SAN FRANCISCO, Calif. A team of three Chinese researchers has compromised the SHA-1 hashing algorithm at the core of many of today's mainstream security products. Top cryptographers said users can still rely on today's SHA-1-based systems and applications, but next-generation products will need to move to new algorithms.
In a panel discussion at the RSA Conference here Tuesday (Feb. 15), Adi Shamir, a celebrated cryptographer and professor at Israel's Weizmann Institute of Science, said he received an email that morning containing a draft technical paper from the research team of Xiaoyun Wang, Lisa Yiqun Yin, and Hongbo Yu who have links to Shandong University in China.
The paper described how two separate documents could be manipulated to produce the same SHA-1 hash with less computational effort than previously believed possible.
The SHA-1 hash is broadly used to create digital certificates. It is a key technical underpinning of Secure Sockets Layer, a private-key technology used broadly to send secure information such as credit card numbers over the Internet.
In addition, a handful of chipmakers, including Atmel, Infineon, National Semiconductor and STMicroelectronics, use SHA-1 as the basis for so-called Trusted Platform Modules (TPMs) at the heart of an industry effort to provide a hardware root of trust in PCs and other devices.
Shamir and others said they believe the work of the Chinese trio will probably be proven to be correct based on their academic reputations, although details of the paper are still under review.
"This will create big waves in my opinion. It's extremely important to develop new kinds of hashing algorithms," said Shamir in the panel session at RSA. "No one should be extremely worried or change designs of existing systems or programs; however, this diminishes our feeling of security in digital certificates in general," he added.
"This break of SHA-1 is stunning," said Ronald Rivest, a professor at MIT who co-developed the RSA algorithm with Shamir. "Digital signatures have become less secure. This is another reminder that conservatism is needed in the choice of an algorithm," added Rivest at the panel session.
Rivest noted that one member of the Chinese team, Lisa Yin, was a Ph.D. student who studied under him at MIT. Another member of the team was responsible for cracking the earlier MD5 hashing algorithm.
"I have strong reasons to believe the results [of the paper] are correct," Rivest said.
Using the approach described by the Chinese researchers, a hacker could create two very different documents that had the same hash, and thus appeared to be digitally secure. However, the documents probably would need to include data types beyond simple ASCII text, such as images or logos, Rivest said.
A variety of technologists reacted to the news in a Q&A session with the panel later in the day.
"This means everyone needs to revise their products but it is hard to say when. We don't have to do it right away; certainly in the next release of the OS," said a Microsoft Corp. manager responsible for some of the company's network security products.
"They are going to go nuts," said a technical advisor to the American Bar Association, trying to assess the legal implications of the news.
"I think we will have enough time to work on this," said Whitfield Diffie, chief security officer with Sun Microsystems who also sat on the panel. Sun has not committed SHA-1 to silicon, although it may have hardware support for the algorithm, he said.
Atmel implemented SHA-1 in hardware in its TPM devices now used in computers from IBM Corp. and others, said a company representative at the RSA Conference. Infineon has dedicated registers for SHA-1 in its TPM products, said a company spokesperson here.
Perhaps anticipating the news, the National Institute of Standards and Technology issued a recommendation earlier this month that developers move to SHA-256 and SHA-512 algorithms by 2010.
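Acting on that recommendation starts with finding which certificates are still signed with SHA-1. The Python below is an added example, not code from the article or from NIST: it reads the outer signatureAlgorithm OID from a DER-encoded certificate with a small hand-written DER walker and flags the PKCS#1 sha1WithRSAEncryption and md5WithRSAEncryption identifiers. The certificate bytes it checks are a constructed, certificate-shaped placeholder rather than a real certificate; the OID values are the standard PKCS#1 ones.

```python
# Flag certs whose outer signatureAlgorithm uses SHA-1 or MD5; minimal DER walker, not a full X.509 parser.
SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption (PKCS#1)
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption (PKCS#1)
WEAK_SIG_ALGS = {SHA1_RSA, "1.2.840.113549.1.1.4"}  # SHA-1 and md5WithRSAEncryption
def parse_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x80|N followed by N big-endian length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(raw):
    """OID content bytes -> dotted string (first byte packs two arcs, rest base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last byte of this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))
def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm, the element after tbsCertificate."""
    _, cert, _ = parse_tlv(der, 0)                       # outer Certificate SEQUENCE
    _, _, pos = parse_tlv(cert, 0)                       # skip tbsCertificate
    tag, oid, _ = parse_tlv(parse_tlv(cert, pos)[1], 0)  # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid)
def needs_migration(der):
    return signature_algorithm(der) in WEAK_SIG_ALGS

# --- constructed sample input: certificate-shaped DER, not a real certificate ---
def tlv(tag, body):  # DER-encode one element; long-form length once body >= 128 bytes
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def encode_oid(dotted):  # inverse of decode_oid
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append((arc & 0x7F) | 0x80)
        out += reversed(chunk)
    return bytes(out)
def build_sample_cert(sig_oid):
    tbs = tlv(0x30, tlv(0x04, b"\x00" * 200))  # placeholder body >127 bytes: long-form path
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))  # {algorithm, NULL}
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xAA" * 16))  # + dummy BIT STRING
```

For real certificates, pass the DER bytes of each file to needs_migration; PEM input must first be base64-decoded between its BEGIN/END markers.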
"NIST might need to accelerate its schedule," said Mark Willet, a research director working on security at Seagate Technology upon hearing the news.
"These aren't severe massive compromises, as long as upgrades get made in reasonable engineering time," said Paul Kocher, a security specialist also on the panel at the RSA Conference.