When I was working at Sun Microsystems, one of my projects involved the use of a
database of cryptographic hashes of all the software Sun had ever released. It
was an interesting enough project and quite easy to implement, really. I sat
down one weekend, frustrated as hell with all of the red tape that was binding
my hands from the keyboard, and wrote the whole thing in Perl.
One of the crimson straps hampering my metacarpals was the fact that the
hashing algorithm in use - md5 - had seen recent weakening at the hands of a
pair of brilliant Chinese PhDs. The project to which I was assigned had been
amassing md5 sums for years and the powers-that-be were paranoid that they (the
cryptographic checksums) were not going to provide the security they (the
powers-that-be) had hoped. I was told to start looking into moving in the
direction of other hashing algorithms.
This is where things got dicey. Mathematically illiterate factions of the
department wanted to wait to release the project until "The Next Hashing
Algorithm" was adopted. You know, the one with no potential for collision.
Other members wanted to archive everything Sun ever created so we could just
release modern-algorithm checksums for everything as the new hash mechanisms
became available. This scheme was objectionable to many because much of Sun's
old bits had been lost forever - or at least the authoritative ones had. (Why
we were clinging to the idea of providing cryptographic hashing security on
files nobody had seen in a decade and had no hope of hashing with a new process,
I'll never understand.) Most of all, there was objection that no new algorithm
would ever be 100% secure and the entire project essentially lay in crumbles
under the feet of these Bible-beaters.
Assuming that the thing was ever released, whatever they adopted in the end, I'm
sure that last week's EuroCrypt news is going to rattle a few people. Sha has
seen another, serious collision attack. The worst of the lot so far.
From day one of the arguments about algorithms, I was trying to press the idea
that in perpetuity, Sun keep a pristine copy of every file we released from that
day forward and provide a hash string for every one of them that is the
concatenation of every crypto hash that had seen official use over the years.
So the md5 sum of foo.txt might be:
aabc843f86320750995d6b9a1dec2d3c
(despite the strange string in the first 4 letters, that is a legitimate hash.)
...and your sha1 sum might be:
c1b80463ab9662ae4a82d4983dc57bfd339710a8
(and that is the same file.)
...and your sha512 sum might be:
e75bcc0fc2008a6bfffacab227c3940557c44279312175659a7d2c4585683bd89d7d7993ebb03bf12a05bc980b52e60db105322517c026c9d8a402fe3e2c21d0
So the secure sum would be:
(aabc......)(c1b804....)(e75bcc...)
For those who see the 'obvious' 'flaw' (separately quoted, for good reason) I
congratulate their awareness, but consider: every one of these checksums is
vulnerable to attack individually, but finding a collision in one still leaves
you with a mismatch in the other hashes.
Given the difficulty of analysis, the likelihood of the combination attack ever
succeeding is extremely low and - given the time it would take to find such an
exploit - a new, trickier, more complex algorithm would have been concatenated
to the end of this list when that analysis was done.
Yes, this is the hashing algorithm I am suggesting that the cryptographic
community adopt. Every n years (for whatever n you like) another m bits (...)
will be added to the end of the stream by a new algorithm, designed to be the
state-of-the-art in secure hashing and as different from its predecessors as
possible.
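The scheme described above, carried out in Python as an added example (this is not the original Perl code from the post, and the function names, the constructed sample contents and the choice of sha3_256 as the "next" algorithm are mine). It builds the concatenated md5 || sha1 || sha512 string, verifies a file against a stored record by recomputing every component and reporting exactly which ones disagree, and appends a newer algorithm's digest to an existing record only when the pristine copy still matches it:

```python
import hashlib
import hmac
from typing import Dict, List, Sequence

# Hash functions in the order they "saw official use"; the composite string is
# the concatenation of their hex digests in this order (hashlib names).
ALGORITHMS: Sequence[str] = ("md5", "sha1", "sha512")


def component_digests(data: bytes, algorithms: Sequence[str] = ALGORITHMS) -> Dict[str, str]:
    """Hex digest of `data` under each algorithm, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def composite_hash(data: bytes, algorithms: Sequence[str] = ALGORITHMS) -> str:
    """The concatenated checksum, e.g. md5 || sha1 || sha512 as hex for the default list."""
    return "".join(component_digests(data, algorithms).values())


def split_composite(composite: str, algorithms: Sequence[str] = ALGORITHMS) -> Dict[str, str]:
    """Cut a composite string back into per-algorithm hex digests using each
    algorithm's fixed digest size; rejects strings of the wrong total length."""
    parts: Dict[str, str] = {}
    pos = 0
    for name in algorithms:
        width = hashlib.new(name).digest_size * 2  # hex characters per digest
        parts[name] = composite[pos:pos + width]
        pos += width
    if pos != len(composite):
        raise ValueError("composite length does not match the algorithm list")
    return parts


def verify(data: bytes, expected: str, algorithms: Sequence[str] = ALGORITHMS) -> List[str]:
    """Recompute every component and return the names that disagree with the
    stored composite. An empty list means every hash matched; a file forged to
    collide under one algorithm still shows up as a mismatch in the others."""
    stored = split_composite(expected, algorithms)
    actual = component_digests(data, algorithms)
    return [name for name in algorithms
            if not hmac.compare_digest(stored[name], actual[name])]


def extend_composite(data: bytes, old_composite: str, old_algorithms: Sequence[str],
                     new_algorithm: str) -> str:
    """Append a newer algorithm's digest, computed from the pristine copy, to an
    existing record. Refuses if the pristine copy no longer matches the record,
    so a bad file can never be re-blessed under the new algorithm."""
    bad = verify(data, old_composite, old_algorithms)
    if bad:
        raise ValueError(f"pristine copy no longer matches stored hashes: {bad}")
    return old_composite + hashlib.new(new_algorithm, data).hexdigest()


if __name__ == "__main__":
    sample = b"constructed sample contents of foo.txt\n"  # constructed, not a Sun file
    record = composite_hash(sample)
    print(record)
    print("mismatches:", verify(sample, record))
    print("after tampering:", verify(sample + b"x", record))
    # sha3_256 stands in here for "the next hashing algorithm" (my choice)
    print("extended record:", extend_composite(sample, record, ALGORITHMS, "sha3_256"))
```

Two design points worth noting. Comparison uses hmac.compare_digest so that a verifier exposed to untrusted input does not leak which prefix of a digest matched through timing. And the caveat the post hints at with its quoted 'flaw': Joux's 2004 multicollision result shows that concatenating iterated hashes gives collision resistance roughly that of the strongest component, not the sum of all of them. The practical value is the one the post describes, namely that the weakest component breaking does not break the record, and that a new component can be appended from the pristine copy without re-trusting anything.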
-rbarry