SHA-1 flaw seen as no risk to one-time password proposal
The vulnerability in the SHA-1 one-way hash function rocked the cryptographic world
Computerworld - The vulnerability in the SHA-1 one-way hash function, which recently rocked the cryptographic world, is not seen as a threat to a new generation of one-time password products based on the encryption standard.
The Initiative for Open Authentication's (Oath) Hashed Message Authentication Code (HMAC), a one-time password (OTP) proposal based on SHA-1, is being promoted as a key technology for broadening the authentication marketplace. Analysts at The Yankee Group in Boston predict that the authentication market will grow at a 12% annual rate, almost doubling from $1.4 billion in 2004 to $2.4 billion in 2008.
A flaw in Oath's proposed OTP standard could dent that growth, but that isn't likely, said Phillip Hallam-Baker, a chief scientist at Oath sponsor VeriSign Inc. in Mountain View, Calif., and other cryptographers.
The vulnerability isn't a threat because less is better when it comes to preventing the reproduction of a hash value, Hallam-Baker said. Oath's algorithm for the one-time password truncates, or discards, bits from the 160-bit hash value produced by SHA-1, he said. Oath's OTP uses only enough bits to produce a six-digit sequential password, deleting the rest.
"To break the Oath password, you'd have to know exactly the hash bits left after truncation. Truncation greatly increases the difficulty of breaking the hash. Since we're not using all the hashed information, a hacker actually has less information available to [him]," which significantly increases the difficulty of breaking the Oath OTP, he said.
SHA-1 is an encryption algorithm developed by the U.S. National Security Agency in 1995 after a weakness was discovered in a predecessor, the Secure Hash Algorithm, or SHA.
Three Chinese cryptographers at Shandong University in February discovered the flaw when they created two different files that produced the same hash value (see story). Cryptographers refer to this type of attack on a hash as a "birthday attack" because the algorithms are frequently described by using the analogy of finding two people with the same birthday in a large crowd.
Any two people randomly selected from a crowd should have unique birthdays, just as cryptographic hashing functions should produce a unique value for every input of clear text. Further, no collisions, or identical hash values, should result from countless inputs of the same text.
The SHA-1 vulnerability demonstrated that an identical hash value could be computed about 2,000 times faster than a so-called brute-force attack, where a hacker tries every possible means, such as guessing passwords and trying various code combinations, to gain entry into a system. In cryptographic terms, finding a method that breaks a cipher faster than a
- How Four Citrix Customers Solved the Enterprise Mobility Challenge Managing mobile devices, data and all types of apps-Windows, datacenter, web and native mobile- through a single solution.
- 8 Steps to Fill the Mobile Enterprise Application Gap Traveling executives and Millennials alike expect to communicate, collaborate and access their important work applications and data from anywhere on whatever device they...
- Seattle Children's Accelerates Citrix Login Times by 500% with Cross-Tier Insight Seattle Children's is a leading research hospital with a large and growing Citrix XenDesktop deployment. With ExtraHop, the IT team at Seattle Children's...
- McKesson Makes Application Hosting for Hospitals Faster, More Efficient With ExtraHop, McKesson identified the root cause of slow Citrix XenApp application launches and adopted a more intelligent, proactive IT operations model that...
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt.
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Applications White Papers | Webcasts