Practice Cryptography!
Even with all of the cryptologic and cryptographic technology that has existed in the world for the past 60 years, we still don't really know what encryption is good for or how to use it -- or, more importantly, why it's important. Maybe it's time for people and coders to actually start practicing how to use it, like any other skill.Saturday, April 15, 2006
What this latest example shows us (Another Big Problem in Cryptography)
Among other things, this latest example shows us that we need to not put all our eggs in one basket. For a long time, I've suggested running both SHA-1 and MD5 checksums on data (for both validation and HMAC purposes), then XORing the first 128 bits of the SHA-1 result with the MD5 result. This way, even if one or the other algorithm was compromised, the other algorithm would be able to maintain the security until something else was released.
However, this also means that we need to look for ways to make our encryption systems stepping-stoneable -- meaning, we need to find ways to migrate data from older systems (such as DES or 3DES) to newer systems (such as AES) -- and if flaws are found in AES, then we need to have a means of modifying it in-place to another algorithm.
This should be done, ideally, without ever having to decrypt the actual data, merely transform it where it exists. Is this possible? I haven't got the faintest idea. But it's something that needs to be at least examined.
However, this also means that we need to look for ways to make our encryption systems stepping-stoneable -- meaning, we need to find ways to migrate data from older systems (such as DES or 3DES) to newer systems (such as AES) -- and if flaws are found in AES, then we need to have a means of modifying it in-place to another algorithm.
This should be done, ideally, without ever having to decrypt the actual data, merely transform it where it exists. Is this possible? I haven't got the faintest idea. But it's something that needs to be at least examined.
Just a note... if you're still using MD5, STOP NOW.
http://cryptography.hyperlink.cz/MD5_collisions.html
Describes a means of generating an MD5 collision within 31 seconds on a 1.6GHz Pentium system.
Thanks to Phyxis, who pointed me to the entry on Furrbear's journal.
Describes a means of generating an MD5 collision within 31 seconds on a 1.6GHz Pentium system.
Thanks to Phyxis, who pointed me to the entry on Furrbear's journal.
Archives
2006-02-12 2006-02-19 2006-02-26 2006-03-05 2006-03-12 2006-03-19 2006-03-26 2006-04-02 2006-04-09 2006-04-16 2006-04-23 2006-07-23 2008-01-13 2008-01-20 2008-02-03 2008-02-17 2008-03-16 2008-04-06 2008-05-11
