SHA1 crypto algorithm underpinning Internet security could fall by 2018

24khost Member
edited October 2012 in General

Okay so Ars Technica has an article suggesting that all device and web programmers need to start making their way away from SHA1 to SHA3 (as soon as it's available). I always see people using md5 hashes and still using it to protect passwords. Do we really need to start programming worrying about collision testing?

http://arstechnica.com/security/2012/10/sha1-crypto-algorithm-could-fall-by-2018/


Comments

  • Shouldn't be using any fast hashing algorithms for protecting passwords anyways, not md5, not sha1, and not even sha3. You should be using something slow, like bcrypt.

  • gbshouse Member, Host Rep

    First of all read this and this, then move your code to SHA2 (SHA256 minimum, SHA512 should be enough for now). Besides that, use only FIPS compliant libraries (for example OpenSSL).

  • @NickM said: Shouldn't be using any fast hashing algorithms for protecting passwords anyways, not md5, not sha1, and not even sha3. You should be using something slow, like bcrypt.

    ^ this.

    Any hashing algorithm is insecure due to the fact that it is not designed to hash passwords. It was designed to calculate checksums or message integrity. Hashing algorithms are optimised for CPU and thus are vulnerable to brute-force attacks. Bcrypt is the way to go.

    http://www.phptherightway.com/#password_hashing_with_bcrypt

  • gbshouse Member, Host Rep

    @haphan - from the theoretical point of view bcrypt's slowness is by design, but try to use it in large scale setups when you need to calculate "hashes" as quickly as possible. From the practical point of view SHA256/512 with salt is enough. Besides, bcrypt is not FIPS compliant so it can't be used in any "enterprise" class project.
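    An added illustration of the fast-versus-slow point argued in haphan's and gbshouse's posts (example code written for this page, not from the thread or from PHP The Right Way): the "SHA-256 with salt" scheme beside a slow, salted KDF, with a rough measurement of how many guesses per second an attacker gets against each. bcrypt is not in Python's standard library, so hashlib.scrypt stands in as the slow KDF; the password strings and the 0.5-second measurement window are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# bcrypt is not in the standard library, so scrypt (hashlib.scrypt) stands in
# as the slow, salted KDF. These are the scrypt work-factor parameters.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest): a fresh random 16-byte salt and the scrypt output."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def salted_sha256(password: str, salt: bytes) -> bytes:
    """The fast 'SHA-256 with salt' scheme: one cheap hash call per guess."""
    return hashlib.sha256(salt + password.encode()).digest()


def guesses_per_second(fn: Callable[[str, bytes], bytes], salt: bytes,
                       seconds: float = 0.5) -> float:
    """Rough single-core rate at which an attacker can test guesses against a scheme."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn("guess%d" % count, salt)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    assert verify_password("correct horse battery staple", salt, digest)
    assert not verify_password("Tr0ub4dor&3", salt, digest)
    fast = guesses_per_second(salted_sha256, salt)
    slow = guesses_per_second(lambda pw, s: hash_password(pw, s)[1], salt)
    print(f"salted SHA-256: {fast:,.0f} guesses/s")
    print(f"scrypt N=2^14:  {slow:,.0f} guesses/s, about {fast / slow:,.0f}x slower per guess")
```

    The ratio printed at the end is the whole argument: the salt stops precomputed tables, but only the work factor limits how fast a leaked table can be brute-forced.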

  • vdnet Member
    edited October 2012

    Using md5 in combination with another stronger cipher is my recommendation. Keeps the string nice and neat and adds one more layer of protection.

  • 2018? Too late. It's best to avoid SHA1 and MD5 for anything critical if used alone. Security evolves very rapidly these days unfortunately.

  • @gbshouse said: Beside bcrypt it not FIPS compliant so it can't be used in any "enterprise" class project

    Why should I, if I owned a company, care if the algorithm I'm using is FIPS compliant or not?

  • gbshouse Member, Host Rep

    @gsrdgrdghd - someday some gov. agency or third party working for gov. agency will be interested in your offer/product whatever... use your imagination :)

  • Well the reason I posted in the first place is a lot of software out there (whmcs, most cms applications) still use md5 or md5+salt. Trying to figure out why they don't use sha1+salt.

  • Kairus Member
    edited October 2012

    @24khost said: Well the reason I posted in the first place is a lot of software out there (whmcs, most cms applications) still use md5 or md5+salt. Trying to figure out why they don't use sha1+salt.

    Probably low priority and every password would have to be reset, probably not worth the potential mess ups (people always mess up).

  • Even slow crypt methods such as Blowfish are deciphered too, why are you even saying that hashing algorithms are reliable? Whatever they come up with, SHA3 hashing, it is still going to be deciphered because HASHING algorithms are WORSE than CRYPT algorithms.

    Just create your own hashing or ciphering method.

  • @GIANT_CRAB said: Just create your own hashing or ciphering method.

    This. I personally have my own method that essentially encrypts a user's password using their password as the key. There is a lot more to it than just that, including randomly generated salts, but the end result is that in order to decrypt the passwords, you'd need the passwords. To decrypt all of the passwords in a database, one would need to brute force every single encrypted password individually, which would take some time as I'm using a slow/complex cipher. I'm sure as technology progresses, I'll need to find an even more complex (slower) cipher within the next few years.

  • @GIANT_CRAB said: Just create your own hashing or ciphering method.

    "Anyone can invent an encryption algorithm they themselves can't break; it's much harder to invent one that no one else can break". Bruce Schneier

  • No matter how good your home-made password cipher method is, it's still going to be nowhere near as good as the industry standards. Chances are you're not an expert at cryptography, whereas the people writing the commonly used algorithms are. Your custom methods are security through obscurity, at best.

  • @GIANT_CRAB said: Even slow crypt methods such as Blowfish are deciphered too, why are you even saying that hashing algorithms are reliable? Whatever they come up with, SHA3 hashing, it is still going to be deciphered because HASHING algorithms are WORSE than CRYPT algorithms.

    Please stop giving people incredibly bad advice. How "is Blowfish deciphered"? And hashing algorithms being deciphered? What? You don't have any clue what you are talking about.

    @GIANT_CRAB said: Just create your own hashing or ciphering method.

    If you seriously think that you can "design" your own encryption and hashing functions I feel very sorry for you. I recommend you to work together with the Kryptochef on his "fullbit encryption".

  • I remember reading somewhere that to break a 192 bit Blowfish key would physically require the same amount of energy as is contained in our sun.

    Personally, I've found home made encryption to be extremely effective, the whole concept of industry standard being better is something they've ingrained into people's minds because they are afraid of people using something that they(investigation agencies) will have no clue how to decrypt.

    Funny story I made a compression algorithm a little while back and I'm 100% certain that no one on this planet other than me can decompress the messages without a unique key that is included in the compressed file. In other words I created a perfect encryption method and I wasn't even going for encryption. I don't really want to share the method and I don't really know how to monopolize on it either, so you'll probably never see it.

  • So no way to prove or disprove your theory

  • 24khost I'm pretty sure akumaburn's post is a satire
