Crack in Computer Security Code Raises Red Flag
Obscure but Worrying Flaw Compromises 'Fingerprint' Widely Used on Internet
By CHARLES FORELLE
Staff Reporter of THE WALL STREET JOURNAL
March 15, 2005; Page A1
With worries about online security already at a high pitch, the discovery of a crack in a widely used Internet encryption technique has raised another red flag among government agencies and computer-code experts.
The technique, called a "hash function," has been used for years by Web-site operators to scramble online transmissions containing credit-card information, Social Security numbers and other sensitive data. Hash functions are at work, for instance, for most of the millions of transactions that take place on the Internet every day. The system, involving an algorithm, or mathematical formula, was thought to be impenetrable.
But last month, a team of researchers from Shandong University in eastern China began circulating a draft of a paper showing that a key hash function used in state-of-the-art encryption could be less resistant to an attack by hackers than had been thought.
(snip)
Cryptographers say exploiting the flaw for malevolent purposes doesn't seem practical, even using a lot of computer power. Hash functions are also often used in conjunction with other cryptographic techniques, which haven't shown any flaws. But if someone were to exploit the newfound flaw, the most immediate threat would be to applications involving "authentication." A hacker theoretically could set up a dummy Web site that appears to have the security credentials of a trusted, secure site -- and then steal data that is shipped to this site by unsuspecting users.
(snip)
Write to Charles Forelle at charles.forelle@wsj.com
URL for this article:
http://online.wsj.com/article/0,,SB111084838291579428,00.html (paid subscription)