- FBI warns Hit Man e-mail scammer back
- 20 tech habits to improve your life
- Industry mourns slain Cisco exec
- 10 Firefox add-ons for better browsing
- Wireless LANs face scaling challenges
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
GAITHERSBURG, Md. - Industry experts agree that the future of two widely used security algorithms is fated, but with no clear alternatives in sight, products that rely on them may have to remain "good enough" for some time.
Secure Hash Algorithm-1 (SHA-1) and Message Digest 5 (MD5 ) were the topics of much discussion at the National Institute of Standards and Technology's Cryptographic Hash Workshop held last week. Both are hash functions developed in the early 1990s that generate unique strings of values most often used for encrypting and decrypting digital signatures, and both have been exposed as vulnerable within the past year. Products and services from companies such as IBM, Adobe and VeriSign rely on digital certificates to verify sender and receiver identities.
"SHA-1 is a wounded fish in shark-infested waters, but I'm more worried about MD5 because it's used everywhere," said Niels Ferguson, a cryptographer with Microsoft. "Try to switch away from SHA-1 as quickly as you can, but switch away from MD5 first," he said, when asked what his recommendations were.
About a year ago, "collisions" with MD5 came to light. Collisions occur when two messages have the same hash value, which compromises the authentication of the messages. In February, similar findings were unveiled regarding SHA-1. In the latter case, the collision was not actually performed, but research scientists at a Chinese university highlighted the vulnerability by describing how such an occurrence could be constructed.
Because actual collisions have occurred with MD5, many presenters at the conference dismissed the algorithm as compromised. Ferguson told the story of a man in Australia who was fighting a traffic violation in court and argued that the evidence against him was invalid because the traffic camera used MD5, which is considered a broken algorithm. The judge threw the case out, Ferguson said.
Much of the conference's discussion focused on potential fixes or replacements for SHA-1, but one presenter warned that new hash functions won't emerge for a while. "SHA-1 needs to be replaced, but that replacement isn't known yet, and it's going to take years to develop," said Steven Bellovin, a professor at Columbia University.
In the meantime, debate continues over whether SHA-1 should still be used at all. Participants in the recommendations panel agreed that users should not include SHA-1 in new projects, but that continued use of existing products may be unavoidable.
Rss FeedRss Feed
Aging network systems and old habits have dictated how businesses spend their IT budgets. As a...
Implementing HA at the Enterprise Data Center Edge to Connect to a Large Number of Branch OfficesThis paper reviews the problem of creating a network where the dynamic availability of services is...
Enterprise Data Center Network Reference ArchitectureUsing a High Performance Network Backbone to Meet the Requirements of the Modern Enterprise Data...
The standard for Power over Ethernet (PoE), IEEE Std. 802.3af(tm)-2003, advanced networking,...
Harnessing the power of communications to increase workplace performanceDue to the convergence of IT and telecommunications technologies, the business workplace has been...
Stay out of the headlines: Detecting and preventing network intrusionsHow do YOU stay out of the headlines? There is no denying that risk exists in our computer-driven...
We have so many holes punched in our firewalls today that many industry insiders question the value...
IP address management in 2008 - six things to knowRead this Network World Special Brief to learn how Enterprise IT managers must update their...
The self-managed networkWe aren't there yet, but advances in network and systems management tools are making it possible to...
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask to prospective vendors to get the right endpoint solution.
Download the white paper.
Unauthorized applications: Taking back control
Employees installing and using unauthorized applications like IM, VoIP, games and peer-to-peer file-sharing applications cause many businesses serious concern. How do you control these applications?
Download the white paper.
Comment