Last Thursday (the 12th), French computer scientist Antoine Joux announced that he had found a collision in SHA-0 (Secure Hash Algorithm 0), a hash algorithm of the kind commonly paired with digital signatures. Shortly afterwards, four Chinese researchers released a paper reporting a way to produce collisions in another, far more widely deployed algorithm, MD5 (Message Digest 5).


A third, potentially more explosive announcement was scheduled for Tuesday evening (the 17th) at the Crypto 2004 conference in Santa Barbara, California.

Eli Biham and Rafi Chen, researchers at the Israel Institute of Technology, had originally planned to present a paper describing several ways to defeat the security of SHA-0. They now intend to use the session to go further and discuss "explosive news" about SHA-1. The session was scheduled to begin at 7 pm Pacific Daylight Time on the 17th.



Jim Hughes, general chairman of Crypto 2004 and a senior fellow at StorageTek, said on the morning of the 17th that the news was important enough that he had organised the first Webcast in the conference's 24-year history. In a message to a cryptography mailing list, Hughes wrote: "There are three significant rump session papers on hash collisions that will be presented." One of them covers Joux's findings.



The protection offered by security applications is built on these fingerprints being unique. If a malicious hacker could produce the same fingerprint from different content, that duplicate fingerprint, a "hash collision", would vouch for back-doored software as safe to download and run. In the same way, an attacker could forge the signature on an e-mail instructing that someone's bank account be emptied.



The MD5 weakness is the more immediate threat. The open-source Apache web server project publishes MD5 hashes so that users can check that the source code on its dozens of mirror sites has not been tampered with before building and running it. Sun's Solaris Fingerprint Database relies on the same hash algorithm.




Digital signatures could be forged, claim boffins

August 18 2004

by Declan McCullagh

Weakness exposed in the mathematical algorithms …

Encryption circles are buzzing with news that weaknesses in the mathematical functions of digital signatures could allow them to be forged.

French computer scientist Antoine Joux first announced a full collision in SHA-0, a hash algorithm of the kind commonly used with digital signatures. Then four Chinese researchers released a paper that reported a way to produce collisions in a second, far more widely deployed algorithm, MD5.

While their results are preliminary, these discoveries could eventually make it easier for intruders to insert undetectable back doors into computer code or to forge an electronic signature - unless a different, more secure algorithm is used.

A third announcement, which was even more anticipated, took place on Tuesday evening at the Crypto 2004 conference in California. Eli Biham and Rafi Chen, researchers at the Israel Institute of Technology, originally were scheduled to present a paper identifying ways to assail the security in the SHA-0 "Secure Hash Algorithm," which was known to have imperfections. In a presentation on Tuesday evening, however, Biham reported some early work toward identifying vulnerabilities in the SHA-1 algorithm, which is believed to be secure.

Biham's presentation was very preliminary, but it could call into question the long-term future of the wildly popular SHA-1 algorithm and spur researchers to identify alternatives.

Currently considered the gold standard among hash functions, SHA-1 is built into popular software such as PGP and SSL. It is standardised by the National Institute of Standards and Technology (FIPS 180-1) and is the only hash function approved for use with the US government's Digital Signature Standard. SHA-1 yields a 160-bit output, longer than MD5's 128 bits; that extra length raises the cost of a generic birthday search for a collision from roughly 2^64 to roughly 2^80 hash evaluations, which is why it is considered more secure.

Jim Hughes, general chairman of the Crypto 2004 conference, said on Tuesday morning that the news was sufficiently important that he was organising the first Webcast in the conference's 24-year history. "There are three significant rump session papers on hash collisions that will be presented," including an update on Joux's findings, Hughes said in a message to a cryptography-related mailing list.

"If you could find two contracts that hash out to the same signature, you could replace one with the other and in a court of law there would be at least an ambiguity about which one is valid," Hughes, a senior fellow at StorageTek, said in a telephone interview. "That's a very significant possibility."

The MD5, SHA-0, and SHA-1 algorithms are known to computer scientists as hash functions. They take input of any size, from an email message to an operating-system kernel, and produce a short fixed-length digest (128 bits for MD5, 160 bits for SHA-0 and SHA-1) that is meant to behave like a unique fingerprint. Because inputs are unbounded and outputs are not, two inputs with the same digest must exist; the security property is that nobody can find such a pair faster than the birthday bound of about 2^(n/2) trials for an n-bit digest. Changing even one bit of the input yields a completely different, unpredictable fingerprint.

Security applications rely on these fingerprints being unique in practice, and digital signature schemes sign the fingerprint rather than the document itself. If a malicious attacker could generate the same fingerprint from a different input, the cloned fingerprint, known as a hash collision, would let a signature or published checksum for a clean program certify that a copy containing a back door is safe to download and execute. It would likewise help a crook who wanted to falsely sign an email instructing that someone's bank account be emptied. One caveat matters for assessing the risk: these are collision attacks, in which the attacker prepares both inputs in advance. They do not let an attacker match the fingerprint of an existing file that someone else produced, so the realistic abuse is an attacker who controls both the innocuous version that gets signed or published and the malicious version that is swapped in later.
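The following is an added example, not code from the article or from Apache, Sun or any other project it mentions. It shows the three mechanisms the article describes: computing and checking a fingerprint the way a mirror-download check does, finding a hash collision, and turning that collision into a forged signature on a second "contract". Because a real MD5 collision takes the cryptanalytic shortcuts of the 2004 papers, the example truncates MD5 to 32 bits (an assumption chosen so that a generic birthday search finishes in well under a second) and models the signer as HMAC-SHA256 over the digest, standing in for an RSA or DSA signature that is likewise a function of the digest alone. The contract texts and the "Reference:" field used to generate variants are constructed for the demonstration.

```python
"""Hash fingerprints, collisions and signature substitution (added example)."""
import hashlib
import hmac

# ---- 1. Fingerprints and the avalanche effect ------------------------------

def fingerprint(data: bytes, algo: str = "md5") -> bytes:
    """Fixed-length digest of arbitrary input: 16 bytes for MD5, 20 for SHA-1."""
    return hashlib.new(algo, data).digest()

def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests (about half of the
    bits differ for any two distinct inputs to a sound hash function)."""
    if len(a) != len(b):
        raise ValueError("digests must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def verify_fingerprint(data: bytes, published_hex: str, algo: str = "md5") -> bool:
    """Mirror-download check: does the file match the digest the project
    published? compare_digest avoids leaking the mismatch position via timing."""
    return hmac.compare_digest(fingerprint(data, algo).hex(), published_hex)

# ---- 2. Finding a collision ---------------------------------------------------
# Assumption for the demo: truncate MD5 to TRUNC_BITS bits so that a generic
# birthday search (about 2**(TRUNC_BITS/2) hash calls) is feasible. The 2004
# results achieve the same outcome against the full 128-bit MD5 by exploiting
# its internal structure rather than by brute force.
TRUNC_BITS = 32

def weak_hash(data: bytes) -> bytes:
    return fingerprint(data, "md5")[: TRUNC_BITS // 8]

def find_two_document_collision(benign: bytes, malicious: bytes):
    """Two-set birthday attack: generate innocuous variants of both contracts
    (here a changing reference number) until one benign variant and one
    malicious variant share a weak_hash. Returns (benign_variant, malicious_variant)."""
    seen_benign = {}     # weak_hash -> benign variant
    seen_malicious = {}  # weak_hash -> malicious variant
    i = 0
    while True:
        ref = b"\nReference: %08d" % i
        b, m = benign + ref, malicious + ref
        hb, hm = weak_hash(b), weak_hash(m)
        if hb == hm:
            return b, m
        if hb in seen_malicious:
            return b, seen_malicious[hb]
        if hm in seen_benign:
            return seen_benign[hm], m
        seen_benign[hb] = b
        seen_malicious[hm] = m
        i += 1

# ---- 3. Why a collision forges a signature ----------------------------------
# Signature schemes sign H(message), not the message. The signer below is
# HMAC-SHA256 over the digest (a stand-in for RSA/DSA, which also depend only
# on the digest), so a colliding pair shares one valid signature.

def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, weak_hash(message), "sha256").digest()

def verify(key: bytes, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(key, message), signature)

def contract_substitution_demo(key: bytes = b"victim signing key") -> dict:
    """The scenario from the article: two contracts with the same fingerprint.
    The victim signs only the benign one; the signature verifies the other."""
    benign = b"I, Bob, agree to pay Alice $100."        # constructed text
    malicious = b"I, Bob, agree to pay Alice $100000."  # constructed text
    b, m = find_two_document_collision(benign, malicious)
    sig = sign(key, b)  # the victim only ever sees and signs the benign variant
    return {
        "benign": b,
        "malicious": m,
        "same_digest": weak_hash(b) == weak_hash(m),
        "signature_also_verifies_malicious": verify(key, m, sig),
    }

if __name__ == "__main__":
    d = differing_bits(fingerprint(b"The quick brown fox"),
                       fingerprint(b"The quick brown fog"))
    print("one-letter change flips", d, "of 128 MD5 bits")
    result = contract_substitution_demo()
    print("collision found:", result["same_digest"])
    print("signature on benign contract verifies malicious one:",
          result["signature_also_verifies_malicious"])
    print(result["malicious"].decode())
```

The defence the article points toward is the same in every case: once a hash admits collisions cheaper than the birthday bound, any signature, download checksum or fingerprint database built on it must move to a longer, unbroken hash, since no change to the signing key or the comparison code can repair a digest that two documents share.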

Declan McCullagh writes for CNET

