Another Hashing Exploit

June 14, 2005

Trust no one:

Cryptographers have found a way to snip a digital signature from one document and attach it to a fraudulent document without invalidating the signature and giving the fraud away.

The development means that attackers could potentially forge legal documents, load certified software with bogus code, or turn a digitally-signed letter of recommendation into one that authorises access to private information.

“It’s not the end of the world yet, but we need to stop using MD-5 and SHA-1 before it is,” notes Dan Kaminsky, an independent security consultant based in Seattle, Washington, US.

Via New Scientist.

Gadgetopia