March 4, 2005 – (HOSTSEARCH.COM) – Chinese researchers, primarily from Shandong University were recently able to crack the SHA-1 or Secure Hash Algorithm which is widely used to encrypt internet communications such as banking transactions, consumer purchases of goods, as well as email like Microsoft Security Updates. What does this mean in the bigger picture? Is it still safe to buy things online? Let’s take a look at the facts. First, what exactly is SHA-1?
SHA-1 is an algorithm used to generate big irreproducible numbers. It is used to ‘hash’ communications or give them a unique digital signature. This keeps online thieves from counterfeiting another person’s ID.
It’s like a random number generator. When the algorithm is run it will produce something like this; SHA#e3b445c2a6df44df81ef46b54d386da23ce8f3775. It's big, but small enough to post or send around in email. To be effective it has to produce a different result every time it's run. This is called being "collision-free".
Gavin Maxwell of Fairfax Digital explains the significance of the SHA-1 crack like this, ”The Shandong team have shown that collisions can be found in 2^69 operations - 2048 times faster than a brute force attack. 2^80 is a very large number of operations. If I had a computer that was capable of performing 3 billion comparisons every second, how long would that take? Hmm, roughly 12 million years! Using the same computer to perform 2^69 comparisons would take somewhere in the order of 6000 years.”
In other words, the kid next door isn’t going to tap into your DSL line and decrypt the account information for your credit card with his Play Station. Or is he?
The new Cell chip in the Play Station 3 will be able to process 256 billion floating point operations per second (256 gigaflops) once it’s refined. In other words, that brings down the time from 6,000 years to 70. OK, so I guess Matthew Broderick will be long dead by the time he gets done decoding the password to your account.
Still, it certainly didn’t take Shandong University 6,000 years to crack SHA-1 and there are criminal organizations out there with a lot more economic clout than Shandong U let alone the kid next door. Spamhaus recently reported that MCI made as much as $5 billion per year hosting viral zombie spammer Send-Safe.com. And that’s just what MCI made from Send-Safe.com. NOT what Send-Safe made.
Spammer Jeremy Jaynes was found guilty last November by a state court in Virginia of sending more than 10 million unsolicited emails a day. He is estimated to have earned around $750,000 a month.
Could a criminal or criminal organization with this kind of economic clout afford to put together a supercomputer that could crack SHA-1 in short order? Is it reasonable to think that a criminal organization exists that would do this?
ChoicePoint, which began in 1997 as a company that sold credit data to the insurance industry became an all-purpose commercial source of personal information about Americans, with billions of details about their homes, cars, relatives, criminal records and other aspects of their lives. Recently, the company inadvertently sold as many as 500,000 records of consumer data to criminals last year. The thieves operated for over a year and have used the information to defraud at least 750 people so far. “I wish we would have caught it sooner,” ChoicePoint CEO Derek Smith said.
With so much to gain it’s hard not to imagine a mafia Beowulf cluster supercomputer crunching away somewhere on ChoicePoint’s other 19 billion public records.
Still, the ChoicePoint case illustrates that social engineering is still a much easier route for criminals than hacking the SHA-1.
And before you go and take all of your money out of the bank and hide it under the bed there is already new encryption technology in the works that makes SHA-1 look like A=1, B=2, C=3.
The new method uses quantum entanglement based on ‘Heisenberg's uncertainty principle’.
Magiq Technologies has already signed an agreement with Cavium Networks to produce the theoretically unbreakable quantum encryption system for high speed networks.
Magic describes the process like this, “The direction in which the photons oscillated, their polarization, represented the 0s or 1s of a series of quantum bits, or qubits. The qubits constituted a cryptographic "key" that could be used to encrypt or decipher a message. What kept the key from prying eavesdroppers was Heisenberg's uncertainty principle--a foundation of quantum physics that dictates that the measurement of one property in a quantum state will perturb another. In a quantum cryptographic system, any interloper tapping into the stream of photons will alter them in a way that is detectable to the sender and the receiver. In principle, the technique provides the makings of an unbreakable cryptographic key.”
An entangled photon cryptographic system based on the same laws of physics was developed by Anton Zeilinger and the University of Vienna and the Austrian company ARC Seibersdorf Research. A test transfer of money between Vienna City Hall and Bank Austria Creditanstalt has already been performed as well. In this system the pairs of entangled photons used were generated by firing a laser through a crystal to effectively split single photons into two. One photon from each entangled pair was then sent from the bank to the city hall via optic fibre.
Any attempt to intercept the photons in transit to determine their key would be immediately obvious to those monitoring the state of the other photons in each pair and thus the system is unbreakable although perhaps susceptible to disruption.
So perhaps the first question you should ask of your next web host, bank, or online store before you spend a penny is, “Got quantum encryption?”
