UCL News


Hash function broken

17 May 2005

An IT seminar at UCL has introduced new concerns about online security.

Professor Wang Xiaoyun of Tsinghua and Shandong Universities in China spoke to UCL staff and students about her research into the 'hash' function, an encryption device that has been used to safeguard information exchange on the internet for many years.

Hash functions are routinely used to scramble information for online transmissions containing credit card information and other sensitive data. Until now, experts have regarded them as unbreakable. But Professor Xiaoyun's team has found a flaw in a state-of-the-art hash function that shows that the device is potentially vulnerable to hackers.

Hash functions work as a sort of digital fingerprint, creating a unique symbol that serves to verify the authenticity of a particular document. However, researchers found that a particular hash algorithm called SHA-1 could generate an identical 'fingerprint' far more easily than had previously been believed possible.

Although the technique used by the researchers is unlikely to be used to hack into particular computers, it could theoretically be employed by hackers to create fake websites with the security credentials of a trusted site in order to obtain credit card details and other sensitive data. 

Professor Xiaoyun's discovery has already raised a red flag among government agencies and computer-code experts. Many major security agencies are no longer using the SHA-1 hash function in new applications and are phasing it out of other functions.

Professor Xiaoyun's seminar forms part of a series established by UCL to complement its newly established MSc in Information Security - an advanced programme for computer science and engineering graduates who wish to work in the field.
