Java Reference
In-Depth Information
8.2.2.7 SHA
he secure hash algorithm (SHA) is the set of hash functions designed by the NSA. here are
three SHA algorithms known as
SHA-0
,
SHA-1
, and
SHA-2
, respectively. SHA-1 is the most
popular hash function among the SHA algorithms and is the most widely adopted in commercial
products. here have been some weaknesses discovered in SHA-1, which prompted the creation
of a much stronger SHA-2, and a SHA-3 is also under development and will be chosen based on
a competition somewhere between 2008 and 2012.
he SHA-0 was published as a speciication by NIST in the year 1993. his was superseded
in 1995, by SHA-1, which corrected some of the laws of SHA-0. SHA-1 and SHA-0 generated a
160-bit hash value (message digest) from a variable-length message or ile.
SHA-2 was created to overcome of the weaknesses of SHA-1. his consists of the SHA-224,
SHA-256, SHA-384, and SHA-512 algorithms, where the lengths of the message digests are
expressed in the numbers succeeding the word
SHA
. he NSA has recommended that the use of
SHA-1 be discontinued because of a known law in the algorithm. he NSA has mandated a move
to SHA-2 for all government information by the year 2010.
8.2.3 Implementation Implications of Encryption in Web Applications
In the current world of Web application development, there are several implementations of cryp-
tography that are in existence. Organizations and developers have taken note of the fact the cryp-
tography is one of the most efective means of protection of data and have implemented certain
measures for achieving the same. However, there have been several problems in the implementa-
tion of cryptography in Web applications, mostly caused by lack of awareness and, in some cases,
negligence and a lack of a strong culture of security in the organization developing the Web
application. We shall delve into some examples of the inappropriate implementations of cryptog-
raphy in Web applications and highlight the reasons for their failure and the remedies for these
implementations. hey are as follows:
◾
Homegrown crypto
◾
Weak ciphers
◾
Insecure implementation—strong ciphers
◾
Weak or nonexistent transport layer security
8.2.3.1 Homegrown Crypto
his is one of the main reasons for insecure cryptographic implementation of cryptography in
Web applications. Several Web application developers believe that they are able to develop “algo-
rithms” that are capable of protecting sensitive information, with the least amount of performance
overhead—for instance, using a scheme of subtraction and multiplication of each digit of a credit
card number to provide the ciphertext and performing the same basic arithmetic operations in
reverse. While such attempts are not only laughable because of their sheer simplicity, they also
lull an organization into a false sense of security as they perceive their sensitive information to be
safely unreadable, while it is mostly the contrary that is the case. Industry-standard encryption
algorithms like AES and Triple DES are industry standard for a reason. hey have been tested
extensively by some of the most advanced cryptanalysts and knowledgeable members of the indus-
Search WWH ::
Custom Search