Work Under Way on New Cryptographic Algorithms

Collision attacks have shown that widely deployed hash algorithms are weakening. NIST has an open competition to develop a new SHA-3 function as a successor to the older SHA-1 and SHA-2 hash functions.

March 4, 2009


Attacks against cryptographic algorithms recently made headlines when a group of researchers from the United States and Europe demonstrated at the 25th Annual Chaos Communication Congress in Berlin how they could create a forged certificate-authority certificate, chained to a root that browsers trust, by exploiting collisions in the MD5 (Message-Digest algorithm 5) hash function and using a cluster of about 200 Sony PlayStation 3 consoles to do the computation. MD5 was still being used to sign some of the digital certificates that VeriSign issued to authenticate Websites.

Hash functions are a building block of digital signatures: a signer signs the hash of a document rather than the document itself, so the hash is what binds a certificate to a Website or a signature to an application. They also appear in authentication schemes for a wide variety of applications and products, including Secure Sockets Layer for communicating over the Web and within VPNs. Hash values can also be used as fingerprints for detecting duplicate data files and file version changes, or as checksums to guard against accidental data corruption.

The MD5 collision attack meant that forged certificates could be created to fool Website visitors into thinking a bogus Website was, in fact, legitimate -- an obvious potential boon for phishing sites. Shortly after the researchers' announcement, VeriSign moved to stop signing certificates with MD5 and to reissue the certificates it had issued using MD5 with SHA-1 (Secure Hash Algorithm 1).

Security analysts have been urging organizations to stop using the aged MD5 algorithm for a number of years and to replace it, at the very least, with SHA-1. But, increasingly, experts say SHA-1 may only have a few years of usefulness left before it no longer provides a viable level of security.

"We've got MD5 today, which is completely broken, but too many people are still using it," says Paul Kocher, president and chief scientist of Cryptography Research, who helped author the SSL 3.0 specification. "And the recent work completed by researchers showed how easily MD5 certificates could be forged."

But, Kocher adds, organizations that have upgraded to SHA-1 may be looking at a situation where they'll have to replace that aging algorithm, too, in the next few years. "It's never clear when the next chink will appear in SHA-1's armor," says Kocher. One big chink came in 2005, when Chinese researchers Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu announced a collision attack on SHA-1 costing about 2^69 hash operations, well below the 2^80 that a generic birthday attack on a 160-bit hash should require. Most cryptographers believe it is only a matter of years before SHA-1 is broken further. "Watching these algorithms fade is a lot like watching paint dry, which in one sense is good, because it will give us some time to get away from SHA-1," says Kocher.

The National Institute of Standards and Technology (NIST) isn't waiting for SHA-1 to fail. The standards body currently has an open competition under way to select a new SHA-3 hash function as a successor to the older SHA-1 and SHA-2 hash functions. The contest was announced in November 2007, and the winning algorithm is expected to be published in 2012.

"What we’re generally recommending for customers now is that if they are using MD5, they should switch immediately to SHA-256. If they are using SHA-1, don't swap it out until we have the new algorithm available," Kocher explains. "That said, it's important to make preparations to switch in case there is an unpleasant surprise with another attack that weakens SHA-1 further."
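The first step in acting on that advice is finding out which hash each certificate in an estate was actually signed with. The following is an added example, not code from the original article or from any vendor: it reads the signatureAlgorithm field of a DER-encoded X.509 certificate and flags MD2, MD5 and SHA-1 signatures. It implements only the minimal DER walking needed to reach that field, and the certificates it audits are constructed shells built by the hypothetical `fake_cert` helper (a placeholder tbsCertificate and a dummy signature), not real certificates.

```python
# Added example: audit the signatureAlgorithm of DER-encoded X.509 certificates.
# The DER walker reads only the outer structure of a certificate; fake_cert()
# builds constructed sample certificates with a placeholder tbsCertificate.

# signatureAlgorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "weak"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
}

SEQUENCE, OID, NULL, BIT_STRING, INTEGER = 0x30, 0x06, 0x05, 0x03, 0x02


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Single-byte tags only, which is all the top level of a certificate uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]      # first octet packs the first two arcs
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit set on continuation octets
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return the dotted OID from Certificate.signatureAlgorithm (RFC 5280 layout)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)        # tbsCertificate: skipped entirely
    tag, alg_id, _ = read_tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE { oid, params }
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_raw, _ = read_tlv(alg_id, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_raw)


def assess(cert_der):
    """Map the certificate's signature algorithm to (name, 'weak' | 'ok' | 'unknown')."""
    oid = signature_algorithm(cert_der)
    return SIG_ALG_OIDS.get(oid, (oid, "unknown"))


# --- constructed sample data: a tiny DER encoder and a placeholder certificate shell ---

def der(tag, content):
    """Encode a DER TLV, using the long length form when content is >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(OID, bytes(out))


def fake_cert(sig_oid):
    """Constructed sample (hypothetical helper): structurally a Certificate, but the
    tbsCertificate is just a placeholder serial number and the signature is 256 dummy
    bytes, which also forces the long-form length on the outer SEQUENCE."""
    tbs = der(SEQUENCE, der(INTEGER, b"\x01"))
    alg = der(SEQUENCE, encode_oid(sig_oid) + der(NULL, b""))
    sig = der(BIT_STRING, b"\x00" * 257)    # leading 0x00 = no unused bits
    return der(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, assess(fake_cert(oid)))
```

On real certificates the same field is what `openssl x509 -in cert.pem -noout -text` prints as "Signature Algorithm". A production audit should use a full X.509 parser and also confirm that the algorithm in the outer signatureAlgorithm field matches the one in the tbsCertificate.signature field, since a mismatch between the two is itself a red flag.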

For organizations interested in reviewing the recommended practices for handling federally approved hash functions, NIST has just released Special Publication 800-107, "Recommendation for Applications Using Approved Hash Algorithms." This publication provides guidelines on how to reach an acceptable level of security when using the hash algorithms approved in the Federal Information Processing Standards (FIPS).

In October, NIST simplified the Secure Hash Standard with the release of FIPS 180-3. The standards body removed several implementation details from the document to make the standard more flexible to employ. The approved algorithms are SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. NIST also released Special Publication 800-106, "Randomized Hashing for Digital Signatures," which details how to strengthen a signature against collision attacks on the underlying hash by mixing a fresh random value into the message before it is hashed, so that an attacker cannot prepare a colliding pair of messages in advance. The hash value computed over a document, once signed, assures a verifier that the contents have not been altered.
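To make the randomized-hashing idea concrete, here is an added example, not code from the original article and not a conformant implementation of SP 800-106: a byte-oriented variant of the standard's message randomization (the standard works on bit strings and appends a single one bit; this version appends a 0x80 terminator byte instead). The signer chooses a random value rv per signature, transforms the message with it, hashes the result with SHA-256, and sends rv alongside the signature; the verifier repeats the transform. The function names and the sample message are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Added example: byte-oriented variant of SP 800-106 message randomization
# (illustrative, not conformant). Randomized message layout:
#     rv || (m XOR rv repeated to the length of m) || rv_length_in_bits (16-bit, big-endian)
# where m is the message, a 0x80 terminator byte, and zero padding up to len(rv).


def randomize_message(message, rv):
    if not 10 <= len(rv) <= 128:              # 80..1024 bits, the rv range SP 800-106 allows
        raise ValueError("rv must be between 10 and 128 bytes")
    m = message + b"\x80"                     # terminator so trailing zero padding is unambiguous
    if len(m) < len(rv):
        m += b"\x00" * (len(rv) - len(m))     # pad short messages up to the length of rv
    mask = (rv * (len(m) // len(rv) + 1))[:len(m)]
    m_prime = bytes(a ^ b for a, b in zip(m, mask))
    return rv + m_prime + (len(rv) * 8).to_bytes(2, "big")


def derandomize_message(randomized):
    """Inverse transform, included to show the encoding is unambiguous; a verifier
    normally receives the message and rv separately and just re-runs randomize_message."""
    rv_len = int.from_bytes(randomized[-2:], "big") // 8
    rv, m_prime = randomized[:rv_len], randomized[rv_len:-2]
    mask = (rv * (len(m_prime) // rv_len + 1))[:len(m_prime)]
    m = bytes(a ^ b for a, b in zip(m_prime, mask))
    return m.rstrip(b"\x00")[:-1]             # drop zero padding, then the 0x80 terminator


def randomized_digest(message, rv):
    """The value the signer actually signs: H(randomize(M, rv)) instead of H(M)."""
    return hashlib.sha256(randomize_message(message, rv)).digest()


def sign_digest(message, rv=None):
    """Signer side: a fresh rv per signature, chosen AFTER the message is fixed,
    so a pre-computed colliding pair (as in the MD5 certificate attack) is useless.
    rv travels with the signature; the private-key operation on the digest is
    left out of this example."""
    rv = rv or os.urandom(16)
    return rv, randomized_digest(message, rv)


def verify_digest(message, rv, digest):
    """Verifier side: recompute the randomized digest and compare in constant time."""
    return hmac.compare_digest(randomized_digest(message, rv), digest)


if __name__ == "__main__":
    msg = b"pay 100 to alice"                # constructed sample message
    rv, d = sign_digest(msg)
    print(rv.hex(), d.hex(), verify_digest(msg, rv, d))
```

The point of the construction is timing: an attacker who can find two messages with the same hash must commit to both before the signer picks rv, and the randomization changes what is actually hashed, so the collision no longer carries over to the signed value. It protects only against collision attacks; it does nothing for preimage or second-preimage weaknesses, and the hash's own strength still bounds the security of the signature.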

In SP 800-107, NIST notes that a hash function that is no longer suitable for one application may still be suitable for other cryptographic applications that do not require the same security properties, and the publication goes on to detail the strength of each approved algorithm, in bits of security, for each property, including collision resistance and preimage resistance.

The documents may be worth a look, since three to four years may be too long a life expectancy to expect from SHA-1. Meanwhile, some of the early algorithms submitted to the NIST contest look promising. "NIST is in the process now of winnowing the list down and trying to figure out whether any of the submissions meet all the requirements," Kocher says. "This process is bound to spur a lot of great research, and we'll probably get a good algorithm as a result. But they have to pick carefully, because we'll be living with the result for decades."
