• Welcome to Valhalla Legends Archive.
 

SHA1 Broken

Started by dxoigmn, February 15, 2005, 08:46 PM

Previous topic - Next topic

dxoigmn

SHA1 has been broken according to this blog (Bruce Schneier)?  Looks interesting although there are little details other than a recent paper on a collision which this attacks supposedly builds upon.  Found this blog post on Raymond Chen's blog where I also saw, of all people, Skywing.

quasi-modo

#1
uh oh. If I were storing any sensative data sha-1 woulda been my choice... guess it is still tougher than md5 though.
WAR EAGLE!
Quote(00:04:08) zdv17: yeah i quit doing that stuff cause it jacked up the power bill too much
(00:04:19) nick is a turtle: Right now im not paying the power bill though
(00:04:33) nick is a turtle: if i had to pay the electric bill
(00:04:47) nick is a turtle: id hibernate when i go to class
(00:04:57) nick is a turtle: or at least when i go to sleep
(00:08:50) zdv17: hibernating in class is cool.. esp. when you leave a drool puddle

iago

Quote from: quasi-modo on February 15, 2005, 08:50 PM
uh oh. If I were storing any sensative data sha-1 woulda been my choice... guess it is still tougher than md5 though.

I'd worry if anybody stored sensitive data in sha-1, considering that one of the characteristics of sha-1 is that you can't convert it back to the original :P
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Mephisto

Ah, you beat me to that comment!

CrAz3D

What is the point of SHA-1 if you can't reverse it back to the original info?!
rebundance - having or being in excess of sheer stupidity
(ré-bun-dance)
Quote from: Spht on June 22, 2004, 07:32 PMSlap.
Quote from: Adron on January 28, 2005, 09:17 AMIn a way, I believe that religion is inherently evil, which includes Christianity. I'd also say Christianity is eviller than Buddhism (has more potential for evil).
Quote from: iago on April 19, 2005, 01:06 PM
CrAz3D's ... is too big vertically, at least, too big with ... iago ...

iago

It's designed as a one-way hash.  You can encrypt passwords and not worry that Blizzard are goign to turn them back into regular passwords.  It can also be added to an encrypted message to ensure that the message hasn't been tampered with.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


CrAz3D

What about avalibility?  ;)

I still don't understand the point of something you can reverse
rebundance - having or being in excess of sheer stupidity
(ré-bun-dance)
Quote from: Spht on June 22, 2004, 07:32 PMSlap.
Quote from: Adron on January 28, 2005, 09:17 AMIn a way, I believe that religion is inherently evil, which includes Christianity. I'd also say Christianity is eviller than Buddhism (has more potential for evil).
Quote from: iago on April 19, 2005, 01:06 PM
CrAz3D's ... is too big vertically, at least, too big with ... iago ...

iago

Quote from: CrAz3D on February 15, 2005, 10:06 PM
What about avalibility?  ;)

I still don't understand the point of something you can reverse

Sorry, I edited my post, got rid of that nonsense (fine, valuble but irrelevant information).  Read it again, I explained it better.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


CrAz3D

What is the point of the password thing?  Do you just check to see the the SHA-1 of the password that is sent to BNET is same as what they compare it to?
rebundance - having or being in excess of sheer stupidity
(ré-bun-dance)
Quote from: Spht on June 22, 2004, 07:32 PMSlap.
Quote from: Adron on January 28, 2005, 09:17 AMIn a way, I believe that religion is inherently evil, which includes Christianity. I'd also say Christianity is eviller than Buddhism (has more potential for evil).
Quote from: iago on April 19, 2005, 01:06 PM
CrAz3D's ... is too big vertically, at least, too big with ... iago ...

iago

Quote from: CrAz3D on February 15, 2005, 10:21 PM
What is the point of the password thing?  Do you just check to see the the SHA-1 of the password that is sent to BNET is same as what they compare it to?

Battle.net uses double-sha1's password.  This is what happens (for pre-war3 products):

When you create your account, you send them the SHA1 version of the password.  That password is stored by Battle.net.

When you log in, you SHA1 your password, alone.  Then you SHA1 your password along with the client and server token.  The server does the same thing, also hashing your SHA1'd password along with the client/server tokens.  Then you send your double-sha1'd password, where it is compared to the server's version.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


CrAz3D

OH!, k, makes more sense I guess.
rebundance - having or being in excess of sheer stupidity
(ré-bun-dance)
Quote from: Spht on June 22, 2004, 07:32 PMSlap.
Quote from: Adron on January 28, 2005, 09:17 AMIn a way, I believe that religion is inherently evil, which includes Christianity. I'd also say Christianity is eviller than Buddhism (has more potential for evil).
Quote from: iago on April 19, 2005, 01:06 PM
CrAz3D's ... is too big vertically, at least, too big with ... iago ...

quasi-modo

#11
Quote from: iago on February 15, 2005, 09:47 PM
Quote from: quasi-modo on February 15, 2005, 08:50 PM
uh oh. If I were storing any sensative data sha-1 woulda been my choice... guess it is still tougher than md5 though.

I'd worry if anybody stored sensitive data in sha-1, considering that one of the characteristics of sha-1 is that you can't convert it back to the original :P
It is great for dbs. You encrypt passwords / credit card numbers. It is not meant to be decrypted really. You encrypt an entry and match it. Ideally you would salt the password feild / whatever, with a userid feild or something.

Keep in mind: Even if you are on a server that has never been hacked into and the admins keep up with updates the admins can still see the passwords / credit card numbers / whatever else you are keeping. So you should encrypt everything you do not want anyone to see. If you use a 2 way algorythm your key has to be stored somewhere and the admin will be able to use it to decrypt the stuff so you are back where you started.

ps: If passwords, ssns, and credit card numbers, are encrypted in sha-1 (used for identification purposes) then sensative data is being stored in sha-1 correct?
WAR EAGLE!
Quote(00:04:08) zdv17: yeah i quit doing that stuff cause it jacked up the power bill too much
(00:04:19) nick is a turtle: Right now im not paying the power bill though
(00:04:33) nick is a turtle: if i had to pay the electric bill
(00:04:47) nick is a turtle: id hibernate when i go to class
(00:04:57) nick is a turtle: or at least when i go to sleep
(00:08:50) zdv17: hibernating in class is cool.. esp. when you leave a drool puddle

iago

It's not being "stored" 

tr.v. stored, stor·ing, stores
   1. To reserve or put away for future use.

You can't use it one it's hashed.

Anyway, the problem with SHA-1 likely won't affect its security for storing passwords and such; it will affect SHA-1's that are being used to verify documents
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


quasi-modo

#13
Quote from: iago on February 18, 2005, 05:37 PM
It's not being "stored" 

tr.v. stored, stor·ing, stores
   1. To reserve or put away for future use.

You can't use it one it's hashed.
That is correct. I was just 'going by a different deffinition' I guess.
I mean once it is hashed it is not useless.... The user types a pass that then gets encrypted and then you can match the two up and then the user entered the correct pass if they match. But I agree that no data can be gathered from the hashed values because sha-1 is a one way encryption algorythm.
WAR EAGLE!
Quote(00:04:08) zdv17: yeah i quit doing that stuff cause it jacked up the power bill too much
(00:04:19) nick is a turtle: Right now im not paying the power bill though
(00:04:33) nick is a turtle: if i had to pay the electric bill
(00:04:47) nick is a turtle: id hibernate when i go to class
(00:04:57) nick is a turtle: or at least when i go to sleep
(00:08:50) zdv17: hibernating in class is cool.. esp. when you leave a drool puddle

j0k3r

Quote from: quasi-modo on February 18, 2005, 05:23 PM
It is great for dbs. You encrypt passwords / credit card numbers. It is not meant to be decrypted really.
What would be the purpose of SHA-1'ing a credit card number, would they not need it for billing purposes?
QuoteAnyone attempting to generate random numbers by deterministic means is, of course, living in a state of sin
John Vo