Hanno's blog

At least since 2005 it's well known that the cryptographic hash function SHA1 is seriously flawed and it's only a matter of time until it will be broken. However, it's still widely used and it can be expected that it'll be used long enough to allow real world attacks (as it happened with MD5 before). The NIST (the US National Institute of Standards and Technology) suggests not to use SHA1 after 2010, the german BSI (Bundesamt für Sicherheit in der Informationstechnik) says they should've been fadet out by the end of 2009.

The probably most widely used encryption protocol is SSL. It is a protocol that can operate on top of many other internet protocols and is for example widely used for banking accounts.

As SSL is a pretty complex protocol, it needs hash functions at various places, here I'm just looking at one of them. The signatures created by the certificate authorities. Every SSL certificate is signed by a CA, even if you generate SSL certificates yourself, they are self-signed, meaning that the certificate itself is it's own CA. From what I know, despite the suggestions mentioned above no big CA will give you certificates signed with anything better than SHA1. You can check this with:
openssl x509 -text -in [your ssl certificate]
Look for "Signature Algorithm". It'll most likely say sha1WithRSAEncryption. If your CA is good, it'll show sha256WithRSAEncryption. If your CA is really bad, it may show md5WithRSAEncryption.

When asking for SHA256 support, you often get the answer that the software still has problems, it's not ready yet. When asking for more information I never got answers. So I tried it myself. On an up-to-date apache webserver with mod_ssl, it was no problem to install a SHA256 signed certificate based on a SHA256 signed test CA. All browsers I've tried (Firefox 3.6, Konqueror 4.3.5, Opera 10.10, IE8 and even IE6) had no problem with it. You can check it out at https://sha2.hboeck.de/. You will get a certificate warning (obviously, as it's signed by my own test CA), but you'll be able to view the page. If you want to test it without warnings, you can also import the CA certificate.

I'd be interested if this causes any problems (on server or on client side), so please leave a comment if you are aware of any incompatibilities.

Update: By request in the comments, I've also created a SHA512 testcase.

Update 2: StartSSL wrote me that they tried providing SHA256-certificates about a year ago and had too many problems - it wasn't very specific but they mentioned that earlier Windows XP and Windows 2003 Server versions may have problems.

I just read an article about the recent wordpress vulnerability (if you're running wordpress, please update to 2.5.1 NOW), one point raised my attention: The attack uses MD5-collisions.

I wrote some articles about hash collisions a while back. Short introduction: A cryptographic hash-function is a function where you can put in any data and you'll get a unique, fixed-size value. »unique« in this case scenario means that it's very hard to calculate two different strings matching to the same hash value. If you can do that, the function should be considered broken.

The MD5 function got broken some years back (2004) and it's more or less a question of time when the same will happen to SHA1. There have been scientific results claiming that an attacker with enough money could easily create a supercomputer able to create collisions on SHA1. The evil thing is: Due to the design of both functions, if you have one collision, you can create many more easily.

Although those facts are well known, SHA1 is still widely used (just have a look at your SSL connections or at the way the PGP web of trust works) and MD5 isn't dead either. The fact that a well-known piece of software got issues depending on hash collisions should raise attention. Pretty much all security considerations on cryptographic protocols rely on the collision resistance of hash functions.

The NIST plans to define new hash functions until 2012, until then it's probably a safe choice to stick with SHA256 or SHA512.

Die Chaosdays in Darmstadt sind vorbei, zum Bloggen bin ich nicht viel gekommen.

Ein paar spannende Vorträge warn dabei, Samstag einmal Pylon zu UTF-8, was mir evtl. vermitteln konnte, warum das bei mir immer noch weit entfernt von optimal funktioniert und an welchen Konfigurationsschrauben ich da noch drehen könnte. Anschließend ein sehr interessanter Vortrag zum Absichern von Linux-Servern, zwar hatte der Autor an einigen Stellen Ansätze, die ich nicht wirklich nachvollziehen konnte (http-traffic nach außem sperren - mein Einwand zwecks Trackbacks und XML-RPC erzeugte dann etwas komische Vorschläge a la bestimmte IPs zulassen), aber durchaus eine größere Menge von möglichen Maßnahmen, die ich noch nicht kannte und mal genauer unter die Lupe nehmen werde, ob sie für den schokokeks praktikabel sind.
Samstag abend gab es einen extrem coolen Liveact mit Akkustikgitarre und Gameboy.

Heute blieb ich noch bis zum Vortrag von Rüdiger Weis über Hashes, bei dem ich leider etwas das Gefühl hatte, »Rüdi, leg mal ne neue Platte auf«. Den fast identischen Vortrag hatte ich bereits auf dem Kongress und der whatthehack gehört, mich hätte insb. eine etwas genauere Beleuchtung der jüngsten Ergebnisse der Crypto-Konferenz interessiert.

Desweiteren hab ich 4 Laptops anderer Besucher mit compiz/aiglx versorgt, sowie einen Lightningtalk dazu gehalten (Slides OpenDocument, Slides PDF). Hatte das erste Mal das Vergnügen, mir einen Macbook näher anzuschauen (also, ein nettes Spielzeug isses ja, aber kann man damit eigentlich auch arbeiten? Dem fehlen ja nicht nur Maustasten sondern auch ganz viele Tasten auf der Tastatur), desweiteren sponnen wir einige Ideen, wie man die Bewegungs- und Schocksensoren in Apple- und IBM-Hardware kreativ nutzen kann, vielleicht später mehr dazu.