
Tag: Cryptographic Hash

The hijacking flaw that lurked in Intel chips is worse than...

Patch for severe authentication bypass bug won’t be available until next week.

Google kills SHA-1 with successful collision attack

It's official: The SHA-1 cryptographic algorithm has been "SHAttered." Google successfully broke SHA-1. Now what? After years of warning that advances in modern computing meant a successful collision attack against SHA-1 was imminent, a team of researchers from Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands has produced the first SHA-1 collision.
In practical terms, SHA-1 should not be relied upon for security. Modern cryptographic hash functions depend on it being infeasible to find two different files that produce the same hash.

A hash collision refers to having two separate files with the same hash.

The fact that cryptographic weaknesses in SHA-1 make certificates using the SHA-1 algorithm potentially vulnerable to collision attacks is well-known.

The National Institute of Standards and Technology deprecated SHA-1 more than five years ago, and experts have long been urging organizations to switch to stronger hash algorithms. Up until now, the only thing going for SHA-1 was the fact that collision attacks were still expensive and theoretical.

First Practical SHA-1 Collision Attack Arrives

Researchers unveiled the first-ever practical collision attack against the cryptographic hash function SHA-1.

At death’s door for years, widely used SHA1 function is now...

Algorithm underpinning Internet security falls to first-known collision attack.

Encryption in 2016: Small victories add up

Technology development seems to gallop a little faster each year.

But there's always one laggard: encryption. Why the deliberate pace? Because a single, small mistake can cut off communications or shut down businesses. Yet there are times when you take stock—only to discover the encryption landscape seems to have transformed overnight. Now is that time.

Although the changes have been incremental over several years, the net effect is dramatic. Some of those changes began shortly after Edward Snowden's disclosures of the U.S. government’s extensive surveillance apparatus. Others are the natural result of cryptographic ideas reaching the marketplace, says Brent Waters, an associate professor at the University of Texas at Austin and the recipient of the Association for Computing Machinery’s 2015 Grace Murray Hopper Award. “Many of the new tools and applications available are based on research innovations from 2005 and 2006,” Waters says. “We are just realizing what type of crypto functionality is possible.”

A step closer to an encrypted world

Encrypted web traffic is the first step toward a more secure online world where attackers cannot intercept private communications, financial transactions, or general online activity. Many sites, including Google and Facebook, have turned HTTPS on by default for all users. But for most domain owners, buying and deploying SSL/TLS certificates in order to secure traffic to their sites has been a costly and complicated endeavor. Fortunately, Let’s Encrypt and its free SSL/TLS certificates have transformed the landscape, giving domain owners the tools to turn on HTTPS for their websites easily.

A nonprofit certificate authority run by the Internet Security Research Group, Let’s Encrypt is backed by such internet heavyweights as Mozilla, the Electronic Frontier Foundation, Cisco, and Akamai.

How ubiquitous has HTTPS become? In October, Josh Aas, head of Let’s Encrypt and former Mozilla employee, posted a graph from Mozilla Telemetry showing that 50 percent of pages loaded that day used HTTPS, not HTTP. While the graph showed only Firefox users, the figure is still significant, because for the first time, the number of encrypted pages outnumbered unencrypted pages. NSS Labs expects the trend to continue, predicting that 75 percent of all Web traffic will be encrypted by 2019. Free certificate offerings will further accelerate adoption. By next year, the number of publicly trusted free certificates issued will likely outnumber those that are paid for, says Kevin Bocek, vice president of security strategy and threat intelligence at key-management company Venafi. Many enterprises will also start using free services. With certificate cost no longer a consideration, certificate authorities will focus on better tools to securely manage certificates and protect their keys.

Speaking of certificate management, after years of warnings that SHA-1 certificates were weak and vulnerable to attack, enterprises are making steady progress toward upgrading to certificates that use SHA-2, the set of cryptographic hash functions succeeding the obsolete SHA-1 algorithm. Major browser makers, including Google, Mozilla, and Microsoft, have pledged to deprecate SHA-1 by the beginning of the year and to start blocking sites still using the older certificates.

Facebook stopped serving SHA-1 connections and saw “no measurable impact,” wrote Facebook production engineer Wojciech Wojtyniak. From May to October 2016, the use of SHA-1 on the web fell from 3.5 percent to less than 1 percent, as measured by Firefox Telemetry.

Enterprises can’t be complacent, though, since recent estimates from Venafi suggest approximately 60 million websites still rely on the insecure encryption algorithm. “We look forward to the industry's movement toward greater use of stronger certificates like SHA-256,” Wojtyniak said.

Crypto is still king

Cryptography has taken quite a beating over the past few months, with researchers developing cryptographic attacks such as Drown, which can be used to decrypt TLS connections between a user and a server if the server supports SSLv2, and Sweet32, a way to attack encrypted web connections by generating huge amounts of web traffic. Nation-state actors also have encryption in their crosshairs. Late last year, Juniper Networks uncovered spying code implanted in specific models of its firewall and Virtual Private Network appliances. Many experts believe the NSA was involved. Shortly after the cache of hacking tools allegedly belonging to the NSA made its way to underground markets this summer, Cisco discovered a vulnerability in its IOS, IOS XE, and IOS XR software that powers many of its networking devices.

The flaw, which could be used to extract sensitive information from device memory, was similar to the vulnerability exploited by the tools and was related to how the operating system processed the key exchange protocol for VPNs, Cisco said. Even Apple’s iMessage app, the poster child for how companies can bring end-to-end encryption to the masses, had its share of issues.

Cryptography professor Matthew Green and his team of students at Johns Hopkins University were able to develop a practical adaptive chosen ciphertext attack that could decrypt iMessage payloads and attachments under specific circumstances.

The team also found that iMessage lacked the forward secrecy mechanism, meaning attackers could decrypt previously encrypted messages, such as those stored in iCloud.

Forward secrecy works by generating a new key after a set period of time so that even if the attackers obtained the original key, the previously encrypted messages can’t be cracked. One thing remains clear despite all the bad news: Cryptography is not broken.

The mathematics behind cryptographic calculations remain strong, and encryption is still the best way to protect information. “The latest attacks have not been on the math, but on the implementation,” Waters says. In fact, encryption works so well that attackers rely on it, too.

Criminals are equally as capable of obtaining keys and certificates to hide their activities inside encrypted traffic.

The fact that this attack vector is fast becoming default behavior for cybercriminals “almost counteracts the whole purpose of adding more encryption,” Bocek says. Cybercriminals are using encryption to great effect in ransomware. Once the files are encrypted, victims have to either pay up to obtain a key or wipe their systems and start over. Just as attackers target flawed implementations, security researchers have successfully developed decryption tools for ransomware variants that contained mistakes in their encryption code.

Government backs down on backdoors

Technology firms have always had to balance security and privacy concerns with law enforcement requests for user information.

FBI Director James Comey had been pushing hard for backdoors in technology products using encryption, claiming that increased use of encryption was hindering criminal investigations. While companies frequently cooperate quietly with law enforcement and intelligence requests, the unprecedented public showdown between the FBI and Apple showed that in recent years, enterprises are beginning to push back. The FBI backed down in that fight, and a bipartisan Congressional working group—with members of both House Judiciary and Energy & Commerce Committees—was formed to study the encryption problem.

The House Judiciary Committee’s Encryption Working Group unequivocally rejected Comey's calls for backdoors and advised the United States to explore other solutions. “Any measure that weakens encryption works against the national interest,” the working group wrote in its report. “Congress cannot stop bad actors—at home or overseas—from adopting encryption.

Therefore, the Committees should explore other strategies to address the needs of the law enforcement community.” Weakening encryption so that police can break into encrypted devices would speed up criminal investigations, but it would be a short-term win "against the long-term impacts to the national interest," the working group warned.

Alternative strategies include giving law enforcement legal methods to compel suspects to unlock their devices and improving metadata collection and analysis. While the working group report indicates Congress will not pursue legal backdoors, other encryption-related battles are looming on the horizon.

The report seemed to support letting police use "legal hacking" to break into products using software vulnerabilities that only law enforcement and intelligence authorities know about, which poses its own security implications.

The technology industry has an interest in learning about vulnerabilities as soon as they are found, and not letting the government stockpile them with no oversight. As for Comey's "going dark" claim, the working group said “the challenge appears to be more akin to ‘going spotty.’”

Adding to the enterprise tech stack

Governments have been trotting out the terrorists “going dark” argument for years and will always play on those fears, says Mike Janke, co-founder and chairman of encrypted communications company Silent Circle. What's changing is that the enterprises are becoming more serious about securing their communications stack and are less willing to compromise on those features. Many organizations were shocked at the extent of government surveillance exposed by former NSA contractor Edward Snowden.

They reacted by integrating secure video and text messaging tools along with encrypted voice calls into the enterprise communications stack, Janke says.

Encryption is now a bigger part of the technology conversation, as enterprises ask about what features and capabilities are available.
IT no longer treats encryption as an added feature to pay extra for, but as a must-have for every product and platform they work with. Consumers were outraged by the surveillance programs, and anecdotal evidence indicates many have signed up for encrypted messaging apps such as WhatsApp and Signal.

But for the most part, they aren't paying for secure products or changing their behaviors to make privacy a bigger part of their daily lives. The change is coming from CSOs, vice presidents of engineering, and other technical enterprise leaders, because they're at the forefront of making security and privacy decisions for their products and services. With Tesla now digitally signing firmware for every single one of its internal components with a cryptographic key, it's easier to ask TV manufacturers or toymakers, "Why aren't you doing that?" says Janke. Consumers are the ones who will benefit from encryption built in by default as enterprises change their mindset about the importance of encryption.

Riding the innovation wave

Cryptography tends to go in waves, with important innovations and research from 2005 to 2006 finally coming out as practical applications. Researchers are currently looking at improving the "precision of encryption," instead of the current model of all or nothing, where if something is exposed, everything gets leaked. "Encryption can be precise like a scalpel, giving fine-grained control over the information," Waters says. Google has looked at cryptography in its experiments with neural networks. Recently, its Google Brain team created two artificial intelligence systems that were able to create their own cryptographic algorithm in order to keep their messages a secret from a third AI instance that was trying to actively decrypt the algorithms. The dawn of quantum computing will also spur new avenues of research. “If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use,” wrote the National Institute of Standards and Technology in a public notice. Once such machines become widely available, “this would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere."
To prepare for that eventuality, NIST is soliciting work on "new public-key cryptography standards," which will "specify one or more additional unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms that are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers.” The submission deadline is Nov. 30, 2017, but NIST acknowledges the work will take years to be tested and available, noting that "historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure." “Regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing,” NIST said. There have been a number of intriguing advances in cryptography, but it will likely be years before they become available to enterprise IT departments, and who knows what form they will take.

The future of cryptography promises even more security.

The good news is we are already experiencing some of the benefits now.

Security! experts! slam! Yahoo! management! for! using! old! crypto!

Suits should have done more to protect users, rather than user numbers

Analysis Fallen web giant Yahoo! has been branded negligent for failing to tackle the prodigious challenge of upgrading its MD5 password security before some one billion accounts were stolen. The security-battered organisation revealed today that attackers had stolen more than a billion accounts in August 2013 in history's biggest breach. Hackers stole names, addresses, phone numbers, and MD5 hashed passwords in a coup for social engineers who could use the information to compromise the very identity of users. That eye-watering news followed the company's September admission that 500 million accounts had been stolen in separate attacks by alleged state-sponsored hackers in 2014, an incident that came two years after staff became first aware of the hack. Yahoo! has since replaced its MD5 hashing with the far superior bcrypt, moving from the world's worst password protection mechanism to the best. Yet it is little comfort for those who use legitimate personal details when signing up to Yahoo!'s service, including scores of American subscribers to major cable and DSL telcos including AT&T, which uses Yahoo! for its default email services, along with Kiwi carrier Spark, which ditched the service in September. It is not known if the MD5 hashes were salted, since Yahoo! did not mention the critical additive in its statement.

Doing so would mitigate much of the risk of using MD5, says Jeffrey Goldberg, security guru at AgileBits, makers of the 1Password credential vault. "What is most important is whether the hashes, be they MD5, SHA1, or SHA256, are salted," Goldberg says. "There is absolutely no excuse to use unsalted hashes." But that the Purple Palace was even using the algorithm has drawn steep criticism from established security boffins. "The MD5 hashing algorithm has been considered not just insecure, but broken, for two decades," says Ty Miller, director of Sydney-based security firm Threat Intelligence, noting that MD5 collision vulnerabilities were found in 1996 with practical attacks developed in 2005. "I consider it negligent of an organisation such as Yahoo!, which has an obligation to protect the private data of over one billion users, to be using such an outdated and ineffective control to protect the passwords of its customers." The gossamer thin algorithm is a joke in security circles. Rainbow table databases serve as directories that transform hashes into cleartext passwords, and the internet is now littered with free and paid services that can reveal logins within seconds.

David Taylor, principal security consultant with Perth-based Asterisk Information Security, offered a similar opinion: "Yes, it would be pretty poor form on their part [to be] still using MD5 for hashing in 2013," he says. "There have been numerous issues reported for MD5 dating back to the mid 2000s." Board director with the lauded Open Web Application Security Project (OWASP) Andrew van der Stock, also chief technology officer at Threat Intelligence, is an advocate of baking security into the development process and sees shortcomings in Yahoo!'s security models. "This breach clearly shows that Yahoo!'s previous approach to security was less than ideal, and it's obvious that the Paranoids (Yahoo!'s security team) were unable to move the needle sufficiently with management to upgrade password hashing from an outdated and insecure algorithm to something more modern and acceptable," he says. "That it (MD5) is still commonly found in many of the worst breaches is an indication that the continued use of MD5 is correlated with other poor security practices." The breach comes at a notably poor time for Yahoo!: The company will soon be acquired by Verizon, possibly at a damaged-goods discount, and is conducting a security recruitment drive in Australia in a bid to attract local security talent, van der Stock says. "We all understand that without a complete revamp of senior management support for security and alignment with customer desires for privacy and security of their data, there is no point in taking on a position at Yahoo!," he says.

Take this with a pinch of salt

Administrators were salting password hashes in the 1980s, but many still fail to apply the complexity additive today.

The cryptography measure introduces random data into one-way functions preventing the use of rainbow tables by ensuring identical passwords have unique hashes. Goldberg points to the 2012 breach at LinkedIn to demonstrate the importance of salting, something the security boffin wrote about at the time. "LinkedIn had used SHA1, an improvement over MD5 in general, but it really didn’t matter that it was SHA1 instead of MD5," Goldberg tells The Register. "What mattered is that it was not salted.
I argued in 2012 that it was irresponsible for LinkedIn to have used unsalted hashes, and so that certainly applies to Yahoo! using unsalted hashes in 2013, if indeed, their hashes were unsalted." Put simply, a bland salt-free password earns the "contempt" of Goldberg and his kin, while the use of slow hashes like bcrypt, PBKDF2, or the upcoming Argon2 wins their praise. Attackers can guess salted passwords, whereas bcrypt and friends slow the rate at which those guesses can be made. "With a simple cryptographic hash function [like] SHA256, MD5, etcetera, an attacker might be able to make 10 million guesses per second on a single hash.

But with the 'slow hashing' functions, that might be reduced to a few tens of thousands of guesses per second," he says. The decreased rate gives users a window to change their passwords; yet even that may not have helped Yahoo! "But after four years, the details of the hashing scheme don’t really matter.

Any guessable password will have been guessed by now," he says.

Not easy

Yahoo!, like so many other companies offering free technology services, wants to attract the highest possible number of subscribers and has been criticised for perceived attempts to kneecap fleeing users. That mindset may have dissuaded the company from more efficiently jettisoning MD5 hashing for passwords prior to the 2013 pillaging. "The only practical way to speed up the conversion process (to bcrypt) is to force a password reset, maybe across the board, but more likely on a web property by web property basis," says Kenneth White, noted cryptologist and director of the Open Crypto Audit Project. "And therein lies the problem: there is often a very real tension between the business to be able to claim the highest user count, versus the reality that a years-old email reminds millions of people to log in to an account they had long ago forgotten."

[Image: Using Yahoo! to find Yahoo! MD5 hashes, here revealing 'Password1'. Image: Ty Miller.]

An email shipped to users asking them to log in so their passwords may be upgraded from MD5 hashing to bcrypt risks a "virtually overnight mass exodus of users" and a social media complaint storm that sends more rats from the burning Palace, he says. Bcrypt is a deliberately slow hashing function designed to throttle password-guessing attempts while keeping the overhead for legitimate logins modest, and is favoured, along with PBKDF2 (Miller prefers the latter with hashes bearing 100,000 iterations), by each of the security boffins The Register has spoken to for this story, and many more in the broader security community including OWASP. Yet migrating to the top notch function is not as simple as just "switching to bcrypt", White says. A bootstrapping process can be followed, but it requires users to log in for bcrypt or PBKDF2 to be called and saved to a new column. Moreover, White says Yahoo! is a patchwork of web properties bearing decades-old Perl, PHP, and C code and so cannot be compared to the ease of upgrading a purpose-built modern web app. "Consider the legacy managed business mail systems," White says. "The myriad e-commerce shopping cart apps, ad accounts, to say nothing of Flickr, Yahoo! IM, and the hundreds of millions of webmail users who hadn't logged in for years, and you begin to see the scope of the engineering challenge." Van der Stock, acknowledging his outsider's position, reckons Yahoo! should immediately deploy two factor verification for all of its services, and again reset passwords, noting that the use of mere usernames and passwords puts users at "serious risk" and that leaving accounts exposed would be a "serious breach of trust". Yahoo! could take a leaf from Microsoft's Xbox Live endeavours and deploy similar authentication smarts, if it has not already done so.

"… I would strongly recommend some sort of real time authentication intelligence around compromised accounts, so that the authentication system itself assigns a risk score to logins to ensure that unusual patterns of abuse, such as brute force attacks, logging in from a distant country, or popping out of multiple IPs is blocked or alerted to the user for further action." Burning questions remain, not least how it took the technology giant three years to disclose that such a massive share of its accounts have been breached. "It's baffling why it's taken so long to fully scope and disclose the extent of their breach," White says. ®
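The salting and slow-hashing points Goldberg makes above, and the log-in-time bootstrapping migration White describes, in working form. This is an added example, not code from The Register, Yahoo! or any of the people quoted: the hex MD5 record format, the in-memory user store, the `login_and_upgrade` name and the 100,000-iteration PBKDF2 setting (taken from Miller's stated preference) are assumptions, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which needs a third-party package.

```python
import hashlib
import hmac
import secrets
import time

# Iteration count from the article (Miller's 100,000 for PBKDF2).
# Assumption: a real deployment tunes this to its own hardware.
PBKDF2_ITERATIONS = 100_000


def md5_unsalted(password: str) -> str:
    """The legacy scheme the article describes: one fast MD5 over the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def sha256_salted(password: str, salt: bytes) -> str:
    """Salted but still fast: defeats rainbow tables, does nothing about the guess rate."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted hash. The record carries its own parameters so they can be raised later."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check itself leaks nothing about the stored digest.
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_upgrade(user_store: dict, username: str, password: str) -> bool:
    """Verify against whatever scheme is stored; on success, rewrite a legacy MD5
    record as PBKDF2. Users who never log in keep the weak record, which is the
    bootstrapping limitation White describes (constructed store, not Yahoo!'s)."""
    record = user_store.get(username)
    if record is None:
        return False
    if record.startswith("pbkdf2_sha256$"):
        return pbkdf2_verify(password, record)
    if hmac.compare_digest(md5_unsalted(password), record):   # legacy hex MD5 record
        user_store[username] = pbkdf2_hash(password)          # upgrade in place
        return True
    return False


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core guess rate for hash_fn, to show the slow-hash effect Goldberg quantifies."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hash_fn(f"guess{n}")
        n += 1
    return n / seconds


if __name__ == "__main__":
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    # Two users with the same password: identical under unsalted MD5, distinct once salted.
    print("unsalted MD5 :", md5_unsalted("Password1"), md5_unsalted("Password1"))
    print("salted SHA256:", sha256_salted("Password1", salt_a)[:16], sha256_salted("Password1", salt_b)[:16])
    store = {"alice": md5_unsalted("Password1")}   # constructed legacy record
    print("legacy login :", login_and_upgrade(store, "alice", "Password1"))
    print("record after :", store["alice"][:45] + "...")
    print("MD5 guesses/s    ~", int(guesses_per_second(md5_unsalted)))
    print("PBKDF2 guesses/s ~", int(guesses_per_second(lambda p: pbkdf2_hash(p, salt_a))))
```

Run it and the two unsalted MD5 digests are identical, the two salted digests differ, and the measured guess rate drops by several orders of magnitude between MD5 and PBKDF2. The catch White raises is visible in `login_and_upgrade`: an account that never authenticates is never upgraded, so a forced reset or a per-property reminder campaign is the only way to finish the migration.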

Moment of truth: Web browsers and the SHA-1 switch

The long-awaited SHA-1 deprecation deadline of Jan. 1, 2017, is almost here.

At that point, we’ll all be expected to use SHA-2 instead.
So the question is: What is your browser going to do when it encounters a SHA-1 signed digital certificate? We’ll delve into the answers in a minute.

But first, let’s review what the move from SHA-1 to SHA-2 is all about.

Getting from SHA-1 to SHA-2

SHA-1 is a cryptographic hash officially recommended by NIST.
It’s used to verify digital content, as well as digital certificates and certificate revocation lists (CRLs). Whenever a PKI certification authority (CA) issues a certificate or CRL, it signs a hash of it to assist “consuming” applications and devices with trust verification. In January 2011, SHA-2 became the new, recommended, stronger hashing standard.
SHA-2 is often called “the SHA-2 family of hashes” because it contains hashes of many different lengths, including 224-bit, 256-bit, 384-bit, and 512-bit digests.

The most popular one is 256 bits by a large margin. Who declared Jan. 1, 2017 the drop-dead date for SHA-1? Three of the top browser vendors and dozens of other software vendors.

They belong to a vendor consortium called the CA Browser Forum, which publishes requirements for public CAs in its frequently updated Baseline Requirements document. The CA Browser Forum’s SHA-1 deprecation requirements apply to all but two types of certificates (covered below), although some browser vendors care only about web server certificates. Per the CA Browser Forum, no public CA is allowed to issue SHA-1-signed certificates after Jan. 1, 2016, for certificates that expire after Dec. 31, 2016, although in some browsers, any SHA-1 certificate expiring after Dec. 31, 2017, is flagged, regardless of when it was issued. The CA Browser Forum specifically excludes root CA server certificates and cross CA certificates from the SHA-1 deprecation requirements.

This means you do not have to worry about your root CA’s certificate, although you probably need to worry about how it signs subordinate CA certificates and CRLs.

Your browser’s reaction

Some major browser vendors have been issuing warnings and error messages for two years.

Today, some browsers put an X through the HTTPS indicator (Google Chrome), don’t display the lock icon (Microsoft Edge and Internet Explorer), or simply remove the HTTPS portion of the URL (Apple Safari). Some browsers, such as Firefox, don’t show any indication when consuming a SHA-1 certificate; others may or may not, depending on whether you're using a PC or mobile version of the browser.
In some cases, the protection given by the SHA-1 TLS certificate is still active even though the browser appears to indicate that it is not (for example, Chrome, Edge, or Internet Explorer).

SHA-1 deprecation in the major browsers

Certificate types and deprecation evaluation

What certificate types will be evaluated for SHA-1 deprecation? It depends on the browser. The CA Browser Forum says all certificates will be evaluated except for root CA server and cross-CA certificates.

But I have seen browsers that popped up an error message on SHA-1 root CA certificates when they were acting as an “intermediate” root CA in a three- or four-tier PKI hierarchy and on cross-CA certificates. Microsoft will only evaluate certificates that originate from a PKI chain registered in the Microsoft Trusted Root program.

Certificates originating from a PKI chain registered in the Microsoft Trusted Root program will be evaluated only if they contain the Server Authentication OID.

This is an important point because some TLS certificates may contain the Client Authentication or Workstation Authentication OIDs only. (See Microsoft’s SHA-1 deprecation policy.) Other browser vendors say they will inspect “all” certificates for SHA-1 deprecation, but in practice this always excludes the root CA server certificates and may technically mean only web server or Server Authentication OID certificates.
I’ve had a hard time nailing down browser vendors on exactly which certificates they will include in deprecation-checking. Mozilla did confirm it also checks for the deprecated Netscape Step-Up OID. Mozilla Firefox, Google Chrome, and Opera browsers will check both public and private certificates by default, although you can manually register private PKI chains (sometimes called enterprise chains) to be excluded from SHA-1 deprecation checking. You can find Mozilla’s latest SHA-1 deprecation statement here; Google’s can be found here. As of Jan. 1, 2017, “full” SHA-1 deprecation enforcement is supposed to happen, although Microsoft will actually begin full enforcement on Feb. 14, 2017 (the second Patch Tuesday of the year). Mozilla says it will begin full enforcement in January 2017, with no specific date, whereas Google (and Opera) will begin full enforcement by the end of January 2017. All browsers will eventually evaluate all certificates, public or private, with no exceptions allowed, although this will probably be many years out.

Expect any new improvement in SHA-1 cracking to speed up timelines and incur policy updates.
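A concrete way to answer the article's opening question, which of your certificates are SHA-1 signed, without waiting for a browser to complain. This is an added example, not part of the original article or any browser vendor's tooling: a minimal DER reader that pulls the signatureAlgorithm OID out of an X.509 certificate (PEM or DER) and applies the CA Browser Forum rule above that root CA certificates are exempt. The `build_stand_in_cert` helper fabricates a certificate-shaped structure purely so the example runs offline; the `is_root` flag is an assumption the caller supplies (the page says only that roots are excluded), and the OID table covers the common RSA and ECDSA signature algorithms.

```python
import base64

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, hash used).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
}


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def load_der(data: bytes) -> bytes:
    """Accept PEM (base64 between BEGIN/END lines) or raw DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line.strip() for line in data.splitlines() if not line.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def signature_algorithm(cert: bytes):
    """Return (oid, name, hash) from the outer signatureAlgorithm of an X.509 Certificate:
    SEQUENCE { tbsCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue }."""
    tag, cert_body, _ = read_tlv(load_der(cert), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert_body, 0)          # tbsCertificate, skipped wholesale
    _, alg_body, _ = read_tlv(cert_body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_bytes, _ = read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    name, hash_name = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, hash_name


def sha1_deprecation_check(cert: bytes, is_root: bool = False) -> str:
    """Apply the CA Browser Forum rule quoted in the article: root CA certificates are
    exempt; any other certificate signed with SHA-1 is flagged."""
    oid, name, hash_name = signature_algorithm(cert)
    if hash_name == "SHA-1" and not is_root:
        return f"FLAG: signed with {name} ({oid})"
    return f"OK: signed with {name} ({oid})"


# --- constructed stand-in certificates so the parser can be exercised offline (not real certs) ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                         # base-128 with continuation bits, most significant first
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += enc
    return _der(0x06, bytes(body))


def build_stand_in_cert(sig_oid: str, pem: bool = False) -> bytes:
    """Outer Certificate structure with a dummy tbsCertificate and signature, so only
    the signatureAlgorithm field carries meaning."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                  # stand-in tbsCertificate
    alg = _der(0x30, _der_oid(sig_oid) + _der(0x05, b""))  # AlgorithmIdentifier with NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 4)                # stand-in BIT STRING
    der = _der(0x30, tbs + alg + sig)
    if not pem:
        return der
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        print(sha1_deprecation_check(build_stand_in_cert(oid)))
    print(sha1_deprecation_check(build_stand_in_cert("1.2.840.113549.1.1.5"), is_root=True))
```

Pointed at a real file (`signature_algorithm(open("cert.pem", "rb").read())`) it reports the outer signature algorithm of the first certificate in the file, which is what the browsers above evaluate. It deliberately does not look at the Server Authentication EKU that Microsoft's policy keys on; that lives inside tbsCertificate, which this reader skips.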

Microsoft plans St Valentine’s Day massacre for SHA‑1

End of the line for weak hash as web giants finally act

The death knell for the SHA‑1 cryptographic hash function will be sounded, now that all of the main browser builders have decided to cut off support – only 12 years after its flaws were first discovered. On Friday, Mozilla and Microsoft both announced that support for SHA‑1 would be dropped – Moz with build 51 of Firefox in January and Microsoft on February 14 for its Edge and Internet Explorer 11 browsers.

Google has already said that Chrome will block SHA‑1 from build 56, due out by the end of January. "The SHA-1 hash algorithm is no longer secure. Weaknesses in SHA‑1 could allow an attacker to spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web," Redmond said. "Though we strongly discourage it, users will have the option to ignore the error and continue to the website." SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.

The delays have been driving some of the tech community up the wall, given that SHA‑1 was proven to be deeply flawed back in 2005 and has been getting progressively more insecure since then. The hash algorithm was published in 1993 as SHA‑0 by the US National Institute of Standards and Technology (NIST). Researchers at the National Security Agency did some tweaking to its compression function and turned out SHA‑1 two years later.
It was made mandatory for all US government crypto-code and became a default standard. It was a decade before researchers realized there were potential problems.
In 2005, Xiaoyun Wang and Hongbo Yu from Shandong University and Yiqun Lisa Yin from Princeton University published a paper showing it was possible to find collisions (two messages that hash to the same hash value) in 2^69 operations, and possibly as low as 2^33 – not the 2^80 operations first envisaged. This was worrying, but not necessarily fatal – it would still take an enormous amount of computing power to defeat, although nowhere near as much as first thought.

But as time went on, computing power increased and the advent of virtualization made more processing available to anyone with a credit card.
It became clear that the time needed to find a collision would drop. The number of operations needed to cause a collision continued to decrease, though the attacks remained largely theoretical. Nevertheless, NIST recommended that government users upgrade to SHA‑2 (the hash published ten years earlier) as early as 2012, but there were plenty of hold-outs, even in the US military. In 2015, a paper (dubbed The SHAppening) published by Marc Stevens of the Dutch research institute Centrum Wiskunde, with Pierre Karpman and Thomas Peyrin from Singapore's Nanyang Technological University, showed you could break SHA‑1 with just $75,000 of compute power. This finally got the industry to remove its collective digit and start setting some decent security standards.
It has taken them long enough, and now it's time to find the laggards and get them fixed. ®
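To make the operation counts above concrete, here is an added example (not from the article) that runs a generic birthday-style collision search against SHA-1 truncated to a small number of bits and compares the generic bound with the figures the article cites. The truncation widths and the messages are constructed for the demonstration; real SHA-1 keeps all 160 bits, which is why the generic bound is 2^80 and a dedicated 2^69 attack was alarming.

```python
import hashlib
import math


def truncated_sha1(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(msg) as an integer: a toy, shortened hash for demonstration."""
    digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return digest >> (160 - bits)


def generic_collision_work(bits: int) -> float:
    """Expected hash evaluations for a generic (birthday) collision search: roughly 2^(bits/2).
    For full 160-bit SHA-1 this is the 2^80 figure the article calls 'first envisaged'."""
    return math.sqrt(math.pi / 2) * 2 ** (bits / 2)


def find_collision(bits: int, limit: int = 1 << 20):
    """Birthday search over distinct constructed messages until two share a truncated digest.
    Returns (msg_a, msg_b, evaluations) or None if `limit` is reached first."""
    seen = {}
    for i in range(limit):
        msg = b"constructed-message-%d" % i  # constructed input, not real data
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def speedup_over_generic(attack_log2: float, bits: int = 160) -> float:
    """How many times cheaper a dedicated attack of 2^attack_log2 work is than the generic bound."""
    return generic_collision_work(bits) / 2 ** attack_log2


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, n = find_collision(bits)
        print(f"{bits}-bit truncation: collision after {n} hashes "
              f"(expected ~{generic_collision_work(bits):.0f})")
    # The 2005 result of 2^69 operations against the generic 2^80 bound:
    print(f"a 2^69 attack is ~{speedup_over_generic(69):.0f}x cheaper than generic birthday search")
```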

Don’t let banks fool you, the blockchain really does have other...

Gov.UK missing out on the real value? We're shocked, we tell you...
Shocked!

Analysis It is a truth universally acknowledged that executives in the financial sector are capable of making the most exciting innovations boring, and in this respect their approach to the blockchain has been exemplary. During 2008's financial crash, a nine-page paper titled Bitcoin: A Peer-to-Peer Electronic Cash System [PDF] was published to the cryptography and policy mailing list at metzdowd. The paper, attributed to Satoshi Nakamoto, offered cypherpunks and anarcho-capitalists a chance to realise their fantasy of a decentralised digital money; in practice, fiat currency backed not by government but by cryptography and collective consent.

You know this story: it was going to change the world, and then it wasn't, and around the time bankers realised it wasn't going to change anything they struck upon the notion of getting it to work for them - though with very little idea how. According to Gartner's hype-cycle, this sets blockchain technology near the peak of inflated expectations at the moment, ahead of 4D printing (What? - Ed) but behind virtual reality.

Speaking to The Register, fintech consultant Diana Biggs said it seemed "pretty evident that blockchain is very hyped at the moment" and noted a "marked change" from even two years ago, "when no financial institution or professional services firm would speak about it openly. A lot of the discussion (or hype) in the space is also quite surface level, outside of specialist circles, which I would attribute to a number of factors, including the early stage of the technology, the complexity and a lack of understanding [about the technology itself]."

Late last week, almost eight years after the Bitcoin paper's publication, Rupert Scofield admitted to The Register over a breakfast briefing in Soho that he really didn't understand what the blockchain was, nor its relationship to Bitcoin, but he believed it was important for fintech companies to look into it.
Scofield, the president of Finca International — a microfinance business which seeks to make small loans to businesses in the developing world — is not the first person to be as bewildered at what the business case for the blockchain is as he was excited one could be found.

Blockbuster cool

Earlier this year, even Blighty's Chief Scientist could be caught advocating that a GDS-built blockchain in the UK could help Her Majesty's Government “collect taxes, deliver benefits, issue passports, record land registries, assure the supply chain of goods and generally ensure the integrity of government records and services.” Sir Mark Walport's 88-page report made little mention of how this would actually be of greater business value for the cited use-cases than a simple transactional database.

Even Scofield's notion of using the blockchain for Finca's “back room” would be obviously better handled by MySQL – something the CEO acknowledged. Yet the hype regarding the blockchain remains. Earlier this year, London-based fintech company GovCoin Systems partnered with Barclays, RWE npower and University College London to trial blockchain tech for the Department for Work and Pensions (DWP).

This trial was subsequently slammed by the Open Data Institute, although it did so on privacy grounds.

Painfully slow and expensive? We must have it

A more pointed criticism, however, may be the unsuitability of the blockchain to store or process payments at all, because it is very slow and very expensive.
In recording every Bitcoin transaction that has ever occurred, forever, it is meeting the business necessity of establishing trust and user belief in that digital currency. The blockchain prevents double-spending in digital currencies by ensuring that everyone knows where every Bitcoin is all of the time.

Transactions of Bitcoin take place by updating the blockchain so everyone knows that the Bitcoin in question is located somewhere new, with cryptographic hash values computed to validate its location. While this novel method of preventing double-spending has been applauded, the protocol regarding the distribution of information along the blockchain also limits transactions to seven per second.

Compared with the thousands of transactions per second conducted by the payments company VISA, this is crippling. Suggestions for increasing the speed of Bitcoin transactions are regular subjects of debate in the Bitcoin community, but there may always be a critical limit to the speed of transactions as a product of the blockchain's trust requirements. As there is no need to require so much trust from the DWP or any other government department, these transaction limits may be improved — but when trust isn't an issue, the business value of a distributed ledger also seems to evaporate.

A statement emailed to The Register after Friday's breakfast briefing with Finca, and attributed to Scofield, accepted that “the financial sector has not properly come to terms with the opportunities that blockchain might present to businesses, and financial institutions need to put a lot more energy into bringing in experts who can make sense of the business case in a rational and sensible way.”

A blockchain advisor at Secure Trading, Mustafa Al-Bassam, who is also a doctoral researcher at UCL, told The Register that “sometimes industry receives investment because investors are excited by the buzzwords, despite the fact that blockchain might be incompatible with what they want”. Al-Bassam added, “There is a large amount of interesting innovation happening in industry with blockchain and smart contract technology.

“For instance, some companies have been looking at smart contracts for financial instruments such as loans, or using a blockchain for inter-bank settlement. These use cases could be more economically efficient than traditional approaches by removing administration costs or middlemen that take a fee.

“Apart from financial use cases of this technology, there are also use cases for internet security,” he said. “For example, the transparency property of distributed ledgers makes it quite useful for certificate transparency to make rogue certificates easily detectable.”

Not that this has stopped the big corporations from having a go, with Microsoft offering a blockchain-as-a-service product on Azure, and IBM open-sourcing its own blockchain code earlier this year too. Earlier this year, Gartner fellow Ray Valdes told The Register that 2016 was “the year of pointless blockchain projects.” He added that IBM and Microsoft's blockchain-as-a-service efforts were confusing and missed the business-case yet again.
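As an added illustration of the mechanism the article sketches (hash values linking blocks, and everyone able to check where each coin is), here is a toy hash-chained ledger written for this page. It is not Bitcoin's format and not anyone's production code; the block layout, coin ids and transfers are constructed, and the same recompute-and-compare check is what makes an append-only log tamper-evident.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed sentinel for "no previous block"

def block_hash(index: int, prev_hash: str, txs: list) -> str:
    """SHA-256 over the block's canonical JSON, so any edit to the block changes its hash."""
    payload = json.dumps({"index": index, "prev": prev_hash, "txs": txs}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def build_chain(tx_batches: list) -> list:
    """Link each block to the previous one by embedding the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        h = block_hash(i, prev, txs)
        chain.append({"index": i, "prev": prev, "txs": txs, "hash": h})
        prev = h
    return chain

def validate_chain(chain: list) -> bool:
    """Recompute every hash and check the links; a tampered block breaks the chain after it."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != prev:
            return False
        if block_hash(block["index"], block["prev"], block["txs"]) != block["hash"]:
            return False
        prev = block["hash"]
    return True

def invalid_transfers(chain: list) -> list:
    """Replay the ledger tracking each coin's holder; a transfer by a non-holder is a double spend."""
    holder, bad = {}, []
    for block in chain:
        for tx in block["txs"]:
            if tx["from"] != holder.get(tx["coin"]):  # None means the coin is freshly minted
                bad.append(tx)
            else:
                holder[tx["coin"]] = tx["to"]
    return bad

# Constructed sample ledger: coin c1 is minted to alice, sent to bob, then alice tries to spend it again.
SAMPLE_BATCHES = [
    [{"coin": "c1", "from": None, "to": "alice"}],
    [{"coin": "c1", "from": "alice", "to": "bob"}],
    [{"coin": "c1", "from": "alice", "to": "carol"}],
]
```

Calling validate_chain on build_chain(SAMPLE_BATCHES) passes while invalid_transfers flags the second spend by alice; editing any field in an earlier block makes validate_chain fail from that block onward.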

Centralised blockchain hubs defeated the trust problem that the blockchain was invented to solve. Valdes said it was futile trying to pick winners in today's saturated blockchain hypezone because the zone was at a stage similar to that of the web in 1995, back when the first wave of innovators started to build services and win millions of customers. Potential use-cases exist, as Al-Bassam noted, but they don't seem to be on the market yet.

Biggs told The Register that her personal opinion was that "there is exciting potential for this technology, but perhaps not in the ways most people think. And ultimately, new or old technology, it will all come down to business processes, policy and regulation to define what changes and benefits we will get out of this." She added: "In terms of a new underlying protocol, that will also depend on consensus and adoption, and to a much greater extent than in the early days of the internet as we are today more cognisant of the enormity of the potential impact of such technologies and thus more committed to trying to get it right." ®

As we speak, teen social site is leaking millions of plaintext...

A social hangout website for teenage girls has sprung a leak that's exposing plaintext passwords protecting as many as 5.5 million user accounts. As this post went live, all attempts to get the leak plugged had failed.

Operators of i-Dressup didn't respond to messages sent by Ars informing them that a hacker has already downloaded more than 2.2 million of the improperly stored account credentials. The hacker said it took him about three weeks to obtain the cache and that there's nothing stopping him or others from downloading the entire database of slightly more than 5.5 million entries. The hacker said he acquired the e-mail addresses and passwords by using a SQL injection attack that exploited vulnerabilities in the i-Dressup website.

The hacker provided the 2.2 million account credentials both to Ars and breach notification service Have I Been Pwned?. By plugging randomly selected e-mail addresses into the forgotten password section of i-Dressup, both Ars and Have I Been Pwned? principal Troy Hunt found that they all were used to register accounts on the site. Ars then used the contact us page on i-Dressup to privately notify operators of the vulnerability, but more than five days later, no one has responded and the bug remains unfixed.

It's only the latest mass leak to expose plaintext passwords in recent days. As Ars reported two weeks ago, plaintext passwords, usernames, e-mail addresses, and a wealth of other personal information were recently published for more than 2.2 million people who created accounts with online survey website ClixSense. The hackers who dumped the collection claimed to have data for a total of 6.6 million accounts and were offering to sell the unpublished 4.4 million entries.

I-Dressup bills itself as a secure site that goes out of its way to protect the privacy of its users, particularly those who are under the age of 13. But those assurances don't hold up to even casual scrutiny.
It's bad enough that a SQL-injection vulnerability that dumps passwords remained unfixed even after it was privately reported. It's even worse that the database contained plaintext passwords. Industry standards dictate that passwords be converted into a cryptographic hash that requires an attacker to spend time and computing resources to restore to a human-readable form. Anyone who had an account on i-Dressup should strongly consider closing it. Users should also be on the alert for scam e-mails that make use of the data. Users should change passwords on any other websites that used the same or similar credentials.
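The hashing the article refers to, as an added example written for this page (not i-Dressup's or Ars' code): each password is stored as a salted, deliberately slow PBKDF2-HMAC-SHA256 record, so a dumped table gives an attacker hashes to grind through rather than passwords to read. The iteration count and the user table are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumption: cost chosen so each guess costs the attacker real CPU time

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record algo$iterations$salt$hash; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)  # per-user salt: equal passwords, different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:  # a plaintext or malformed value is never accepted as a hash record
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def leaked_plaintext(records: dict) -> list:
    """What an attacker reads straight out of a dumped table: users whose stored value is not a hash record."""
    return [user for user, stored in records.items() if not stored.startswith(ALGO + "$")]

# Constructed user table, not real accounts: two users stored the right way, one stored as plaintext.
SAMPLE_TABLE = {
    "user1@example.invalid": hash_password("correct horse battery"),
    "user2@example.invalid": hash_password("correct horse battery"),
    "user3@example.invalid": "hunter2",
}

if __name__ == "__main__":
    print("readable straight from the dump:", leaked_plaintext(SAMPLE_TABLE))
    print("same password, different records:",
          SAMPLE_TABLE["user1@example.invalid"] != SAMPLE_TABLE["user2@example.invalid"])
    print("login check:", verify_password("correct horse battery", SAMPLE_TABLE["user1@example.invalid"]))
```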