Vulnerable security algorithms raise concerns
- 02 November, 2005 14:00
Industry experts agree that the future of two widely used security algorithms is fated, but with no clear alternatives in sight products that rely on them may have to remain "good enough" for some time.
Secure Hash Algorithm-1, or SHA-1, and Message Digest 5, or MD5, were the topics of much discussion at the National Institute of Standards and Technology (NIST)'s Cryptographic Hash Workshop held Monday. Both are hash functions developed in the early 1990s that generate unique strings of values used most often for encrypting and decrypting digital signatures, and both have been exposed as vulnerable within the past year.
"SHA-1 is a wounded fish in shark-infested waters, but I'm more worried about MD5 because it's used everywhere," said Niels Ferguson, a cryptographer with Microsoft. "Try to switch away from SHA-1 as quickly as you can, but switch away from MD5 first," he said when asked what recommendations he has regarding the algorithms during a panel at the conference.
About a year ago, "collisions" with MD5 came to light. Collisions occur when two messages have the same hash value, which compromises the authentication of the messages. In February, similar findings were unveiled regarding SHA-1. In the latter case, the collision was not actually performed, but research scientists at a Chinese university highlighted SHA-1's vulnerability by describing how such an occurrence could be constructed.
Since actual collisions have been achieved with MD5, many presenters at the conference seemed to already dismiss the algorithm as compromised. Microsoft's Ferguson told the story of a man in Australia who was fighting a traffic violation in court and argued that the evidence against him was invalid because the traffic camera used MD5, which is considered a broken algorithm. The judge throw out the case, Ferguson said.
Much of the conference discussions focused on potential fixes or replacements for SHA-1, but one presenter warned that new hash functions wouldn't emerge for quite a while. "SHA-1 needs to be replaced, but that replacement isn't known yet, and it's going to take years to develop," said Steven Bellovin, a professor at Columbia University.
In the meantime, debate continues over whether SHA-1 should still be used at all. Participants of the recommendations panel during the conference agreed that users should not include SHA-1 in any new projects, but that continued use of existing products may be unavoidable. As members of the audience pointed out, hardware and software will need to be updated with new or enhanced algorithms to replace SHA-1, and that's timely and expensive. And users need to be convinced to migrate to products that use new algorithms, which can take years to achieve.
"It's practical to continue to use SHA-1, but be very aware and do a lot of planning for the next algorithm," recommended James Randall, manager of cryptographic algorithms and standards at RSA Security. Panel members suggested buying products that can work with a number of different algorithms.