to report it in the WSJ
The algorithm cracked was SHA1, and was done almost a month ago.

Here's a free article about it:
http://www.eetimes.com/showArticle.jhtml?articleID=60402150


For the non-technical, SHA1 is a big part of SSL, used to secure online communications (i.e., 'https').


The good news is that you need a significant amount of computing power to crack SHA1. The bad news is that the amount of computing needed to crack it was significantly less than previously believed.

It's something NSA could easily do, but probably not so easily done by hackers in Russia.

Looks like we're going to need a new hashing algorithm, though.