Saturday, June 07, 2008

Why security is in such a sad state?

Disclaimer: as always, unless expressly stated, the views expressed here are my own and do not necessarily reflect those of my current or former employers.

Because people hide behind titles!

Some examples:

Gary Warner, Director of Research in Computer Forensics, lists on his blog IP addresses associated with the latest run of Storm. I thought that everybody got the memo, but seemingly some didn't: Storm is hosted on a fast flux network, using compromised home computers! Enumerating those IPs has the same value as saying fraud is happening on the Internet!

From the ThreatExpert blog: new Rustock, blah, blah, "All communication with the server is encrypted with SHA1". I kid you not. There are still some people out there who don't know the difference between encryption and hashing.

Final example: as part of my studies I was participating in a presentation held by a telecom equipment manufacturer, who was explaining some communication protocol and said the passwords are encrypted with MD5. I didn't want to embarrass the guy, but I really felt a strong urge to throw a thick security book at him. And these are people responsible for the security of our communication infrastructure!

So remember, the next time you say encrypted with MD5/SHA1 I might be in the audience and you might get hit by a book!

To end on an optimistic note, here is an article from which emphasizes the need to study and learn continuously.


  1. crypto-trivia: it is possible to encrypt with hash functions... see karn, luby-rackoff, or message digest cipher...

    such constructions were probably not what those people had in mind, however...

  2. thanks for the interesting comments (as always). however I couldn't find really much info about the algorithms / methods you are referencing.

    For luby-rackoff I found a wikipedia entry (, however it directly references cyphers, not hashes.

    Also, cryptographic hashes (should) have the property of "given h it should be hard to find any m such that h = hash(m)", which pretty much rules them out as an encryption algorithm... (since you can't go the other way around). Also, because they are fixed length, they act as an information reducer (or "lossy compressor").

    Finally I found a text regarding MDC (, however there hash functions are used to generate the key, not really to encrypt anything.

  3. hmmm... i didn't try googling them to see how easy it would be to find them... ok then, i might as well tell my source... applied cryptography, chapter 14 ("Still Other Block Ciphers"), section 11 ("Using One-Way Hash Functions")... i read it (well, most of it, though my attention began to wane near the end) back when i was in my 3rd year at university...

    you're right, of course, that hash functions can't be used as encryption algorithms, but that doesn't mean they can't be used to encrypt... one simply has to come up with a construction where their one-way-ness isn't a problem (such as in a CFB or OFB cipher)...
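
The distinction argued in this thread, as an added example that is not part of the original post or its comments: a bare hash has no key and no inverse, while a keyed hash run in an OFB-style feedback loop yields a keystream that does encrypt. The function names, the use of HMAC-SHA256 as the keyed one-way function, and the sample values are assumptions of this sketch; it is not an implementation of Karn, Luby-Rackoff or MDC.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().digest_size  # 32 bytes of keystream per step


def one_way_digest(data: bytes) -> bytes:
    """Hashing: no key, fixed 20-byte output, nothing to decrypt."""
    return hashlib.sha1(data).digest()


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """OFB-style feedback: state_i = HMAC-SHA256(key, state_{i-1}), state_0 = iv.

    The hash is only ever run forwards, so its one-way-ness is not an obstacle.
    """
    out = bytearray()
    state = iv
    while len(out) < length:
        state = hmac.new(key, state, hashlib.sha256).digest()
        out += state
    return bytes(out[:length])


def xor_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse.

    Confidentiality only; a real protocol also needs a unique IV per
    message and a MAC over the ciphertext.
    """
    ks = keystream(key, iv, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real traffic.
    key = bytes(range(32))
    iv = bytes(BLOCK)
    msg = b"passwords are hashed with MD5, not encrypted; " * 2

    ct = xor_crypt(key, iv, msg)
    print("digest    :", one_way_digest(msg).hex(), "(20 bytes, irreversible)")
    print("ciphertext:", ct.hex())
    print("recovered :", xor_crypt(key, iv, ct))
```

The digest stays 20 bytes whatever the input length, while the ciphertext is exactly as long as the message and is recovered only with the same key and IV.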