Wednesday, August 18, 2004

Hashes, Pigeon Holes and The Danger of Signing

Hashes cracked!


That's the headline I've been expecting to post for a while. Yet it still does not seem to be the cutting news it was expected to be.


Having said that, the Crypto '04 rump session has everybody looking at their reliance on hashes. While there may be some situations to beware of, the developing consensus is that this is not a problem. Yet...


A hash will have collisions, hence the reference to pigeons in the title. What was disturbing about the crack was that it was not just random collisions: planned and manipulated goal-seeking maths was behind it (and lots of CPU time :). Time will no doubt bring out more insights, and it seems inevitable that some of the more relied-upon hash algorithms will be exposed as having weaknesses.


So it is not really gushing news, but the cut has been made and without attention it just may fester. So deserving of attention that I even decided to link to a much more widely viewed blog. Hashes may become unsafe!


This leads into the third part of my title: the danger of signing. Digital signatures play a very important part in today's and tomorrow's financial cryptography. Not all that long ago cypherpunks were pondering the danger of dual-use digital signatures; with the risk of hash compromise this becomes even more dangerous. That is, even if you are inspecting what you are signing, there is the possibility of a deliberately modified substitute message that will hash out the same (signatures are based on the message hash). This will not affect signing purely for authentication, but may cause some severe re-evaluation for authorizations.


New and better techniques, ongoing development in the field of cryptography and a hopefully sufficient time gap between flaw discovery and practical implementation should keep everything ticking. The lesson, if indeed there is one, is to never assume any one piece is unbreakable. Careful coding is required, but so is care in the whole crypto-system. For example, by implementing an intelligent scan of the plain text prior to signing its hash, and treating that signature as true only if the plain text conforms to those standards, the sneaking in of a malicious text to distort the hash becomes that much harder.
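The signing risk and the plain-text scan described above, as an added example that is not part of the original post. It assumes a toy 16-bit hash in place of a broken real one, HMAC as a stand-in for a signature over the hash, and a hypothetical `PAY <amount> TO <name>` message format; all names and sample messages are constructed.

```python
import hashlib, hmac, itertools, re

KEY = b"constructed-demo-key"  # constructed key; HMAC stands in for a real signature
FORMAT = re.compile(rb"PAY \d{1,6} TO [a-z]{1,12}\n")  # hypothetical strict format

def weak_hash(msg: bytes) -> bytes:
    # Toy 16-bit hash: an assumed stand-in for a hash with practical collisions.
    return hashlib.sha256(msg).digest()[:2]

def sign(msg: bytes) -> bytes:
    # Only the hash is signed, so equal hashes yield equal signatures.
    return hmac.new(KEY, weak_hash(msg), hashlib.sha256).digest()

def conforms(msg: bytes) -> bool:
    # The "intelligent scan": the whole plain text must match the format.
    return FORMAT.fullmatch(msg) is not None

def verify_naive(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)

def verify_strict(msg: bytes, sig: bytes) -> bool:
    # Signature counts only if the plain text conforms.
    return conforms(msg) and verify_naive(msg, sig)

def colliding_substitute(signed: bytes, altered: bytes) -> bytes:
    # Append a free-form trailer to the altered text until the hashes match.
    target = weak_hash(signed)
    for n in itertools.count():
        candidate = altered + b"#" + str(n).encode()
        if weak_hash(candidate) == target:
            return candidate

def demo():
    original = b"PAY 100 TO alice\n"            # constructed sample messages
    sig = sign(original)
    substitute = colliding_substitute(original, b"PAY 900000 TO mallory\n")
    return {
        "same_hash": weak_hash(substitute) == weak_hash(original),
        "naive_accepts_substitute": verify_naive(substitute, sig),
        "strict_accepts_original": verify_strict(original, sig),
        "strict_accepts_substitute": verify_strict(substitute, sig),
    }

if __name__ == "__main__":
    print(demo())
```

The format check only removes the free-form space that hash-steering filler needs; it does not repair the hash, and the 16-bit toy hash is far weaker than any real one.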



Overall, the threat is still a way off. New systems should however take note and beware.

Thursday, August 05, 2004

Who Are You?

For those in Australia who can make it to Melbourne, this is worth a visit.

AUUG'2004 is the annual technical conference of AUUG, the Australian UNIX and Open Systems User Group. AUUG is the Australian organisation for UNIX and Open Source Professionals.
The theme of the conference is "Who Are You?" The conference will emphasise issues of identity and authentication on the Internet, along with issues of computer security and anonymity.
The conference will be on Wednesday 1st to Friday 3rd September 2004, preceded by 3 days of tutorials on Sunday 29th to Tuesday 31st August 2004.
The conference will be held at the Duxton Hotel, Flinders St, Melbourne.
The ubiquity of the Internet has created a raft of computer security problems: unauthorised access, email forgery, SPAM, fraudulent "phishing", denial of service, loss of privacy. Many of these problems stem from not being sure that people (or computers or programs) are who they say they are.

If you're not tempted by experts from HP, Sun and some universities, then titles of talks like "Privacy, Anonymity, and Security on the Internet" and "How To Eat An Elephant" should get you interested.


Happy Eating.