SHA-1 hashing is broken

by Ragnar Schierholz

It seems as if a research team at Shandong University in China Institute for Applied Information Processing and Communications has found a way to break the SHA-1 hashing algorithm. The team has published a paper describing collision searches on SHA-1 hashes at the Crypto2006 conference, and a short note on the results can be found here (PDF, 48kB).

Basically, the algorithm finds an appendix to an arbitrary message which results in a collision with an authentic message, making it possible to manipulate any authentic message while maintaining a valid signature.

Now I am wondering: does this make highly structured content (e.g. valid XML documents) less vulnerable to these attacks, since an appendix would hardly go unnoticed?

Update: Thanks Richard for pointing this out, the link really pointed to the outdated material. Sorry for the confusion. The talk at Crypto 2006 is actually a new approach.


Comments

This seems to be old news. SHA-1 was reported to be cracked in February 2005 (and I blogged about it back then, but no pimping from me today!) and the pdf linked above is also from then. None of the authors of that paper appear to be listed as presenters at Crypto2006, though one is a session chair.

Richard Schwartz, 2006-08-27

As Richard pointed out, the paper linked to originally really is from Feb 2005. I corrected the link and the "citation" in the post. Sorry for any confusion.

Ragnar Schierholz, 2006-08-27

XML documents are not less vulnerable than plain text documents. The "hash correction" data can be inserted anywhere. This means that you can also put it into a comment or somewhere else where it doesn't affect the integrity.

Just switch to SHA-256 or SHA-512.

Timo Stamm, 2006-08-27

Timo, point taken, comments allow for plain text to be inserted without violating the XML structure. But where else can you simply insert gibberish into an XML document without violating well-formedness or at least validity?

Ragnar Schierholz, 2006-08-27

Timo, actually comments are ignored by default in XML Signature.

The canonicalized XML document is signed. By canonicalization, the logical representation of the document (the XML tree with the XML elements as allowed or required for well-formedness and/or validity) is transformed into a physical representation of the document (the text stream of characters forming the document). This is done by a standardized algorithm (see XML Canonicalization Algorithms). XML Signature actually can use different canonicalization methods; the default is a canonicalization which ignores comments. Therefore, anything inserted into a comment is not considered when computing the hash, thus it is not helpful in creating a collision.

Ragnar Schierholz, 2006-08-27
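
The canonicalization behaviour described in the comment above, as an added example that is not part of the original post or its comments: it hashes the canonical form of three constructed documents and reports which edits the digest actually covers. Assumptions: Python's `xml.etree.ElementTree.canonicalize` (C14N 2.0, Python 3.8+) stands in for the canonicalization step of XML Signature, SHA-256 is used as the digest, and the sample documents and helper names are made up for illustration.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample documents (not taken from the page).
ORIGINAL = '<order id="17" currency="EUR"><item>book</item><total>10</total></order>'
# Same content, different physical form: attribute order and tag whitespace.
REFORMATTED = '<order currency="EUR"   id="17" ><item>book</item><total>10</total></order>'
# Filler bytes placed in a comment.
WITH_COMMENT = ('<order id="17" currency="EUR"><item>book</item>'
                '<!-- 9f3a filler bytes --><total>10</total></order>')
# Filler bytes placed in element content.
WITH_TEXT = '<order id="17" currency="EUR"><item>book</item><total>10 9f3a</total></order>'


def digest(xml_text, with_comments=False):
    """SHA-256 over the canonical character stream of the document."""
    canonical = canonicalize(xml_text, with_comments=with_comments)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def covered_by_digest(original, modified, with_comments=False):
    """True if the difference between the two documents changes the digest."""
    return digest(original, with_comments) != digest(modified, with_comments)


def report():
    """Map each edit to whether the digest covers it (comments omitted vs. kept)."""
    edits = {"reformatted": REFORMATTED, "comment": WITH_COMMENT, "text": WITH_TEXT}
    return {
        name: (covered_by_digest(ORIGINAL, doc, with_comments=False),
               covered_by_digest(ORIGINAL, doc, with_comments=True))
        for name, doc in edits.items()
    }


if __name__ == "__main__":
    for name, (without_c, with_c) in report().items():
        print(f"{name:12s} covered (comments omitted): {without_c}   "
              f"covered (comments kept): {with_c}")
```

With comments omitted, the comment edit leaves the digest unchanged, so comment bytes play no part in the hash, while any change to element content is covered.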

There are differences in how hashing/encryption algorithms and document object models are developed. Hashing algorithms are based on mathematical theories and usually implemented by security experts and they are constantly tested for theoretical and practical weaknesses by security experts. XML parsers are not developed by security experts, and they may be tested for integrity-related bugs, but not necessarily in a security-relevant manner.

To show you how major this difference is: A typical SHA-1 implementation is not longer than 200 lines of code. The Xerces Java XML Parser has 200.000 lines of code. It is impossible to prove the correct function of such a huge piece of software, and you definitely don't want your security model to rely on it.

Timo Stamm, 2006-08-28
