Well-designed systems don’t store passwords; rather, they take the password you supply and run it through a cryptographic hashing algorithm that turns it into another string (in theory, this string can’t be turned back into the password). When you re-visit the website and supply your password, it is run through the algorithm again, and then the result is compared to the stored version. That way, no one — not even the provider — knows your password (except you). Again, that which isn’t stored can’t be leaked. Requiring French online services to keep a record of unhashed passwords is a reversal of decades of best practices in security.

The credibility of photographic evidence becomes vital in numerous situations for insurance companies and courts, as they may accept digital image as indisputable evidence if it can be proven genuine. However, the discovered vulnerability in Canon Original Data Security system proves that verification data can be forged and, thus, the whole verification system cannot be relied upon.

In brief, modern DSLR (Digital Single-Lens Reflex) cameras produced by Canon feature Original Data Security system which is meant to securely validate the authenticity of image data and prove image genuineness. Accordingly, one can use OSK-E3 (Canon Original Data Security Kit) which comprises smart card and special software to verify a digitally signed image.

ElcomSoft discovered the vulnerability which allows producing images that will be positively validated by Canon’s own Original Data Security Kit (OSK-E3) regardless of whether or not the images are, in fact, genuine.

Cory Doctorow at 8:18 AM Tuesday, Nov 30, 2010

Dmitry Sklyarov and his colleagues at Elcomsoft have cracked the “image verification” system in high-end Canon cameras; this system digitally signs the photos you take so any alternations, “touch ups” or other modifications can be detected. Sklyarov (who became a cause celebre when he broke the DRM on Adobe’s ebooks and was thrown in jail by the FBI at Adobe’s behest) and his team have a sense of humor — they’ve produced correctly signed images of astronauts planting the Soviet flag on the moon and the Statue of Liberty holding a sickle, among others.

“Yesterday at Black Hat USA 2009, a talk entitled MD5 Chosen-Prefix Collisions on GPUs (whitepaper) (Both PDFs) presented an implementation written in assembly language for ATI video cards that achieves 1.6 billion MD5 hash/sec, or 2.2 billion MD5 hash/sec with reversing, on an ATI Radeon HD 4850 X2. This is faster than the much-publicized 1.4-1.9 billion hash/sec figure that was supposedly reached on a PlayStation 3 by Nick Breese at Black Hat Europe 2008 (he later noticed an error in his benchmarking tool). Compared to the cluster of 215 PlayStation 3s that was used to create a rogue CA in December 2008, Marc Bevand claimed a cluster of 12 machines with 24 video cards would be a bit faster, consume 5 times less power, and be 10 times cheaper.”

By Bruce Schneier

In other SHA-3 news, Ron Rivest seems to have withdrawn MD6 from the SHA-3 competition. From an e-mail to a NIST mailing list:

We suggest that MD6 is not yet ready for the next SHA-3 round, and we also provide some suggestions for NIST as the contest moves forward.

Basically, the issue is that in order for MD6 to be fast enough to be competitive, the designers have to reduce the number of rounds down to 30-40, and at those rounds, the algorithm loses its proofs of resistance to differential attacks.

By Bruce Schneier

The SHA family (which, I suppose, should really be called the MD4 family) of cryptographic hash functions has been under attack for a long time. In 2005, we saw the first cryptanalysis of SHA-1 that was faster than brute force: collisions in 2^69 hash operations, later improved to 2^63 operations. A great result, but not devastating. But remember the great truism of cryptanalysis: attacks always get better, they never get worse. Last week, devastating got a whole lot closer. A new attack can, at least in theory, find collisions in 2^52 hash operations — well within the realm of computational possibility. Assuming the cryptanalysis is correct, we should expect to see an actual SHA-1 collision within the year.

Dec 11th 2007
From Economist.com
A cast-iron way of identifying documents is looking a little rusty

“Of course, it is all an illusion. He would certainly not have time, once the result is known, to construct a document containing the name of the winner in such a way that its hash would come out just right. That would be what cryptographers call a “pre-image attack”, and no way of mounting such an attack is known. Instead, Dr de Weger’s group has concentrated its efforts on the other property of hashes: that it is hard to find two documents that have the same hash. Hard, but as it turns out, not impossible. Constructing two such co-incidental documents is known as a “collision attack”. And it is this trick that the researchers have pulled off. Indeed, they have created not merely two, but 12 documents that have the same hash. Each of these documents contains the name of one of the 12 leading presidential candidates, so it is just a question of posting the right one once the result of the election is known.”