mrd

Leveraging synergy in this championship year
Michael Davies' Blog

Michael Davies
michael [at] the-davies.net
GPG Id: 0x0AA9D6FC

Copyright © 2003, 2004, 2005, 2006, 2007, 2008 Michael Davies,
All Rights Reserved.
All opinions are mine only.

SHA-1 partial chosen plaintext attacks successful

So back in February, we found out that SHA-1 was gone - researchers could generate two plaintexts that produced the same hash. But at least the plaintexts were gibberish, meaning that while SHA-1 was broken, the break was of limited use.

Now comes a more serious blow - in a similar vein to the previously reported MD5 attacks, it's now possible to choose part of the plaintext and still get the same hash. Yikes.

Quoting the article:

         Using the new method, it is possible, for example, to produce two HTML
         documents with a long nonsense part after the closing  tag, which, 
         despite slight differences in the HTML part, thanks to the adapted appendage
         have the same hash value.

Now what if I could add some nasty JavaScript to a web page and retain the original hash? Validating the web page with an MD5 or SHA-1 hash won't tell you of the maliciousness. Combine that with DNS redirection and you have something a bit scary. Can you say phishing attack?
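A defensive check for the scenario in the quoted passage, added here as an example and not taken from this post or the quoted article: it flags HTML that carries a long, high-entropy appendage after the last closing tag and records a SHA-256 digest for pinning. The `</html>` tag, the function names and the thresholds are assumptions, and the sample documents are constructed.

```python
import hashlib
import math
import re

# Assumption: the closing tag meant in the quoted article is </html>.
CLOSING_TAG = re.compile(rb"</html\s*>", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_html(doc: bytes, max_trailing: int = 16,
                 entropy_limit: float = 4.5) -> dict:
    """Report data found after the last closing tag, plus a SHA-256 digest."""
    matches = list(CLOSING_TAG.finditer(doc))
    # Whitespace after the closing tag is normal, so it is ignored.
    trailing = doc[matches[-1].end():].strip() if matches else b""
    entropy = shannon_entropy(trailing)
    return {
        "has_closing_tag": bool(matches),
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(entropy, 2),
        # Long and random-looking data after the document end is the
        # footprint of the "adapted appendage" described in the quote.
        "suspicious": len(trailing) > max_trailing and entropy > entropy_limit,
        "sha256": hashlib.sha256(doc).hexdigest(),
    }


# Constructed samples: a clean page and the same page with a
# pseudo-random appendage (this is NOT a real collision block).
CLEAN = b"<html><body><p>Hello</p></body></html>\n"
APPENDAGE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
PADDED = CLEAN + APPENDAGE

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("padded", PADDED)):
        print(name, inspect_html(doc))
```

The trailing-data check is a heuristic for this one document layout; the digest comparison against a known-good SHA-256 value is what actually decides whether the page changed.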

We need a new hashing function, openly and publicly selected, just like AES. Moving to SHA-256 or SHA-512 is just a stop-gap measure.

| 28 Aug 2006 | #