MySQL Forums

Re: SHA1 broken
Posted by: Arjen Lentz
Date: February 22, 2005 12:13AM

Giuseppe Maxia wrote:
> SHA1 has been broken.
>
> http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
>
> Since MySQL passwords (4.1 and up) seem to be based on it, is there anything we should be
> concerned about?

No proof has been provided for those claims yet, nor is the scale of the alleged problem clear.
By scale I mean: if previously it would take millions of years to crack it, how much time would it take now?

The alleged problem is about finding duplicates, i.e. a different string that would produce the same SHA1 output. If the process by which this "attack" can be done is sufficiently fast, then this could indeed be relevant for the authentication protocol in MySQL 4.1.
However, there are other aspects in the protocol design that would still make it quite difficult to actually exploit. Basically, a potential attacker would only gain an advantage from this if they were able to steal the mysql.user table. Then they could use the attack to calculate possible passwords. Network sniffing or protocol intercepting wouldn't help them in any way.
Do note though that in MySQL 4.1, the user name is part of the password hash, so two users with the same password still have different SHA1 strings stored. This same feature also slows down dictionary attacks, and also attacks of the type described above.

Regards, Arjen.
--
Arjen Lentz, Exec.Director @ Open Query (http://openquery.com)
Remote expertise & maintenance for MySQL/MariaDB server environments.

Follow us at http://openquery.com/blog/ & http://twitter.com/openquery
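
The 4.1 challenge-response exchange discussed in the post above, as an added example that is not part of the original post or MySQL's own code. It assumes the publicly documented scheme (stored value SHA1(SHA1(password)), client token SHA1(password) XOR SHA1(scramble + stored value)); the function names, the sample password and the use of `os.urandom` for the scramble are constructed for illustration.

```python
import hashlib
import hmac
import os

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def stored_hash(password: str) -> bytes:
    """Value kept server-side: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))

def password_column(password: str) -> str:
    """Text form of the stored value: '*' followed by 40 uppercase hex digits."""
    return "*" + stored_hash(password).hex().upper()

def client_token(password: str, scramble: bytes) -> bytes:
    """What crosses the wire: SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode())
    mask = sha1(scramble + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))

def server_verify(token: bytes, scramble: bytes, stored: bytes) -> bool:
    """Server removes the XOR mask with its stored hash, re-hashes, compares."""
    if len(token) != 20:
        return False
    mask = sha1(scramble + stored)
    candidate_stage1 = bytes(a ^ b for a, b in zip(token, mask))
    return hmac.compare_digest(sha1(candidate_stage1), stored)

def demo() -> dict:
    password = "password"                      # constructed sample password
    stored = stored_hash(password)
    s1, s2 = os.urandom(20), os.urandom(20)    # one fresh scramble per connection
    t1, t2 = client_token(password, s1), client_token(password, s2)
    wrong = client_token("passw0rd", s1)
    return {
        "column": password_column(password),
        "login_ok": server_verify(t1, s1, stored),
        "wrong_password_rejected": not server_verify(wrong, s1, stored),
        "old_token_rejected_on_new_scramble": not server_verify(t1, s2, stored),
        "tokens_differ_per_connection": t1 != t2,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A token captured on one connection fails verification against the next connection's scramble, and the token alone never contains the stored value or the password in the clear.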
