Now that SHA-1 is cracked...

Archived from groups: microsoft.public.exchange2000.connectivity,microsoft.public.inetserver.iis,microsoft.public.inetserver.iis.security,microsoft.public.windows.server.security,microsoft.public.windowsxp.security_admin (More info?)

Hi,

Now that SHA-1 is cracked I am wondering how is MS dealing with this? I am
wondering how do I create a new SSL certificate with SHA-256 or 512. Cant
seem to create one for IIS.

G.

Archived from groups: microsoft.public.exchange2000.connectivity,microsoft.public.inetserver.iis,microsoft.public.inetserver.iis.security,microsoft.public.windows.server.security,microsoft.public.windowsxp.security_admin (More info?)

In news:u5NlDBFGFHA.1084@tk2msftngp13.phx.gbl,
Matt Gibson <mattg@blueedgetech.ca> had this to say:


> SHA-1 Is not "Cracked"
>
> Read before you panic and spread FUD.
>
> Matt Gibson - GSEC

From Google:

SHA-1 cracked!:
http://www.techspot.com/story17011.html

Perhaps the OP has been reading the news?

Galen
--

"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes

Archived from groups: microsoft.public.exchange2000.connectivity,microsoft.public.inetserver.iis,microsoft.public.inetserver.iis.security,microsoft.public.windows.server.security,microsoft.public.windowsxp.security_admin (More info?)

In news:MPG.1c8456109ec808b8989ba7@msnews.microsoft.com,
Paul Adare <padare@newsguy.com> had this to say:

> Irresponsible journalism at its worst, and you obviously don't know
> enough about cryptography to understand the issues here. SHA-1 has
> not been cracked, the researchers have simply determined that rather
> than finding collisions in 2*80 they can find them with 2*69. While
> that is 2048 times easier to find a collision, SHA-1 has not been
> cracked at all. I'd suggest that rather than reading the news you
> spend some time researching cryptography.

How snide... At what point did I say that I knew anything about
cryptography??? I think, if you look at my post, all I did was point to
where the OP had gotten the information. I made no comment of the veracity
of the post, the news, nor of Matt's statement. In fact, having read a great
deal of Matt's posts in the past I tend to trust what he says. My post was
only referring to the origin of the OP's post.

Galen
--

"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes

Archived from groups: microsoft.public.exchange2000.connectivity,microsoft.public.inetserver.iis,microsoft.public.inetserver.iis.security,microsoft.public.windows.server.security,microsoft.public.windowsxp.security_admin (More info?)

In news:MPG.1c846b0c84d65075989ba8@msnews.microsoft.com,
Paul Adare <padare@newsguy.com> had this to say:


> My apologies. I meant to follow up to the OP and not to your post. Had
> the wrong one selected when I posted.

Certainly and happily accepted and understood. Your statement were correct
as it's not "cracked" just shows that there's a vulnerability that COULD (in
theory) be exploited eventually with the computers of today if I'm reading
properly. The concept is theory and the papers have not been examined by the
general community. I hope, for the 'net's sake, that if the papers are
released that they are incorrect. I do believe in full disclosure under some
circumstances, this is not one of them. I enjoy the comfort of shopping
online a bit too much and often spend a great deal of money online. My post,
I too should apologize, should have been more clear as it was in support of
Matt's statement. It was my thought at the time that people might click on
the link and read, from there they'd hopefully find out that theoretically
there's a vulnerability and that there's nothing to be concerned about at
this time and that the OP was indeed spreading FUD originally generated by
an over-eager sky-is-falling media.

In response, in theory, there's a potential vulnerability in everything you
do online or off but in an effort to not wax philosophical I'll leave it at
that. The only secure transaction is one that you make in person with cash
and even then you might be getting ripped off. The only secure computer is
one that isn't capable of being turned on. Everything else has a potential
risk be it obscure or minimal there is always a risk. With one of my
favorite quotes I will leave this... I'm not sure if it's attributable to
anyone specifically. "Security is not an application, it's a process." If
anyone knows who that should be attributed to please feel free to drop the
name off (and hopefully some sort of evidence that it was that person) in a
later post as this has been a nagging thought.

Galen

--

"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes

Archived from groups: microsoft.public.exchange2000.connectivity,microsoft.public.inetserver.iis,microsoft.public.inetserver.iis.security,microsoft.public.windows.server.security,microsoft.public.windowsxp.security_admin (More info?)

Matt Gibson wrote:
<snip A and B>
> C) Say the paper is right, and they can now break SHA-1 in ~2^53
attempts.
> What does this mean to most people? Nothing. With these attacks,
you
> cannot just get "I will give you 1 million dollars" to "I will give
you 10
> million dollars". You'd have a better chance of getting
"09sdfkj3uih3wi8"
> to hash to the same value.

Certainly true--this alleged vulnerability has no measurable effect on
signed messages. However and unfortunately, some applications use
SHA-1 as a more basic building block of their security. The most
common example, of course, is storing the hash of a password in an
accessible xml file, and authenticating the user if a hash of his input
matches the hash in the xml file. Assuming that the Chinese can do
everything they claim, and that the padding problem can likewise be
overcome, these collisions surely reduce the security of such
applications by the advertised amount.

Archived from groups: microsoft.public.exchange2000.connectivity,microsoft.public.inetserver.iis,microsoft.public.inetserver.iis.security,microsoft.public.windows.server.security,microsoft.public.windowsxp.security_admin (More info?)

On Mon, 21 Feb 2005 14:34:15 -0500, "George Spiro" <spam@spam.com>
wrote:

>Now that SHA-1 is cracked I am wondering how is MS dealing with this? I am
>wondering how do I create a new SSL certificate with SHA-256 or 512. Cant
>seem to create one for IIS.

Nice troll. Your answer is "you can't".

Jeff