当前时区为 UTC + 8 小时



发表新帖 回复这个主题  [ 8 篇帖子 ] 
作者 内容
1 楼 
 文章标题 : [译文] Debian/Ubuntu用户们,请立即修复你的密钥和证书!!!
帖子发表于 : 2008-05-15 20:47 
头像

注册: 2007-02-27 21:47
帖子: 1473
地址: GL
送出感谢: 0 次
接收感谢: 0 次
本文译自:http://isc.incidents.org/diary.html

发布日期:2008-05-15,
最后更新:2008-05-15 12:02:47 UTC
作者:Bojan Zdrnja (Version: 2)

几天以前Swa写了篇日记,关于Debian/Ubuntu 中的一个PRNG 高危安全漏洞。

今天Matt的贴告诉我们,H D Moore 在他写的一个网页中列出了他用暴力方式的破解的所有SSH 1024, 2048 和 4096-bit RSA 密钥。

这显然极其严重:如果你正在用Debian或 Ubuntu系统,而且正在使用密钥进行SSH认证(讽刺的是,这东西正是我们一直推荐使用的!),而这些密钥是在2006年9月──2008年3月13日之间产生的,那么你的系统就容易受到攻击。换句话说,这些安全体系可能很容易被暴力破解。更糟的是,H D Moore说他不久就会发布一个暴力破解工具,攻击者用此工具可以轻易获得使用公钥认证的任何SSH账号的访问权。

但这还没有完。记住,在易受攻击的系统上的任何加密材料均可能受到侵害。如果你在Debian或Ubuntu这样的系统中生成SSL密钥,你就必须重新生成证书并用其重新登录。现在,攻击者甚至可以解密任何旧的SSH会话。

Debian项目的伙计们发布了一个工具,可以检测弱的密钥(并不是100%正确,因为工具中包含的黑名单有可能不完全)。可以从http://security.debian.org/project/extra/dowkd/dowkd.pl.gz下载这个工具。

最末一行是:这个实在是太。。。严重,太。。。恐怖了。 请检查你的系统,确认打了补丁并重新生成了所有潜在的弱加密材料。

更新:

如果这与几天前我们报告的日渐增多的SSH攻击相关的话,还有几个问题(见http://isc.sans.org/diary.html?storyid=4408)。在这个时刻,我们觉得这只是个巧合。任何情况下你都可以通过检查日志的方式帮助我们────如果攻击者正在试图暴力破解登录密码,那这些攻击与此无关,但如果你看到有人尝试破解密钥认证,那确是最高级的红色警报了。

网站证书的情况更糟:公钥的问题正在于它是“公”钥(the public key is really that: public)。所以,从Debian中生成的弱密钥,攻击者可能得到(derive)私钥并建立一个中间人(Man-In-The-Middle)攻击而浏览器中不会有任何问题!实在是太恐怖了,不禁让人猜想,究竟有多少人用Debian生成其SSL密钥?

如Swa所说,有两个基本的可能情况:

* 公钥为众所周知 -> 根本无需暴力破解,攻击者可用私钥进入;
* 找不到公钥 -> 需要暴力破解大概260K的密钥


_________________
Intel Pentium Dual Core 2.1G, 250G, DDRII 3G, ATI Radeon HD 4330
LMDE


页首
 用户资料  
 
2 楼 
 文章标题 :
帖子发表于 : 2008-05-15 21:11 
头像

注册: 2006-03-25 10:36
帖子: 1233
送出感谢: 0 次
接收感谢: 0 次
据说是一个源代码维护人员删除了一个用于生成密钥的种子而造成的。管理问题没有及时发现。?


_________________
让自由的声音传传传传传传传传天下。。。
Spread the words of freedom.


页首
 用户资料  
 
3 楼 
 文章标题 :
帖子发表于 : 2008-05-15 21:19 
头像

注册: 2006-12-23 13:46
帖子: 9203
地址: Azores Islands
送出感谢: 0 次
接收感谢: 1
Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.



It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.


Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected


_________________
no security measure is worth anything if an attacker has physical access to the machine


页首
 用户资料  
 
4 楼 
 文章标题 :
帖子发表于 : 2008-05-15 21:22 
头像

注册: 2006-12-23 13:46
帖子: 9203
地址: Azores Islands
送出感谢: 0 次
接收感谢: 1
http://forum.ubuntu.org.cn/viewtopic.ph ... highlight=

linux一般都是安全升级发布后,漏洞才广为人知。


引用:

Debian and Ubuntu users: fix your keys/certificates NOW
Published: 2008-05-15,
Last Updated: 2008-05-15 12:02:47 UTC
by Bojan Zdrnja (Version: 2)


Couple of days ago Swa posted a diary about a critical Debian/Ubuntu PRNG security vulnerability.

Today Matt wrote in to let us know that H D Moore posted a web page containing all SSH 1024, 2048 and 4096-bit RSA keys he brute forced.

It is obvious that this is highly critical – if you are running a Debian or Ubuntu system, and you are using keys for SSH authentication (ironically, that's something we've been recommending for a long time), and those keys were generated between September 2006 and May 13th 2008 then you are vulnerable. In other words, those secure systems can be very easily brute forced. What's even worse, H D Moore said that he will soon release a brute force tool that will allow an attacker easy access to any SSH account that uses public key authentication.

But this is not all – keep in mind that ANY cryptographic material created on vulnerable systems can be compromised. If you generated SSL keys on such Debian or Ubuntu systems, you will have to recreate the certificates and get them signed again. An attacker can even decrypt old SSH sessions now.

The Debian project guys released a tool that can detect weak keys (it is not 100% correct though as the blacklist in the tool can be incomplete). You can download the tool from http://security.debian.org/project/extr ... owkd.pl.gz.


The bottom line is: this is very, very, very serious and scary. Please check your systems and make sure that you are both patched, and that you regenerated any potentially weak cryptographic material.




There have been some questions if this is related to the increase of SSH attacks we reported about couple of days ago (see http://isc.sans.org/diary.html?storyid=4408). At this point in time we think it is just a coincidence. In any case, you can help us by checking your logs – if the attackers are brute forcing password logins then the attack has nothing to do with this, but if you are seeing key authentication attempts then it is red alert.

The situation with web certificates is even worse – the public key is really that: public. So, for a weak key generated on Debian, an attacker could derive the private key and construct a Man-In-The-Middle attack without any problems in the browser! Very very scary. Makes one wonder how many people used Debian to generate their SSL keys.

As Swa said, there are basically 2 scenarios:

* the public key is known publicly -> no brute force needed, the attackers walk in private key in hand
* the public key isn't found -> brute force of some 260K keys needed.


_________________
no security measure is worth anything if an attacker has physical access to the machine


页首
 用户资料  
 
5 楼 
 文章标题 :
帖子发表于 : 2008-05-15 23:31 
头像

注册: 2008-02-06 13:30
帖子: 172
地址: 浙江嘉兴
送出感谢: 0 次
接收感谢: 0 次
skyx 写道:
http://forum.ubuntu.org.cn/viewtopic.php?t=123850&start=0&postdays=0&postorder=asc&highlight=

linux一般都是安全升级发布后,漏洞才广为人知。


引用:

Debian and Ubuntu users: fix your keys/certificates NOW
Published: 2008-05-15,
Last Updated: 2008-05-15 12:02:47 UTC
by Bojan Zdrnja (Version: 2)


Couple of days ago Swa posted a diary about a critical Debian/Ubuntu PRNG security vulnerability.

Today Matt wrote in to let us know that H D Moore posted a web page containing all SSH 1024, 2048 and 4096-bit RSA keys he brute forced.

It is obvious that this is highly critical – if you are running a Debian or Ubuntu system, and you are using keys for SSH authentication (ironically, that's something we've been recommending for a long time), and those keys were generated between September 2006 and May 13th 2008 then you are vulnerable. In other words, those secure systems can be very easily brute forced. What's even worse, H D Moore said that he will soon release a brute force tool that will allow an attacker easy access to any SSH account that uses public key authentication.

But this is not all – keep in mind that ANY cryptographic material created on vulnerable systems can be compromised. If you generated SSL keys on such Debian or Ubuntu systems, you will have to recreate the certificates and get them signed again. An attacker can even decrypt old SSH sessions now.

The Debian project guys released a tool that can detect weak keys (it is not 100% correct though as the blacklist in the tool can be incomplete). You can download the tool from http://security.debian.org/project/extr ... owkd.pl.gz.


The bottom line is: this is very, very, very serious and scary. Please check your systems and make sure that you are both patched, and that you regenerated any potentially weak cryptographic material.




There have been some questions if this is related to the increase of SSH attacks we reported about couple of days ago (see http://isc.sans.org/diary.html?storyid=4408). At this point in time we think it is just a coincidence. In any case, you can help us by checking your logs – if the attackers are brute forcing password logins then the attack has nothing to do with this, but if you are seeing key authentication attempts then it is red alert.

The situation with web certificates is even worse – the public key is really that: public. So, for a weak key generated on Debian, an attacker could derive the private key and construct a Man-In-The-Middle attack without any problems in the browser! Very very scary. Makes one wonder how many people used Debian to generate their SSL keys.

As Swa said, there are basically 2 scenarios:

* the public key is known publicly -> no brute force needed, the attackers walk in private key in hand
* the public key isn't found -> brute force of some 260K keys needed.


:D


页首
 用户资料  
 
6 楼 
 文章标题 :
帖子发表于 : 2008-05-16 9:35 
头像

注册: 2006-12-23 13:46
帖子: 9203
地址: Azores Islands
送出感谢: 0 次
接收感谢: 1
虽然这次只是一个系统漏洞,并不是算法本身的问题

但任何一个公开密码体制的加密算法,都要求是理论上算法不可逆,但现实中,不可逆算法都存在一个lifeclyce.

这让我想起了几年前md5被我国数学家破解时造成的轰动


SHA-1 added to list of "accomplishments"

TAIPEI—In five years, the U.S. government will cease to use SHA-1 (Secure Hash Algorithm) and convert to a new and more advanced computer data encryption, according to the article "Security Cracked!" from New Scientist . The reason for this change is that 41-years old associate professor Wang Xiaoyun of Beijing's Tsinghua University and Shandong University of Technology has already cracked SHA-1.

According to a Beijing digest, this SHA-1 encryption includes the world's gold standard Message-Digest algorithm 5 (MD5). Before Professor Wang cracked it, the MD5 could only be deciphered by today's fastest supercomputer running codes for more than a million years.

However, professor Wang Xiaoyun, a graduate of Shandong University of Technology's mathematics department, and her research team obtained results by using ordinary personal computers.

In early 2005, Wang and her research team announced that they had succeeded in cracking SHA-1. In addition to the U.S. government, well known companies like Microsoft, Sun, Atmel, and others have also announced that they will no longer be using SHA-1.

Two years ago, Wang convened an international data encryption conference to announce that her team had successfully cracked the four world-class standards of data encryption algorithms of MD5, HAVAL-1 28, MD4 and RIPEMD within 10 years.

A few months later, she then cracked the even more advanced and difficult SHA-1.

According to the article, Hash was Wang's area of research. Hash is the basis of MD5 and SHA-1, the two most extensive data encryption algorithms now used in the world.

These two main algorithms are currently the crucial technology that electronic signatures and many other password securities use throughout the international community. They are widely used in banking, securities, and e-commerce. SHA-1 has been recognized as the cornerstone for modern Internet security.

According to the article, in the early stages of Wang's research, there were other data encryption researchers who tried to crack it. However, none of them succeeded. This is why in 15 years Hash research had become the domain of hopeless research in many scientists' minds.

Wang's method of cracking the encryptions differs from all others. Although encryption analysis usually cannot be done without the use of computers, according to Wang, the computer only assisted in cracking the algorithm. Most of the time, she calculated manually, and manually designed the methods.

Wang said, "Hackers crack passwords with bad intentions. I hope efforts to protect against password theft will benefit [from this]. Password analysts work to evaluate the security of data encryption and to search for even more secure encryption algorithms."

She added, "On the day that I cracked SHA-1, I went out to eat. I was very excited. I knew I was the only person who knew this world-class secret."

Within ten years, Wang cracked the five biggest names in data encryption. Many people would think the life of this scientist must be monotonous. However she said, "That ten years was a very relaxed time for me."

During her work, she bore a daughter and cultivated a balcony full of flowers. The only mathematics related habit in her life is how she remembers the license plates of taxi cabs.

Click here to read the original article in Chinese

Posted by michaelyta at 12:08 AM

Labels: encryption, security, Security Crack, SHA-1

2 comments:

Yozons said...

Whether this story is factual or not, SHA-1 is not used for encryption. It's a hash. In electronic signatures that use digital signature technology, the SHA-1 hash (a "unique" fingerprint of a document, so to speak) is then encrypted using algorithms like RSA.

To "crack" SHA-1 would mean that the researcher could find a substitute data stream (document for most electronic signatures) that would also hash to the same value. Would this alternative document make any sense? This is very unlikely.

If you sign a document that says, "I own you $10." and create an SHA-1 hash (resulting in 20 bytes of data), it would be very tricky to create an alternative that would have any meaning. If the "cracked SHA-1" were "adfakj;jafasdf" it would not matter as that would not be electronically signed. To create a new plaintext that hashes to the same value and makes sense has never been shown.

Further, this "encryption crack" has never shown that given an SHA-1 hash, that the plaintext can be re-created, at least not unless starting with a very well known document.

For example, most contracts are very similar and only change in a few areas, like name, address, quantity, price... Therefore, if you had the hash, you could generate the various combinations of that document, not worrying about the parts that are always the same, and find a matching document.

But in electronic signatures, the plaintext document generally is not a secret, though it could be confidential like most business documents. That is, most people do not hide the content, and many even print them out or store them in the clear because people want to read those contracts. They are not really secret.

But, to forge the digital signature, they'd have to discover the RSA private key (in this example), not SHA-1, as the plaintext is already known.

At any rate, the industry is already moving towards more complex hashing algorithms, but this exploit has yet to be proven to be practical by any stretch of the imagination.
January 19, 2007 6:44 PM
michaelyta said...

Thanks a lot for the information, you make me curious to search more about the subject.

The attack is not trying to crack the digital signature of a document but it is proving that it is not a "fingerprint", it is a "collision attack".

you will find in the below attack note the collision examples for SHA-0 and SHA-1
The examples are not real messages but the attack is not mature yet.

the SHA-1 attack note
http://theory.csail.mit.edu/~yiqun/shanote.pdf

For more information about the attack see the interview with the "attacker",
http://news.zdnet.com/2100-1009_22-5598536.html

For people who need more information about SHA Hash functions:
http://en.wikipedia.org/wiki/SHA-1













引用:
004年8月17日的美国加州圣巴巴拉,正在召开的国际密码学会议(Crypto’2004)安排了三场关于杂凑函数的特别报告。在国际著名密码学家Eli Biham和Antoine Joux相继做了对SHA-1的分析与给出SHA-0的一个碰撞之后,来自山东大学的王小云教授做了破译MD5、HAVAL-128、 MD4和RIPEMD算法的报告。在会场上,当她公布了MD系列算法的破解结果之后,报告被激动的掌声打断。王小云教授的报告轰动了全场,得到了与会专家的赞叹。报告结束时,与会者长时间热烈鼓掌,部分学者起立鼓掌致敬,这在密码学会议上是少见的盛况。王小云教授的报告缘何引起如此大的反响?因为她的研究成果作为密码学领域的重大发现宣告了固若金汤的世界通行密码标准MD5的堡垒轰然倒塌,引发了密码学界的轩然大波。会议总结报告这样写道:“我们该怎么办?MD5被重创了;它即将从应用中淘汰。SHA-1仍然活着,但也见到了它的末日。现在就得开始更换SHA-1了。”

关键词:碰撞=漏洞=别人可以伪造和冒用数字签名。
Hash函数与数字签名(数字手印)
HASH函数,又称杂凑函数,是在信息安全领域有广泛和重要应用的密码算法,它有一种类似于指纹的应用。在网络安全协议中,杂凑函数用来处理电子签名,将冗长的签名文件压缩为一段独特的数字信息,像指纹鉴别身份一样保证原来数字签名文件的合法性和安全性。在前面提到的SHA-1和MD5都是目前最常用的杂凑函数。经过这些算法的处理,原始信息即使只更动一个字母,对应的压缩信息也会变为截然不同的“指纹”,这就保证了经过处理信息的唯一性。为电子商务等提供了数字认证的可能性。
安全的杂凑函数在设计时必须满足两个要求:其一是寻找两个输入得到相同的输出值在计算上是不可行的,这就是我们通常所说的抗碰撞的;其二是找一个输入,能得到给定的输出在计算上是不可行的,即不可从结果推导出它的初始状态。现在使用的重要计算机安全协议,如SSL,PGP都用杂凑函数来进行签名,一旦找到两个文件可以产生相同的压缩值,就可以伪造签名,给网络安全领域带来巨大隐患。
MD5就是这样一个在国内外有着广泛的应用的杂凑函数算法,它曾一度被认为是非常安全的。然而,王小云教授发现,可以很快的找到MD5的“碰撞”,就是两个文件可以产生相同的“指纹”。这意味着,当你在网络上使用电子签名签署一份合同后,还可能找到另外一份具有相同签名但内容迥异的合同,这样两份合同的真伪性便无从辨别。王小云教授的研究成果证实了利用MD5算法的碰撞可以严重威胁信息系统安全,这一发现使目前电子签名的法律效力和技术体系受到挑战。因此,业界专家普林斯顿计算机教授Edward Felten等强烈呼吁信息系统的设计者尽快更换签名算法,而且他们强调这是一个需要立即解决的问题。

国际讲坛 王氏发现艳惊四座
面对Hash函数领域取得的重大研究进展,Crypto 2004 会议总主席StorageTek高级研究员Jim Hughes 17 日早晨表示,此消息太重要了,因此他已筹办该会成立24年来的首次网络广播(Webcast )。Hughes在会议上宣布:“会中将提出三份探讨杂凑碰撞(hash collisions )重要的研究报告。”其中一份是王小云等几位中国研究人员的研究发现。17日晚,王小云教授在会上把他们的研究成果做了宣读。这篇由王小云、冯登国、来学嘉、于红波四人共同完成的文章,囊括了对MD5、HAVAL-128、 MD4和RIPEMD四个著名HASH算法的破译结果。在王小云教授仅公布到他们的第三个惊人成果的时候,会场上已经是掌声四起,报告不得不一度中断。报告结束后,所有与会专家对他们的突出工作报以长时的热烈掌声,有些学者甚至起立鼓掌以示他们的祝贺和敬佩。当人们掌声渐息,来学嘉教授又对文章进行了一点颇有趣味的补充说明。由于版本问题,作者在提交会议论文时使用的一组常数和先行标准不同;在会议发现这一问题之后,王小云教授立即改变了那个常数,在很短的时间内就完成了新的数据分析,这段有惊无险的小插曲倒更加证明了他们论文的信服力,攻击方法的有效性,反而凸显了研究工作的成功。
会议结束时,很多专家围拢到王小云教授身边,既有简短的探讨,又有由衷的祝贺,褒誉之词不绝。包含公钥密码的主要创始人R. L. Rivest和A. Shamir在内的世界顶级的密码学专家也上前表示他们的欣喜和祝贺。
国际密码学专家对王小云教授等人的论文给予高度评价。
MD5的设计者,同时也是国际著名的公钥加密算法标准RSA的第一设计者R.Rivest在邮件中写道:“这些结果无疑给人非常深刻的印象,她应当得到我最热烈的祝贺,当然,我并不希望看到MD5就这样倒下,但人必须尊崇真理。”
Francois Grieu这样说:“王小云、冯登国、来学嘉和于红波的最新成果表明他们已经成功破译了MD4、MD5、HAVAL-128、RIPEMD-128。并且有望以更低的复杂度完成对SHA-0的攻击。一些初步的问题已经解决。他们赢得了非常热烈的掌声。”
另一位专家Greg Rose如此评价:“我刚刚听了Joux和王小云的报告,王所使用的技术能在任何初始值下用2^40次hash运算找出SHA-0的碰撞。她在报告中对四种HASH函数都给出了碰撞,她赢得了长时间的起立喝彩,(这在我印象中还是第一次)。…… 她是当今密码学界的巾帼英雄。……(王小云教授的工作)技术虽然没有公开,但结果是无庸质疑的,这种技术确实存在。…… 我坐在Ron Rivest前面,我听到他评论道:‘我们不得不做很多的重新思考了。’”

石破惊天 MD5堡垒轰然倒塌
一石击起千层浪,MD5的破译引起了密码学界的激烈反响。专家称这是密码学界近年来“最具实质性的研究进展”,各个密码学相关网站竞相报导这一惊人突破。
MD5破解专项网站关闭
MD5破解工程权威网站http://www.md5crk.com/ 是为了公开征集专门针对MD5的攻击而设立的,网站于2004年8月17日宣布:“中国研究人员发现了完整MD5算法的碰撞;Wang, Feng, Lai与Yu公布了MD5、MD4、HAVAL-128、RIPEMD-128几个 Hash函数的碰撞。这是近年来密码学领域最具实质性的研究进展。使用他们的技术,在数个小时内就可以找到MD5碰撞。……由于这个里程碑式的发现, MD5CRK项目将在随后48小时内结束”。
对此,http://www.readyresponse.org主页专门转载了该报道http://www.aspenleaf.com/distributed/distrib-recent.html和几个其它网站也进行了报道。
权威网站相继发表评论或者报告这一重大研究成果
经过统计,在论文发布两周之内,已经有近400个网站发布、引用和评论了这一成果。国内的许多新闻网站也以“演算法安全加密功能露出破绽密码学界一片哗然”为题报道了这一密码学界的重大事件。(报导见http: //www.technewsworld.com/perl/board/mboard.pl?board=lnitalkback&thread =895&id=896&display=1&tview=expanded&mview=flat,该消息在各新闻网站上多次转载。)

东方神韵  MD5终结者来自中国
MD5破解工作的主要成员王小云教授是一个瘦弱、矜持的女子,厚厚的镜片透射出双眸中数学的灵光。她于1990年在山东大学师从著名数学家潘承洞教授攻读数论与密码学专业博士,在潘先生、于秀源、展涛等多位著名教授的悉心指导下,她成功将数论知识应用到密码学中,取得了很多突出成果,先后获得863项目资助和国家自然科学基金项目资助,并且获得部级科技进步奖一项,撰写论文二十多篇。王小云教授从上世纪90年代末开始进行HASH函数的研究,她所带领的于红波、王美琴、孙秋梅、冯骐等组成的密码研究小组,同中科院冯登国教授,上海交大来学嘉等知名学者密切协作,经过长期坚持不懈的努力,找到了破解HASH 函数的关键技术,成功的破解了MD5和其它几个HASH函数。
近年来她的工作得到了山东大学和数学院领导的大力支持,特别投资建设了信息安全实验室。山东大学校长展涛教授高度重视王小云教授突出的科研成果。 2004年6月山东大学领导听取王小云教授的工作介绍后,展涛校长亲自签发邀请函邀请国内知名信息安全专家参加2004年7月在威海举办的“山东大学信息安全研究学术研讨会”,数学院院长刘建亚教授组织和主持了会议,会上王小云教授公布了MD5等算法的一系列研究成果,专家们对她的研究成果给予了充分的肯定,对其坚持不懈的科研态度大加赞扬。一位院士说,她的研究水平绝对不比国际上的差。这位院士的结论在时隔一个月之后的国际密码会上得到了验证,国外专家如此强烈的反响表明,我们的工作可以说不但不比国际上的差,而且是在破解HASH函数方面已领先一步。加拿大CertainKey公司早前宣布将给予发现 MD5算法第一个碰撞人员一定的奖励,CertainKey的初衷是利用并行计算机通过生日攻击来寻找碰撞,而王小云教授等的攻击相对生日攻击需要更少的计算时间。

数字认证 你的未来不是梦
由于MD5的破译,引发了关于MD5产品是否还能够使用的大辩论。在麻省理工大学Jeffrey I. Schiller教授主持的个人论坛上,许多密码学家在标题为“Bad day at the hash function factory”的辩论中发表了具有价值的意见(http: //jis.mit.edu/pipermail/saag/2004q3/000913.html)。这次国际密码学会议的总主席Jimes Hughes发表评论说“我相信这(破解MD5)是真的,并且如果碰撞存在,HMAC也就不再是安全的了,…… 我认为我们应该抛开MD5了。” Hughes建议,程序设计人员最好开始舍弃MD5。他说:“既然现在这种算法的弱点已暴露出来,在有效的攻击发动之前,现在是撤离的时机。”
同样,在普林斯顿大学教授Edwards Felton的个人网站(http://www.freedom-to-tinker.com/archives/000664.html)上,也有类似的评论。他说:“留给我们的是什么呢?MD5已经受了重伤;它的应用就要淘汰。SHA-1仍然活着,但也不会很长,必须立即更换SHA-1,但是选用什么样的算法,这需要在密码研究人员达到共识。”
密码学家Markku-Juhani称“这是HASH函数分析领域激动人心的时刻。(http://www.tcs.hut.fi/~mjos/md5/)”
而著名计算机公司SUN的LINUIX专家Val Henson则说:“以前我们说"SHA-1可以放心用,其他的不是不安全就是未知", 现在我们只能这么总结了:"SHA-1不安全,其他的都完了"。
针对王小云教授等破译的以MD5为代表的Hash函数算法的报告,美国国家技术与标准局(NIST)于2004年8月24日发表专门评论,评论的主要内容为:“在最近的国际密码学会议(Crypto 2004)上,研究人员宣布他们发现了破解数种HASH算法的方法,其中包括MD4,MD5,HAVAL-128,RIPEMD还有 SHA-0。分析表明,于1994年替代SHA-0成为联邦信息处理标准的SHA-1的减弱条件的变种算法能够被破解;但完整的SHA-1并没有被破解,也没有找到SHA-1的碰撞。研究结果说明SHA-1的安全性暂时没有问题,但随着技术的发展,技术与标准局计划在2010年之前逐步淘汰SHA-1,换用其他更长更安全的算法(如SHA-224、SHA-256、SHA-384和SHA-512)来替代。”
详细评论见:http://csrc.nist.gov/hash_standards_comments.pdf
2004年8月28日,十届全国人大常委会第十一次会议表决通过了电子签名法。这部法律规定,可靠的电子签名与手写签名或者盖章具有同等的法律效力。电子签名法的通过,标志着我国首部“真正意义上的信息化法律”已正式诞生,将于2005年4月1日起施行。专家认为,这部法律将对我国电子商务、电子政务的发展起到极其重要的促进作用。王小云教授的发现无异于发现了信息化天空的一个惊人黑洞。我们期待着王小云教授和她的团队能够成就“女娲补天”的壮举,为人类的信息化之路保驾护航。


_________________
no security measure is worth anything if an attacker has physical access to the machine


页首
 用户资料  
 
7 楼 
 文章标题 :
帖子发表于 : 2008-05-16 13:18 
头像

注册: 2007-03-13 17:26
帖子: 2254
送出感谢: 0 次
接收感谢: 1
我看的不太明白,,这是 openssl 的漏洞还是什么?

ssh-keygen -t rsa 产生出的 rsa 密钥对有问题? 别人知道 公钥后能破解出私钥?
那 -t dsa 的有没有问题?

openssl aes-256-ecb 这个没问题吧?

也跟 gpg 的密钥对没关系吧?


页首
 用户资料  
 
8 楼 
 文章标题 :
帖子发表于 : 2008-05-16 13:41 
头像

注册: 2006-10-25 18:10
帖子: 2677
地址: 长沙
送出感谢: 0 次
接收感谢: 0 次
我如何知道我已经有了哪些密钥,我如何重新生成这些密钥?


_________________
你是自由的。别人也是。


页首
 用户资料  
 
显示帖子 :  排序  
发表新帖 回复这个主题  [ 8 篇帖子 ] 

当前时区为 UTC + 8 小时


在线用户

正在浏览此版面的用户:Sogou [Spider] 和 1 位游客


不能 在这个版面发表主题
不能 在这个版面回复主题
不能 在这个版面编辑帖子
不能 在这个版面删除帖子
不能 在这个版面提交附件

前往 :  
本站点为公益性站点,用于推广开源自由软件,由 DiaHosting VPSBudgetVM VPS 提供服务。
我们认为:软件应可免费取得,软件工具在各种语言环境下皆可使用,且不会有任何功能上的差异;
人们应有定制和修改软件的自由,且方式不受限制,只要他们自认为合适。

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
简体中文语系由 王笑宇 翻译