The vulnerability in the SHA-1 one-way hash function, which recently rocked the cryptographic world, is not seen as a threat to a new generation of one-time password products based on the encryption standard.
The Initiative for Open Authentication"s (Oath) Hashed Message Authentication Code (HMAC), a one-time password (OTP) proposal based on SHA-1, is being promoted as a key technology for broadening the authentication marketplace. Analysts at The Yankee Group in Boston predict that the authentication market will grow at a 12 percent annual rate, almost doubling from US$1.4 billion in 2004 to $2.4 billion in 2008.
A flaw in Oath"s proposed OTP standard could dent that growth, but that isn"t likely, said Phillip Hallam-Baker, a chief scientist at Oath sponsor VeriSign Inc. in Mountain View, Calif., and other cryptographers.
The vulnerability isn"t a threat because less is better when it comes to preventing the reproduction of a hash value, Hallam-Baker said. Oath"s algorithm for the one-time password truncates, or discards, bits from the 160-bit hash value produced by SHA-1, he said. Oath"s OTP uses only enough bits to produce a six-digit sequential password, deleting the rest.
"To break the Oath password, you"d have to know exactly the hash bits left after truncation. Truncation greatly increases the difficulty of breaking the hash. Since we"re not using all the hashed information, a hacker actually has less information available to (him)," which significantly increases the difficulty of breaking the Oath OTP, he said.
SHA-1 is an encryption algorithm developed by the U.S. National Security Agency in 1995 after a weakness was discovered in a predecessor, the Secure Hash Algorithm, or SHA.
Three Chinese cryptographers at Shandong University in February discovered the flaw when they created two different files that produced the same hash value (see story). Cryptographers refer to this type of attack on a hash as a "birthday attack" because the algorithms are frequently described by using the analogy of finding two people with the same birthday in a large crowd.
Any two people randomly selected from a crowd should have unique birthdays, just as cryptographic hashing functions should produce a unique value for every input of clear text. Further, no collisions, or identical hash values, should result from countless inputs of the same text.
The SHA-1 vulnerability demonstrated that an identical hash value could be computed about 2,000 times faster than a so-called brute-force attack, where a hacker tries every possible means, such as guessing passwords and trying various code combinations, to gain entry into a system. In cryptographic terms, finding a method that breaks a cipher faster than a brute-force attack means the encryption algorithm is broken. In the case of SHA-1 however, the practical impact of the breakthrough is insignificant until further cryptographic research reveals more vulnerabilities in the SHA-1 algorithms.
Bruce Schneier, cryptographic researcher, author and founder of Counterpane Internet Security Inc. in Mountain View, agreed with Hallam-Baker"s explanation. Schneier said the Oath OTP was one of many hash-function applications that aren"t vulnerable to birthday attacks.
"Presumably Oath will migrate to a new hash standard when one is settled upon, simply to be safe, but there"s no cause for concern," Schneier said.
Oath"s members, which number about 40, are expected to approve a statement on the impact of the SHA-1 collision vulnerability later this month. Meanwhile, their HMAC OTP algorithm proposal continues to churn through the standards process and is expected to become an Internet Engineering Task Force (IETF) request for comment (RFC) soon, said Stu Vaeth, a member of Oath"s technical and management committees and chief security officer at Diversinet Corp. in Boston.
"The IETF knew of the SHA-1 collision vulnerability and that it was not something they needed to consider," Vaeth said, when the standards body approved Oath"s HMAC OTP algorithm proposal for peer review as an RFC in a March 7 meeting in Minneapolis. The standardization process could be completed in as little as four to six weeks, Vaeth said, because "algorithms typically go through a shorter review cycle than a protocol."
Cryptographic pioneer RSA Security Inc. in Bedford, Mass., also downplayed the importance of the SHA-1 flaw in a note on the Web site of RSA Laboratories that said, "Most SHA-1-based applications in the industry as a whole are not affected by the research results, which only affect one particular property of SHA-1 -- collision-resistance -- and which can only be exploited practically under special circumstances."
RSA and its SecureID one-time password products are in the cross hairs of the proposed Oath HMAC OTP industry standard as it seeks to grow the marketplace for one-time passwords. The company"s SecureID products made $192.8 million in sales of "authenticator product types" and comprised 74 percent of RSA"s $260 million of revenue in fiscal 2003.