Advisories - Response to New Cryptanalytic Results on Hash Functions from VeriSign, Inc.

Response to New Cryptanalytic Results on Hash Functions

Three papers presented at the Crypto 2004 conference in Santa Barbara, California announced new collision attacks against cryptographic hash functions, the algorithms typically used to condense a message before it is digitally signed and, in operating systems, to store passwords. The affected algorithms are MD4, MD5, RIPEMD, HAVAL-128 and SHA-0. A collision attack lets an attacker construct two inputs of the attacker's own choosing that hash to the same value; it does not let an attacker find a second input matching the hash of a document that someone else has already produced or signed. While the results could provide ammunition for attackers seeking to compromise these algorithms, they fall short of providing the means to forge a digital signature or digital certificate, or to compromise the confidentiality and integrity of messages protected by SSL (e-commerce and browser-to-server communications), S/MIME (secure e-mail), or IPsec (secure VPNs).
 
Advances in cryptanalysis are inevitable, and any security mechanism must be deployed with that expectation. VeriSign routinely plans for the retirement of cryptographic algorithms nearing the end of their working life and also maintains contingency plans for the accelerated retirement of an algorithm should it be compromised. The results published at Crypto 2004 do not require VeriSign to invoke accelerated retirement.
 
Although the results published at Crypto 2004 fall well short of breaking SHA-1, VeriSign is studying them closely to determine whether its existing plans for an orderly transition to newer algorithms, as recommended by NIST in August 2002 (the SHA-256, SHA-384 and SHA-512 functions of FIPS 180-2), should be expedited.
 
VeriSign will continue to monitor the situation, providing updates as warranted. 
 
At this time, however, VeriSign sees no need for immediate action on the part of end users of VeriSign Digital Certificates or VeriSign Digital Certificate customers. The algorithms discussed are hash functions, and the reported weaknesses are collision attacks whose practical impact is still largely theoretical. Even if these hash functions were fully compromised, the effect on the confidentiality and integrity of PKI-based systems, and of the information they protect, would be limited. In all significant cases the hash function is used either to condense information that is not sensitive (for example, the already public contents of a certificate), so that confidentiality is not at stake, or in conjunction with sensitive information that is further protected by encryption and signature algorithms (for example RSA and 3DES) whose strength is not currently in question.
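As an added illustration (not part of the advisory, and not VeriSign code), the following Python models the distinction the advisory relies on. A collision attack lets an attacker who controls both documents obtain one signature that verifies for two messages; forging a signature on a document that someone else has already signed would instead require a second preimage of a fixed digest, which the Crypto 2004 results do not provide. The hash is SHA-256 truncated to 24 bits and the signature is unpadded textbook RSA with fixed small primes; both are assumptions made here so that the generic attacks run instantly, and the real attacks on MD5 and SHA-0 are structural rather than brute force.

```python
import hashlib
import itertools

# All parameters below are assumptions for this example, not taken from the
# advisory or from any VeriSign system.

# Truncate SHA-256 to this many bits so a generic birthday search finishes in
# milliseconds.  Real digests are 128 bits (MD5) or 160 bits (SHA-0/SHA-1),
# where a birthday search is infeasible; the Crypto 2004 results exploit the
# internal structure of those functions instead.
HASH_BITS = 24

# Toy textbook RSA key (no padding) so hash-then-sign runs without a crypto
# library.  Fixed small primes: never use a key like this for anything real.
_P, _Q = 999983, 1000003
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))


def truncated_hash(msg: bytes, bits: int = HASH_BITS) -> int:
    """Toy hash: the top `bits` bits of SHA-256(msg), as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def sign(msg: bytes) -> int:
    """Hash-then-sign: the signature depends only on the digest of msg."""
    return pow(truncated_hash(msg), RSA_D, RSA_N)


def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, RSA_E, RSA_N) == truncated_hash(msg)


def find_collision(prefix: bytes, bits: int = HASH_BITS):
    """Collision attack: the attacker chooses BOTH messages.

    A generic birthday search costs about 2**(bits/2) hash evaluations.
    Returns two distinct messages that share `prefix` and a truncated digest.
    """
    seen = {}
    for i in itertools.count():
        msg = prefix + b" #" + str(i).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg
        seen[h] = msg


def second_preimage_search(target: bytes, budget: int, bits: int = HASH_BITS):
    """Second-preimage attempt against a FIXED target (e.g. a certificate that
    someone else already signed).  Generic cost is about 2**bits; with a
    budget far below that it is expected to fail, which is why a collision
    result alone does not let an attacker forge a signature on an existing
    document.  Returns the matching message or None.
    """
    want = truncated_hash(target, bits)
    for i in range(budget):
        cand = target + b" #" + str(i).encode()
        if truncated_hash(cand, bits) == want:
            return cand
    return None


def generic_attack_cost(bits: int) -> dict:
    """Expected hash evaluations for the generic attacks on a `bits`-bit digest."""
    return {"collision": 2 ** (bits // 2), "second_preimage": 2 ** bits}


def signature_transfers(prefix: bytes = b"Pay to the order of Alice") -> bool:
    """What a collision does give an attacker: one signature, two messages."""
    m1, m2 = find_collision(prefix)
    sig = sign(m1)  # the victim signs m1, the document shown to them
    return m1 != m2 and verify(m1, sig) and verify(m2, sig)


if __name__ == "__main__":
    m1, m2 = find_collision(b"Pay to the order of Alice")
    print("colliding messages:", m1, m2)
    print("signature of m1 verifies for m2:", signature_transfers())
    print("second preimage within 4096 tries:",
          second_preimage_search(m1, 4096))
    for bits in (HASH_BITS, 128, 160):
        print(bits, "bits:", generic_attack_cost(bits))
```

The asymmetry printed at the end is the practical point: at 128 or 160 bits neither generic attack is feasible, and the published results lower only the collision side, where the attacker must already control both inputs.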