Posted on 03/16/2005 5:29:28 PM PST by Golden Eagle
Internet security takes a hit
Report says computer-code experts concerned after flaw discovered in popular encryption technique.
NEW YORK (CNN/Money) - The discovery of a crack in a commonly used Internet encryption technique raised concerns among government agencies and computer-code experts, according to a report by The Wall Street Journal.
"Our heads have been spun around," Jon Callas, chief technology officer at encryption supplier PGP Corp., told the newspaper.
The technique, called a "hash function," has been commonly used by Web site operators to scramble online transmissions containing credit-card information, Social Security numbers and other personal information.
Hash functions were thought to be impenetrable, but a team of researchers in China found that this encryption method was not as resistant to hackers as previously thought, according to the report.
(Excerpt) Read more at money.cnn.com ...
Candidate for most ignorant statement of the day.
All cryptographic algorithms are considered breakable by default, it's just a question of when.
It's just a bit irresponsible to publish an article like this in the mainstream press without discussing the actual impact.
Truth is most end-user applications put precious little value on hash functions.
I've never been in the military, but I wouldn't be surprised if they used no encryption at all. I couldn't tell you how often I've been into systems where you would think they would use the highest security only to find it weak at best or nonexistent.
A dirty little secret in the world is that people love to pay lip service to high security, but eventually the human element overwhelms most systems and there are holes big enough to drive a truck through.
Anywhere from laziness of the IT staff, organizational culture, or social engineering risks. I'd be willing to bet that 80% of the systems right now are ripe for the picking.
They don't need to crack anything, they already enter most of the data. Social Security numbers, driving license numbers, credit card numbers, along with addresses are being sold every day.
Add to this news that the majority of spam (at least for me) has been originating from servers in China.....
"I've never been in the military, but I wouldn't be surprised if they used no encryption at all."
FYI, lots of info out there on HAIPE
_______________
This story appeared on Network World Fusion at
http://www.nwfusion.com/news/2003/0210nsasidenew.html
A better IPSec?
By Ellen Messmer
Network World, 02/10/03
One option for the military to secure its wireless LANs in the future might be to use a protocol under development by the National Security Agency.
The secretive protocol, dubbed High-Assurance Internet Protocol Encryption (HAIPE, pronounced "Hay-P"), would work across wireless and wired networks, handling key exchange, authentication and encryption. It will be designed to work with secret algorithms written by the government, but might be flexible enough to swap in published, unclassified ones.
"HAIPE is the government's version of IPSec, allowing a number of different algorithms to do key exchange," says John Droge, vice president of business development at Rainbow Mykotronx, which makes an encryptor for the military and its partners. The company's product, KIV-7, will support HAIPE once the protocol is completed, he says.
Anne Michael, director of security systems operations at vendor General Dynamics, says the NSA is intent on having the industry build equipment and write software in which encryption algorithms can be swapped out easily, unlike today. That will make it easier for companies to sell security products to the government and commercial sectors, she says.
The NSA, which has awarded contracts to work on HAIPE to Network Associates and BBN, among others, has not officially decided whether to openly publish the HAIPE specifications.
Um, hash is used to sign data, not encrypt it, I thought. The problem here will not be data security, but authenticity, which is probably almost as bad. Did I miss something?
Is this with computers and technology that the Klinton administration sold/gave/traded to them?
No, it's with their brand new copies of Red Hat Linux, they downloaded and renamed "Red Flag" for free. Seriously.
Pretty much on-target. Hashes are used mainly to verify that a given message has not been tampered with. This can be extremely useful in situations where the data doesn't need to be encrypted, but you would like to be able to verify that what you got was what was sent. Also, a hash like SHA-X is an excellent way of distilling this authenticity into a very small space. No matter how long the message, the hash is X-number of bytes.
I use hashes frequently to verify an ISO image of a CD I'm preparing to burn. For instance, the MD5 hash of the Knoppix Version 3.6 (English) CD is "5bc8e9fee2a8be0b7180fcf3e49b5386". I have a program that can compute the hash for me, and I can verify the hash it listed with the hash Knoppix.org provides for the ISO. So, it doesn't matter where the mirror of the site is. I can download the file from B0Bz5uPerWarz.com if I want to, and know they haven't done anything bad to the image, like load a trojan into an ISO they created while trying to pass it off as the legitimate thing. If the hashes of my file, and the official site are identical, I can cut the disk without near as much worry of creating Yet Another Coaster.
You're probably aware of all of the above. I'm just typing for those unfamiliar with why JoeBob might care about whether or not hashes are as safe as believed.
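The download check described in the post above, as an added example (not code from the thread or from any project it mentions): the file is hashed in chunks and compared with the value published by the official site. The function names and the sample "ISO" bytes are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm, used to recognise the published value.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in chunks so a 700 MB ISO never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex):
    """Return (ok, algo, computed). The published value must come from the
    official site, not from the mirror that served the file."""
    published = published_hex.strip().lower()
    algo = HEX_LEN_TO_ALGO.get(len(published))
    if algo is None or any(c not in "0123456789abcdef" for c in published):
        raise ValueError("not an MD5/SHA-1/SHA-256 hex digest")
    computed = file_digest(path, algo)
    return hmac.compare_digest(computed, published), algo, computed


def demo():
    # Constructed stand-in for an ISO image; not real Knoppix data.
    original = b"constructed sample image contents\n" * 1000
    tampered = original.replace(b"sample", b"s4mple", 1)  # same length, one byte changed
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.iso"), os.path.join(d, "bad.iso")
        for p, data in ((good, original), (bad, tampered)):
            with open(p, "wb") as f:
                f.write(data)
        official_md5 = hashlib.md5(original).hexdigest()      # value the project would publish
        official_sha256 = hashlib.sha256(original).hexdigest()
        results["good_md5"] = verify_download(good, official_md5)[0]
        results["bad_md5"] = verify_download(bad, official_md5)[0]
        results["bad_sha256"] = verify_download(bad, official_sha256)[0]
        results["algo"] = verify_download(good, official_sha256)[1]
    return results


if __name__ == "__main__":
    print(demo())
```

The function picks the algorithm from the length of the published digest, so when a project publishes a SHA-256 value alongside MD5 the same call checks the stronger hash.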
ping
If they're using those products to encode hash signatures then yes they could be vulnerable, it would depend on whether the system stored close to the entire finger or voice print, or just took a coordinate point prints for expediency. Thankfully though it appears the original article was extreme in its claim of the "hash function" being cracked, but rather only one form was weakened. The mathematical methods to secure data are showing they can have a finite shelf life however, and full biometric encryption is inevitable for personal transactions.
Isn't MD5 considered one of the weaker ones these days? I thought SHA-1 had begun to gain popularity lately due to a more significant crack of MD5. Just who can you trust these days?!?!
He asked, I thought it best he knew what is so well covered up these days.
==================
Can anyone deny that the 'Chinese cryptographers' are working for Chicom - the Chinese Communist Government?
And if so, during any future hostilities with the United States, would that decryption ability not wreak havoc on the Western (automated) economy?
I know the answer.
I think MD5 was still used for the password cache on NT 5, which by the way, would be a possible use for this exploit. But, my guess is that this discovery (somewhat obvious if you really think about it) would be best used in combination with some sort of social engineering to spoof your way into some valuable data. The MO for hackers is low hanging fruit and social engineering. Kevin Mitnick excelled at social engineering, and his attack of choice was session hijacking, so maybe this is a dangerous exploit after all.
If I remember right (not in security, but had some classes in school) the hash is encrypted with the data. That is, first you decrypt what you received with the public key, then you verify the authenticity by hashing the message/data and comparing that to the hash you just decrypted. Encrypting data with your private key says it is you, and encrypting with someone else's public key makes them the only possible recipient. It all made sense at one time, but I guess I already forgot it all.