Friday, March 25, 2005

About a month ago, a unique cryptanalysis of SHA-1 exposed a vulnerability in the algorithm that allows for a non-brute-force crack of a SHA-1 signature. The best description of the approach that I have found is Bruce Schneier's post: Schneier on Security: Cryptanalysis of SHA-1.

I wanted to include a quote from Bruce's post that describes the effect that this new technique will have on our everyday life (as technology professionals):

For the average Internet user, this news is not a cause for panic. No one is going to be breaking digital signatures or reading encrypted messages anytime soon. The electronic world is no less secure after these announcements than it was before.
But there's an old saying inside the NSA: "Attacks always get better; they never get worse." Just as this week's attack builds on other papers describing attacks against simplified versions of SHA-1, SHA-0, MD4, and MD5, other researchers will build on this result. The attack against SHA-1 will continue to improve, as others read about it and develop faster tricks, optimizations, etc. And Moore's Law will continue to march forward, making even the existing attack faster and more affordable.

As for my perspective, I just believe that this highlights the need to continue funding cryptographic research on both ends of the spectrum: creating algorithms and breaking them. It should also serve as a reminder to application architects and developers to keep our application logic seperate from the particulars of the cryptographic algorithms being used to sign / verify or encrypt / decrypt data in our applications. Our products need to be able to switch selected algorithms with as little effort as possible. While this may not have to be a runtime change, it should at least be as minimal a code change as possible.