Wednesday, February 16, 2005

632dbcaffc e931aaca83 85ce154ab6 9a240ca2eb

(The title is the SHA-1 hash of the sentence "if you can read this, SHA-1 is broken.", with some spaces inserted to prevent word-wrap issues.)

According to Bruce Schneier, "SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing." SHA-1 is a cryptographic hash function that keeps digital transactions 'safe', or did up until now anyway.

'Broken' means that researchers have figured out a way to generate hash collisions (I've written about these before), which basically means that even though an attacker still can't figure out the original data whose hash is being used to provide security, they could theoretically come up with some other data that maps to the same hash.

A computer generally doesn't store things like passwords and validation codes, because if someone got their hands on that info the security would be blown wide open. Instead of storing passwords, for instance, the computer stores a hash of the password. When you supply a password as you are logging in, the computer takes the password, hashes it, and compares the hashes. If they are identical, you are legit.
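The store-the-hash login check described above, as an added example that is not code from the original post. It uses SHA-1 by default because that is the function under discussion, and records the algorithm name alongside the digest so a different hash function can be dropped in later; the sample password is constructed.

```python
import hashlib
import hmac

# Added example of the scheme the post describes: the system never stores the
# password, only a hash of it, and checks a login by hashing the supplied
# password the same way and comparing the two hashes.


def hash_password(password: str, algorithm: str = "sha1") -> str:
    """Return the record to store, 'algorithm$hexdigest', instead of the password."""
    digest = hashlib.new(algorithm, password.encode("utf-8")).hexdigest()
    return f"{algorithm}${digest}"


def verify_password(stored: str, candidate: str) -> bool:
    """Hash the candidate with the algorithm named in the record and compare hashes."""
    algorithm, _, expected = stored.partition("$")
    actual = hashlib.new(algorithm, candidate.encode("utf-8")).hexdigest()
    # compare_digest compares in constant time, so the check does not leak how
    # many leading characters of the two hashes matched.
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed sample password
    print(record)
    print(verify_password(record, "correct horse"))  # True
    print(verify_password(record, "wrong horse"))    # False
```

Two things worth noting for anyone copying the scheme: the post's description (and this example) hashes the bare password, whereas real password stores add a per-user salt and use a deliberately slow hash; and a collision attack of the kind announced here does not by itself let an attacker log in, since that would require finding an input that hashes to a specific stored digest, which is a preimage, not a collision.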

Microsoft's Xbox copy-prevention routines rely solely on SHA-1; most crypto applications use SHA-1 as part of a larger and much more complex algorithm. So for most things (like online $ transactions) this isn't anything to fear; it's just a chink in the wall that can (and will) be chipped away at over time until a true security breach occurs. By then everyone will have moved on to the Next Thing, whatever it turns out to be.

Wikipedia has a great info page on SHA-1 if you're interested in learning more.