SHA-1 flaw seen as no risk to one-time password proposal
The vulnerability in the SHA-1 one-way hash function rocked the cryptographic world
Computerworld - The vulnerability in the SHA-1 one-way hash function, which recently rocked the cryptographic world, is not seen as a threat to a new generation of one-time password products based on the encryption standard.
The Initiative for Open Authentication's (Oath) Hashed Message Authentication Code (HMAC), a one-time password (OTP) proposal based on SHA-1, is being promoted as a key technology for broadening the authentication marketplace. Analysts at The Yankee Group in Boston predict that the authentication market will grow at a 12% annual rate, almost doubling from $1.4 billion in 2004 to $2.4 billion in 2008.
A flaw in Oath's proposed OTP standard could dent that growth, but that isn't likely, said Phillip Hallam-Baker, a chief scientist at Oath sponsor VeriSign Inc. in Mountain View, Calif., and other cryptographers.
The vulnerability isn't a threat because less is better when it comes to preventing the reproduction of a hash value, Hallam-Baker said. Oath's algorithm for the one-time password truncates, or discards, bits from the 160-bit hash value produced by SHA-1, he said. Oath's OTP uses only enough bits to produce a six-digit sequential password, deleting the rest.
"To break the Oath password, you'd have to know exactly the hash bits left after truncation. Truncation greatly increases the difficulty of breaking the hash. Since we're not using all the hashed information, a hacker actually has less information available to [him]," which significantly increases the difficulty of breaking the Oath OTP, he said.
SHA-1 is an encryption algorithm developed by the U.S. National Security Agency in 1995 after a weakness was discovered in a predecessor, the Secure Hash Algorithm, or SHA.
Three Chinese cryptographers at Shandong University in February discovered the flaw when they created two different files that produced the same hash value (see story). Cryptographers refer to this type of attack on a hash as a "birthday attack" because the algorithms are frequently described by using the analogy of finding two people with the same birthday in a large crowd.
Any two people randomly selected from a crowd should have unique birthdays, just as cryptographic hashing functions should produce a unique value for every input of clear text. Further, no collisions, or identical hash values, should result from countless inputs of the same text.
The SHA-1 vulnerability demonstrated that an identical hash value could be computed about 2,000 times faster than a so-called brute-force attack, where a hacker tries every possible means, such as guessing passwords and trying various code combinations, to gain entry into a system. In cryptographic terms, finding a method that breaks a cipher faster than a
- A Reference Architecture for the Internet of Things The aim of this is to provide Architects and Developers of IoT projects with an effective starting point that covers the major requirements...
- REST easy: API Design, Evolution and Connection RESTful design increases API performance, reduces development effort, and minimizes operational support burden. By following a few best practices and selecting RESTful tooling,...
- The Path to Responsive IT A responsive IT team enables on-demand self-service, ticketless IT, a low cost structure & wider participation. When extending the IT team to analysts,...
- WSO2 Reduces Infrastructure Cost and Improves Agility By adopting WSO2's cloud-native multi-tenant deployment topology and offering middleware as a service, your team can reduce costs and deliver a complete solution...
- Why do you need an enterprise mobile platform? Today companies must offer great apps that run on a range of devices, and connect to an exploding set of backend data. Appcelerator...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Applications White Papers | Webcasts