Fw: Relying on encryption is iffy. Undisclosed encryption is iffier.

["David Webber \(XML\)" <david@drrw.info>]

FYI, 

Horrible pun on 'red flag' - but then that's what
copy editors do!

DW

> # "Crack in Computer Security Code Raises Red Flag"
> Wall Street Journal (03/15/05) P. A1; Forelle,
> Charles
> 
> A flaw in a "hash function" technique for
> encrypting online data has been uncovered by a
> team of Chinese researchers at Shandong
> University, and this has raised alarms in the
> computer security industry because it casts doubt
> on the so-called impenetrability of hash
> function-based cryptography. The researchers
> found the vulnerability using the SHA-1 hash
> algorithm, a federal standard circulated by the
> U.S. National Institute of Standards and
> Technology (NIST) that is also considered to be
> cutting edge as well as the most popularly
> employed hash function. The Shandong team learned
> that "collisions," in which two different chunks
> of data yield the same hash, can be uncovered in
> SHA-1 far faster than previously thought.
> Cryptographers say the exploitation of the flaw,
> though seemingly impractical, could affect
> applications involving authentication,
> theoretically enabling a hacker to erect a bogus
> Web site with convincing security credentials and
> steal data sent to it by unsuspecting users.
> Counterpane Internet Security CTO Bruce Schneier
> confirms the existence of the SHA-1 flaw, which
> the Chinese researchers have not publicized. NIST
> is advising federal agencies to keep SHA-1 out of
> any new applications, and urging them to devise
> plans to eliminate SHA-1 from existing
> applications. Recently demonstrated
> vulnerabilities in other hash functions such as
> MD4 and MD5--which SHA-1 is based on--have also
> made cryptographers nervous. Concerns about
> information security are at an all-time high even
> without revelations about hash functions'
> vulnerability, most recently thanks to break-ins
> at data aggregators LexisNexis and ChoicePoint. 
>