Tuesday, March 15, 2005

SHA-1 Hash Flaw Draws Serious Industry Response

Last month, news reports that academic researchers in China had found a flaw in the widely used SHA-1 hashing algorithm raised a few eyebrows but quickly passed from the headlines.

Fast forward a month, and today's Wall Street Journal has a front-page story raising red flags over the flaw.

SHA-1 produces a 160-bit hash value (a "fingerprint") that was thought to be unique for each message. That uniqueness is what would assure a recipient, for instance, that an e-mail had not been tampered with. SHA-1 is widely used in Internet commerce (e.g., money) and in a number of authentication systems built into commercial products such as Virtual Private Networks (VPNs).

What a difference a month makes. The Wall Street Journal story paints a different picture from the initial blasé reactions. Security specialists and product developers looked at the evidence from the Chinese research and found an exploitable flaw. The security industry will jettison SHA-1 as soon as it can -- and hope a hack that exploits the flaw does not appear first.

Bottom Line: In this case, last month's smoke becomes this month's fire. The SHA-1 flaw is serious and deserves attention from vendors and enterprises that use it in their customer- and partner-facing applications.
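The tamper check described above (a hash that is recomputed on receipt and compared with the stored value) and the "jettison SHA-1 as soon as it can" migration both come down to one engineering property: the integrity tag must record which algorithm produced it, so that SHA-1 tags can be verified during the transition and then retired. The following Python example is added here to illustrate that; it is not code from the post or from any vendor it mentions. The `algorithm:hexdigest` tag format, the accepted-algorithm list and the sample message are assumptions made for the example, and the "tampered" message is constructed.

```python
import hashlib
import hmac

# Assumed policy for this example: SHA-1 tags may still be verified
# (old records), but every new tag is produced with SHA-256.
ACCEPTED = {"sha1", "sha256"}
CURRENT = "sha256"


def make_tag(message: bytes, algorithm: str = CURRENT) -> str:
    """Return an integrity tag of the assumed form '<algorithm>:<hex digest>'."""
    if algorithm not in ACCEPTED:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    digest = hashlib.new(algorithm, message).hexdigest()
    return f"{algorithm}:{digest}"


def verify_tag(message: bytes, tag: str) -> bool:
    """Recompute the tag over the received message and compare it in constant time.

    Any change to the message changes the digest, which is the property the
    post describes; a collision (two messages, one digest) is exactly what
    would let a substituted message pass this check unnoticed.
    """
    algorithm, sep, expected = tag.partition(":")
    if sep != ":" or algorithm not in ACCEPTED:
        return False
    actual = hashlib.new(algorithm, message).hexdigest()
    return hmac.compare_digest(actual, expected)


def needs_rehash(tag: str) -> bool:
    """True when the tag was made with a deprecated algorithm (SHA-1 here),
    i.e. the record should be re-tagged with the current algorithm."""
    return tag.split(":", 1)[0] != CURRENT


def digest_bits(algorithm: str) -> int:
    """Digest length in bits: 160 for SHA-1, 256 for SHA-256."""
    return hashlib.new(algorithm).digest_size * 8


if __name__ == "__main__":
    # Constructed sample: an e-mail body and a tampered copy of it.
    original = b"Transfer $100 to account 12345"
    tampered = b"Transfer $900 to account 12345"

    old_tag = make_tag(original, "sha1")      # legacy record
    new_tag = make_tag(original)              # current algorithm

    print(old_tag, verify_tag(original, old_tag), verify_tag(tampered, old_tag))
    print(new_tag, verify_tag(original, new_tag), verify_tag(tampered, new_tag))
    print("legacy tag needs rehash:", needs_rehash(old_tag))
```

`hmac.compare_digest` is used rather than `==` so that the comparison time does not leak how many leading characters of the expected digest matched. The algorithm prefix is what makes the migration incremental: records tagged `sha1:` keep verifying while `needs_rehash` flags them for re-tagging, and once none remain, `sha1` can simply be dropped from `ACCEPTED`.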

The unstated fear is that the bad guys will find an unpublished flaw in some other critical Internet security feature, and create chaos through lack of trust in online commerce. Should the $20 billion Internet commerce market lose consumer and business confidence, it could crash overnight. Not my Cassandra scenario, mind you, but it's very sobering to realize that the world is coming to depend on fragile technology -- and may not know how large the risk is.

Peter S. Kastner
