The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

If you haven't yet, Stop using MD-5 and SHA-1 today

Posted by Xavier Ashe on June 15, 2005

Cryptographers have found a way to snip a digital signature from one
document and attach it to a fraudulent document without invalidating
the signature and giving the fraud away.

The development means that attackers could potentially forge legal
documents, load certified software with bogus code, or turn a
digitally-signed letter of recommendation into one that authorises
access to private information.

Cracks in these hash functions first surfaced in August 2004 when
Xiaoyun Wang and colleagues at the Shandong University of Technology in
China, demonstrated that two documents could be found that produced the
same hash function called MD-5.

In February 2005 Wang demonstrated the same thing – called a collision
– but with the US Government’s gold-standard algorithm SHA-1, which was considered more secure than MD-5.

Read the full article at New Scientist.
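
The signature transplant described in the excerpt works because hash-then-sign schemes sign only the digest, so any two documents with the same digest share one valid signature. The following is an added example, not code from this post or from the New Scientist article. Its assumptions: SHA-256 truncated to 24 bits stands in for a collision-prone hash, HMAC with a constructed key stands in for the signer's private-key operation, and both documents are constructed sample text.

```python
import hashlib
import hmac
from itertools import count

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for the signer's private key
GOOD = b"Letter of recommendation for A. Example."    # constructed sample text
BAD = b"Grant A. Example access to private records."  # constructed sample text

def weak_digest(data):
    """Assumed stand-in for a collision-prone hash: SHA-256 cut to 24 bits."""
    return hashlib.sha256(data).digest()[:3]

def strong_digest(data):
    """Full-length SHA-256, the replacement the comparison is made against."""
    return hashlib.sha256(data).digest()

def sign(data, digest):
    """Hash-then-sign: only the digest is signed, never the document itself."""
    return hmac.new(KEY, digest(data), hashlib.sha256).digest()

def verify(data, signature, digest):
    return hmac.compare_digest(sign(data, digest), signature)

def colliding_pair(digest):
    """Vary a filler suffix on both texts until one of each shares a digest."""
    good_seen, bad_seen = {}, {}
    for n in count():
        good, bad = GOOD + b" ref:%d" % n, BAD + b" ref:%d" % n
        good_seen[digest(good)] = good
        bad_seen[digest(bad)] = bad
        if digest(good) in bad_seen:
            return good, bad_seen[digest(good)]
        if digest(bad) in good_seen:
            return good_seen[digest(bad)], bad

def demo():
    good, bad = colliding_pair(weak_digest)
    weak_sig = sign(good, weak_digest)      # the signer only ever saw `good`
    strong_sig = sign(good, strong_digest)
    return {
        "documents_differ": good != bad,
        "weak_accepts_bad": verify(bad, weak_sig, weak_digest),
        "strong_accepts_good": verify(good, strong_sig, strong_digest),
        "strong_accepts_bad": verify(bad, strong_sig, strong_digest),
    }

if __name__ == "__main__":
    print(demo())
```

A verifier that recomputes the digest with a collision-resistant function rejects the second document, which is the practical reason to retire MD-5 and SHA-1 from signing.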


No Responses Yet to “If you haven't yet, Stop using MD-5 and SHA-1 today”

  1. Anonymous said

    “The findings rattled cryptographers, but it was still not clear that malicious attackers would be able to exploit them. Although the collisions could be used to produce two documents with the same signature, there was no way to control the content of the documents.”
    Read the article before posting


  2. Anonymous said


  3. Anonymous said

    Ok, this has been around for a while; authentication algorithms have been known to be duplicated or replicated before but not fully manipulated. Also, some “independent security consultant” can tell me his opinion all he wants; when it boils down to it he can think whatever he wants.

