Don't miss our upcoming Network Computing virtual event on Connectivity Solutions - Secure Your Complementary Seat Now!
The recent release of a paper detailing the way that a Shandong University team found a significant flaw in the SHA-1 encryption algorithm has caused major ripples in the cryptoanalysis world, and it's time to ask whether the ripples will turn into major waves for folks implementing computer and network security. The answer depends on a couple of major factors--how far into the future you look when making implementation decisions, and how much security is enough for you and your situation.
First, understand what the paper said. One of the ways in which encryption schemes are evaluated is the frequency with which two different strings of text would encrypt (or hash) to the same result. SHA-1 was designed, and had been assumed, to have a collision in 280 operations. The team at Shandong University found a method by which they could reach a collision in only 269 hash operations.
Now, in realistic terms, that still a lot of operations, and it's more than the average hacker is going to be willing to brute force their way through in order to compromise a piece of communication. For the short term, then, there's no need to panic. Over the longer term, though, there is more room for concern.
The real problem is that the Shandong team's results show that there is a problem with SHA-1, and now the likelihood grows that more issues can be found. Since more people are likely to be looking for problems that could very well exist, the result is a lack of confidence in SHA-1. It's time to start looking for a replacement.
With the move to the cloud, CISOs must shift priorities from operating security programs to overseeing (monitoring and auditing) outsourced cybersecurity programs.
2022 was a boon year for IT salaries. 2023 came in like a beast with layoffs, raise freezes, and ChatGPT, but that beast has few teeth.
Age is only a number. Don't let a high number cancel your career.
