A widely used method to secure online transactions and
financial data using 160-bit encryption can be broken 2,000 times
faster than previously thought.
Security researchers at Shandong University in China reported last
week that the SHA-1 encryption method can be cracked in days. It
was previously thought the code would take decades to break.
This revelation means security managers will need to
re-evaluate their companies' underlying encryption software.
SHA-1 is a means of scrambling information by creating a string of
160 characters - a hash - which adds a unique fingerprint to a
message. This unique identifier makes the code effectively
unbreakable.
Richard Brain, technical director at security consultancy
Procheckup, said SHA-1 was deployed in nearly every secure
electronic transaction, including Secure Sockets Layer (SSL) for
websites and SSH for encoding secure telnets and e-mails, and in
some instances for validating ATM transactions.
The researchers found that SHA-1 is not "collision-free", meaning
it is possible for code crackers to find two messages with the same
hash value and use them to crack the code quickly.
Even so, the researchers said it would take a powerful
supercomputer to achieve this. But by extrapolating Moore's Law,
which predicts that computing power will double every 18 months, at
some point in the future this level of computational power would be
readily available.
Cryptography expert Bruce Schneier, chief technology officer at
Counterpane Internet Security, said, "This attack builds on
previous attacks on SHA-0 and SHA-1, and is a major, major
cryptanalytic result. It pretty much puts a bullet into SHA-1 as a
hash function for digital signatures.
"It is time for us all to migrate away from SHA-1," he added, but
said, "Jon Callas, [security firm] PGP's CTO, put it best, 'It is
time to walk, but not run, to the fire exits. You do not see smoke,
but the fire alarms have gone off'."
Security firm RSA recommended firms use applications based on a
newer hash function, SHA-256, rather than SHA-1. Burt Kaliski,
chief scientist at RSA Laboratories, said, "The results certainly
underscore the importance of designing systems with a flexible
rather than a fixed choice of algorithm."
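
The flexible-algorithm design Kaliski describes, as an added example (not code from RSA or from the original article): each stored digest carries an algorithm tag, so legacy SHA-1 records can still be verified and are then re-hashed with SHA-256. The names `ALLOWED`, `DEPRECATED`, `make_digest`, `check_digest` and `migrate` and the `alg:hex` storage format are assumptions of this sketch.

```python
import hashlib
import hmac

# Assumed policy for this sketch: algorithms accepted when verifying stored
# records, which of them are deprecated, and the one used for new records.
ALLOWED = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
DEPRECATED = {"sha1"}
CURRENT = "sha256"


def make_digest(data: bytes, alg: str = CURRENT) -> str:
    """Return 'alg:hexdigest' so the algorithm travels with the value."""
    if alg not in ALLOWED:
        raise ValueError(f"algorithm not allowed: {alg}")
    return f"{alg}:{ALLOWED[alg](data).hexdigest()}"


def check_digest(data: bytes, tagged: str) -> tuple[bool, bool]:
    """Return (matches, needs_upgrade) for a stored tagged digest."""
    alg, sep, expected = tagged.partition(":")
    if not sep or alg not in ALLOWED:
        # Unknown or missing tag: refuse rather than guess an algorithm.
        raise ValueError(f"unsupported digest tag: {alg!r}")
    actual = ALLOWED[alg](data).hexdigest()
    matches = hmac.compare_digest(actual, expected.lower())
    # Only a record that verified is eligible for re-hashing.
    return matches, matches and alg in DEPRECATED


def migrate(store: dict[str, str], documents: dict[str, bytes]) -> list[str]:
    """Re-hash verified legacy entries with CURRENT; return upgraded names."""
    upgraded = []
    for name, tagged in store.items():
        _, needs_upgrade = check_digest(documents[name], tagged)
        if needs_upgrade:
            store[name] = make_digest(documents[name])
            upgraded.append(name)
    return upgraded
```

Because the tag is stored with the value, retiring SHA-1 later only means removing it from `ALLOWED` once `migrate` reports nothing left to upgrade.
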
David Lacey, director, information security at Royal Mail Group,
said there is "no need to panic. If this is correct, then the
algorithm is weaker but still fit for purpose."