 |
|
Advisories
|
VeriSign Response to New Cryptanalytic Results on SHA-1
In a yet to be released paper , researchers
Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu, are expected to detail an
attack on SHA-1 in which a collision can be found with complexity less
than a brute force attack. The work, summarized by the researchers
in their
research note, is the logical next step of the hash function
research discussed in a previous VeriSign
Advisory.
VeriSign is monitoring this situation actively
and will provide updates when the full text of the research is made
known. However, based on the currently available details,
VeriSign feels there is no need for immediate action on its part or
the part of end users of VeriSign Digital Certificates, VeriSign Digital
Certificate customers and VeriSign Unified Authentication Services.
In particular -
- Although analysis
shows that a collision can be found in 269 computations,
which is less than the computations needed for a brute force attack
of 280, the time, memory and computational resources needed
to mount this attack are prohibitive to be of immediate concern.
- There is no impact
on the security of HMAC-SHA-1 and thus no impact on the HMAC
OTP algorithm.
For additional details, see the following document: Attacks
on SHA-1
VeriSign continues to study these results closely
and is working with industry leaders to determine whether existing plans
for an orderly transition to new algorithms, as recommended by NIST
in August 2002, should be expedited.
|
|
