[ISN] Inside the Ring

InfoSec News isn at c4i.org
Mon Mar 14 04:47:23 EST 2005


http://washingtontimes.com/national/20050311-123922-9537r.htm

By Bill Gertz and Rowan Scarborough
THE WASHINGTON TIMES
March 11, 2005 

[...]

China breaks code?
    
The U.S. code-breaking community is worried about China's advances in
cracking U.S. codes.
    
Three Chinese cryptologists last month reported they had found a way
to crack a U.S. government-approved information security system known
as SHA-1, or Secure Hash Algorithm-1.
    
The SHA-1 encryption is used widely within the U.S. government,
including the Pentagon and U.S. intelligence community. It is
currently the Federal Information Processing Standard and has been
since 1994.
    
Put simply, SHA-1 is a security authentication device that is used to
verify the integrity of digital media, and to make sure that data or
messages, such as secure e-mail, are not changed during transmission.
    
Chinese researchers, Xiaoyuan Wang, Yiqun Lisa Yin and Hongbo Yu
reported in a paper Feb. 13 that they had "developed new techniques
that are very effective" for breaking SHA-1 code, without using
time-consuming "brute force" attacks.
    
The National Institute of Standards and Technology (NIST), which made
SHA-1 a federal standard, said in a statement that it could not
confirm the Chinese code-breaking but noted that the three researchers
are "reputable" specialists with cryptographic expertise.
    
NIST said the new "attack" or code-breaking "is of particular
importance in digital signature applications, such as time-stamping,
and notarization."
    
But the institute sought to play down the implications of the Chinese
claim, stating that the method described in the paper will be
"difficult to carry out in practice."
    
Still, the U.S. government is phasing out SHA-1 over the next five
years. "Due to advances in computing power, NIST already planned to
phase out SHA-1 in favor of the larger and stronger hash functions
(SHA-224, SHA-256, SHA-384 and SHA-512) by 2010," the statement said.
    
Disclosure of the code break followed China's publication of a defense
white paper in December that identifies the use of information
technology as a central element of Chinese military doctrine.
    
U.S. defense officials say China's military believes its
cyber-soldiers can successfully cripple the U.S. military by attacking
key computer-run infrastructures and other information networks.
    
Daniel E. Spisak, a private security engineer, said China is capable
of building its own SHA-1 "cracker" using computers.
    
"This could potentially allow them to access sensitive systems,"  he
said. "However, from what small knowledge I do have of how secure data
links get set up for some kinds of DOD projects, I think it would be
very difficult to exploit the SHA-1 [code break] to their advantage."
    
The danger, he noted in an e-mail, is that China could exploit a
security lapse in U.S. government networks and systems.
    
Mr. Spisak said as long as U.S. government computers are properly
protected by multiple layers of defense and authentication mechanisms,
"one can ensure it is sufficiently difficult to gain illegal access to
sensitive networks and systems even with one part failing."
    
But if proper security precautions are not taken, "then all bets could
be off," he said.
    
Bruce Schneier, a cryptography and security specialist, said the
Chinese breakthrough is not alarming. But he noted that within the
U.S. National Security Agency there is an old saying: "Attacks always
get better; they never get worse."

[...]





More information about the ISN mailing list