A few days ago at EuroCrypt 2009, security researchers announced an attack on the SHA-1 hashing algorithm. The attack is a fairly serious one and it is a strong signal for software vendors to move away from SHA-1.

For almost all cryptographic algorithms, if the digest length is n, it means that there are 2ⁿ different possible values for the message digest (cipher text in the case of an encryption algorithm). Taking the possibility of birthday attacks into account, we can safely assume that breaking these digests will take at least 2^n/2 operations.

If n = 160 (as in the case of SHA-1), it will take 2⁸⁰ calculations to break the code. Even if we assume that a computer can do 2²⁰ operations per second, it will take a whopping 36 billion years to crack the code. Our secrets and systems are kept secure by these algorithms which are supposed to resist the best computers for 36 billion years from cracking code.

Then someone very smart comes along, finds a weakness in the algorithm itself rather than trying to do brute force attack, and the security of our documents, signatures and protocols are jeopardized. We are forced to find better alternatives and design better algorithms.

In the real world, cryptographic algorithms become obsolete or broken in 10-25 years rather than the theoretical time frame of 36 billion years.

As a precautionary step you may want to make the algorithms/protocols used in your application easily replaceable. This will make your life easier when the algorithm is broken and you want to replace it. Also, as a programmer you should understand that even if the algorithm is not yet broken, your implementation may be flawed. Most of the security vulnerabilities are caused by crappy implementations of secure algorithms/protocols.

And did I mention that you should not write your own encryption algorithm?

Of course in the real world things are entirely different:

As you probably know, none of the algorithms in the world will help you if I know your mother’s maiden name.