| Submit your comments on this article | |
| China-Japan-Koreas | |
| China breaks SHA-1 code? | |
| 2005-03-13 | |
| The U.S. code-breaking community is worried about China's advances in cracking U.S. codes. Three Chinese cryptologists last month reported they had found a way to crack a U.S. government-approved information security system known as SHA-1, or Secure Hash Algorithm-1. The SHA-1 encryption is used widely within the U.S. government, including the Pentagon and U.S. intelligence community. It is currently the Federal Information Processing Standard and has been since 1994. Put simply, SHA-1 is a security authentication device that is used to verify the integrity of digital media, and to make sure that data or messages, such as secure e-mail, are not changed during transmission. Chinese researchers, Xiaoyuan Wang, Yiqun Lisa Yin and Hongbo Yu reported in a paper Feb. 13 that they had "developed new techniques that are very effective" for breaking SHA-1 code, without using time-consuming "brute force" attacks. The National Institute of Standards and Technology (NIST), which made SHA-1 a federal standard, said in a statement that it could not confirm the Chinese code-breaking but noted that the three researchers are "reputable" specialists with cryptographic expertise. NIST said the new "attack" or code-breaking "is of particular importance in digital signature applications, such as time-stamping, and notarization." But the institute sought to play down the implications of the Chinese claim, stating that the method described in the paper will be "difficult to carry out in practice." Still, the U.S. government is phasing out SHA-1 over the next five years. "Due to advances in computing power, NIST already planned to phase out SHA-1 in favor of the larger and stronger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) by 2010," the statement said. Disclosure of the code break followed China's publication of a defense white paper in December that identifies the use of information technology as a central element of Chinese military doctrine. U.S. defense officials say China's military believes its cyber-soldiers can successfully cripple the U.S. military by attacking key computer-run infrastructures and other information networks.
"This could potentially allow them to access sensitive systems," he said. "However, from what small knowledge I do have of how secure data links get set up for some kinds of DOD projects, I think it would be very difficult to exploit the SHA-1 [code break] to their advantage." The danger, he noted in an e-mail, is that China could exploit a security lapse in U.S. government networks and systems. Mr. Spisak said as long as U.S. government computers are properly protected by multiple layers of defense and authentication mechanisms, "one can ensure it is sufficiently difficult to gain illegal access to sensitive networks and systems even with one part failing." But if proper security precautions are not taken, "then all bets could be off," he said. Bruce Schneier, a cryptography and security specialist, said the Chinese breakthrough is not alarming. But he noted that within the U.S. National Security Agency there is an old saying: "Attacks always get better; they never get worse." Quantum computing has almost relegated codes to the dustbin. Ironically, the solution will be in the use of unbreakable J.S. Bell communications systems. You can't break a code unless you intercept a code, and if there is only a single compatible transmitter/receiver pair in the universe, there is nothing you can do about it. | |
| Posted by:Anonymoose |
| #6 Why do they need to break the codes? Plenty of Chinese and ABC who have more loyalty to China than their adopted homeland. Just steal the data. |
| Posted by: gromky 2005-03-13 10:14:05 PM |
| #5 I've been out of the business for 6 years, but SHA is just a hashing algorithm. Does "breaking" it simply mean you found a way to know what changes in the text will produce what changes in the hash? You can't run the sausage grinder backwords, since the hash is only 20(?) bytes long. This could be used to tamper with digitally signed documents, I guess. But it can't be used to actually forge the signatures or timestamps. Though I suppose you could dink with the message until a hash came out that corresponded to one that your target did sign. But the timestamp would still be wrong. As I said, I left the field in 1999. |
| Posted by: jackal 2005-03-13 8:44:13 PM |
| #4 Yep, itn Smauve. |
| Posted by: Shipman 2005-03-13 8:18:23 PM |
| #3 That's not Signal Orange. That's some Ft. Lauderdale designer color. |
| Posted by: Shipman 2005-03-13 8:17:49 PM |
| #2 Wouldn't be surprised, Jonathan, and James Dunnigan reported here (StrategyPage) on Chinese cyberwarfare ... this **** is heating up real fast ... I'd feel more confident if we knew for sure how much farther ahead the US is than China, but that's not known to civilians for a good reason. |
| Posted by: Edward Yee 2005-03-13 2:32:02 PM |
| #1 I wonder if the taking of the P3 intelligence aircraft contributed to the Chinese advances in code breaking. I don't think the crew had a chance to destroy all of their equipment. |
| Posted by: Jonathan 2005-03-13 1:34:34 PM |