 |  |  |
 |
Important security cornerstone brokenAlthough not formally confirmed yet, knowledgeable sources indicate that an important security cornerstone was broken, namely the secure hash SHA1. This news was posted by Bruce Schneier who is a well-respected cryptographer. There are alternatives to SHA1 that perform the same function (namely secure hashing) but many applications today use SHA1 at their heart. These applications must now be re-coded. Note that the root certificates of OpenFortress also use these hashes in their self-signature, and to sign lower level certificates. Although the RSA private keys in these certificates are not threatened by this problem, the root certificates are now less secure. There is no need for short-term panic though. To actually challenge a digital signature such as the signature in a certificate, it is necessary to find another certificate with the same hash value, and that is quadratically as hard as what is explained in the linked news item. The only thing that is now really challenged is any signature or other hash-based calculation that applies SHA1 to (partially) user-provided information. Read the cryptographic details on the crypto weblog if you need more information. Posted on Wed, 16 Feb 2005, 09:08. |
spin-off |  |