Steve Lamb's Blog

Security Matters

Blogs

For those who haven't heard yet there's a way to compute SHA-1 hashes faster than brute force

  • Comments 2
  • Likes

Bruce's recent article has started a great deal of debate. Clearly the implications for the way cryptographic signatures are relied upon more and more come into question. IMHO the sky's not about to fall down but certainly it's sensible for all software authors(Microsoft included) to think how their software could be impacted.

It's only a matter of time before a new branch of mathematics is found which makes it possible to rapidly factor huge prime numbers - negating asymmetric key crptography - this will have a profound effect. Of course it could take years and years before such a branch of mathematical theory is found. IMHO this will happen one day - if may already have happened outside the public arena but therin lies yet another conspiracy theory!

The one thing you can be sure of in IT Security is that no technical measure works indefinately. Remember when common thinking was that a Firewall would protect you from all evil...... Simply relying on a single technology (such as cryptography) is a folly. Well thought out complementary measures are the only way - each assuming that the others have failed - otherwise known as "defence in depth". It's not rocket science and yet many people fail to assess their risk from a business perspective and apply multiple complementary mitigation steps. IMHO stealing data is easy, the catch is how much effort you're prepared to put in to achieve your goal.

Comments
  • new learner i just loaded my new server copy

  • Agreed. Defense in Depth is the key paradigm. All organisations should have a well defined and maintained Security Policy which covers both Technical and Non-Technical aspects including procedures such as &quot;Clear desk&quot;, password policy, DR etc etc. <br> <br>Some one person or group of people should be responsible for ensuring the policy is maintained and adhered to. One cannot rely solely on a firewall. <br> <br>Speaking of which, the WS-S spec worries me slightly as it suggests itself as an end-to-end solution for Web Services Security - that's got to be dangerous...Thoughts?