Topic: "SHA-0 Broken, MD5 Rumored Broken"

I read this article on Slashdot that SHA-0 is broken, and MD5 is rumored to be broken. This article shows more data about it. It took them 80'000 CPU hours to find it.

Some info:

Freedom to Tinker (http://www.freedom-to-tinker.com/archives/000661.html) wrote:

A cryptographic hash function (CHF) is a mathematical operation which, roughly speaking, takes a pile of data and computes a fixed size "digest" of that data. To be cryptographically sound, a CHF should have two main properties. (1) Given a digest, it must be essentially impossible to figure out what data generated that digest. (2) It must be essentially impossible to find a "collision", that is, to find two different data values that have the same digest.

Isn't it quite obvious that there are a lot of texts that share the same hash, and that it is just a matter of time to find two texts that have the same one? All hashes have collisions, it's unavoidable...

2

Re: "SHA-0 Broken, MD5 Rumored Broken"

In cryptography, the way to start is with the most commonly used letters. The hash that represents the letter E will be first to go, then, in a sequential order, the rest of the letters will follow.

Do, or do not.

3 (edited by Frank H 2004-08-17 13:16)

Re: "SHA-0 Broken, MD5 Rumored Broken"

Well ... considering they seem to have used 'brute force' ... sure, it's possible to find two alike ... but seriously ... 80000 hours is about 10 years ... so I'm not that scared (even if someone has a super duper computer it'll still take a while)... Switch password once a month and they need luck big_smile

I can write a short program that calculates a shitload of hashes, and then put them all into a database, and then compare them to each other ... sooner or later one will find two that have the same hash ... as there are only that many combinations possible in a fixed length hash (like MD5's 32 char)

Edit: and there's a reason why I haven't e in my password ... crap now I gave the bruteforcers a hint ...
but ... now I know they know that I know they know...and so on wink
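
The "hash a lot of inputs and compare them" idea from the post above is a birthday search. As an added example (not part of any post in this thread), the sketch below runs that search against MD5 truncated to a few bits and computes the birthday-bound estimate for the full 128-bit digest; the message strings and function names are constructed for illustration.

```python
import hashlib
import math


def truncated_md5(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of MD5(data) as an integer."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def find_collision(bits: int):
    """Birthday search: hash distinct messages until two share a digest.

    Returns (message_a, message_b, attempts).
    """
    seen = {}  # truncated digest -> message that produced it
    attempts = 0
    while True:
        msg = b"constructed-message-%d" % attempts  # constructed sample input
        attempts += 1
        digest = truncated_md5(msg, bits)
        if digest in seen:
            return seen[digest], msg, attempts
        seen[digest] = msg


def expected_attempts(bits: int) -> float:
    """Birthday-bound estimate: about sqrt(pi/2 * 2**bits) hashes."""
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, n = find_collision(bits)
        print(f"{bits}-bit digest: collision after {n} hashes "
              f"(estimate {expected_attempts(bits):.0f}): {a!r} / {b!r}")
    print(f"full 128-bit MD5 by brute force: "
          f"~{expected_attempts(128):.2e} hashes")
```

The work grows as roughly 2^(bits/2), so each extra 2 bits of digest doubles the search; the table of seen digests grows at the same rate.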

Re: "SHA-0 Broken, MD5 Rumored Broken"

What it means is that they may have found one or more collisions (two pieces of source data that result in the same digest), nothing else. We don't need to worry just yet :)

"Programming is like sex: one mistake and you have to support it for the rest of your life."

5

Re: "SHA-0 Broken, MD5 Rumored Broken"

Well, the point of this was not to be used for malicious means. History has shown us that the seemingly "impossible" to do stuff lulls us into a false sense of security. Maybe it is time for a change in the crypto world.

Do, or do not.

Re: "SHA-0 Broken, MD5 Rumored Broken"

Well, different cryptos usually have a statistical 'age'... before one is advised to change key/value ...

Some might have a week of lifetime, others a month and so on ... and xor, well that's so insecure, that it's more like if you have a 5yo you don't want to see some stuff on the computer wink

But, the age thing is based on statistics, how long one can estimate it will take for someone to have a chance to break it, and then add some safety. So it's still possible to be lucky and still fix the correct key on the first few tries. The chances aren't that great, they're probably very small, but it's still there, so no cryptos can be considered as 100% secure.

The person that thinks cryptos are impossible to break needs to rethink, definitely ... but IMHO I don't feel the 'crypto world' needs to change, those I have been in contact with that actually have a clue about it usually know about the security issues ... it's more people that haven't a clue what crypto is that think it's impossible to break ...

Today there are a lot of 'secure' cryptos, that people have improved and tried to 'break'... in the interest of security ... and ... as we all know, the US has a max bit allowed for cryptos... so with the computers NSA and similar possess cryptos can still be a bugger to break, the big bit cryptos aren't exactly adored over there wink

7

Re: "SHA-0 Broken, MD5 Rumored Broken"

I think back to a time where Windows 98 passwords were considered "unbreakable". Six months later, someone developed a way to break the LM Hashes in about 3 years. Refining on that code, we can now break it within 3 seconds using the processing power of a TI-83 calculator. The LM Hashes were the biggest flaws in that system.

Improvement only comes once the need arises. If SHA-0 and/or MD5 were unbreakable, we would stick to them. The realization that this is indeed false gives us a reason to go back to the drawing board and come up with something entirely new. What if we get rid of hashes, move into uncharted territory, unregulated territory?

In a way, I'm glad that they have been broken.

Do, or do not.

Re: "SHA-0 Broken, MD5 Rumored Broken"

We cannot say that "it is stable", everything will change as time goes...
If not today, someday it may happen.
We should not worry about what is going to happen..
We can just say that till now we are safe... smile
Always hoping for the best.

God wisely designed the human body so that we can neither pat our own backs nor kick ourselves too easily