Http://www.cfca.com.cn/news/040915-1.htm About MD5 defects and CFCA provide security certification Not exposed to this defect impact CFCA
A few days ago, Professor Wang Xiaoyun from Shandong University reads Wang Xiaoyun, Feng Deguo, and learned Jia, in the Crypto 2004 meeting, in the research results of the MD5 algorithm collision in the Red wave. Some news said: "This means that after you use an electronic signature to sign a contract on the Internet, it is possible to find another contract with the same signature but content, so that the truse of the two contracts is not distinguished. Professor Wang Xiaoyun confirmed the use of MD5 algorithms to seriously threaten information system security, this discovery enables the current electronic signature legal effect and technical system challenged ", causing some users of CFCA to pay attention to this issue. The CFCA special as described below:
The MD5 algorithm published in 1991 is a product that overcomes the security defects of the MD4 algorithm; however, in 1994, there was a research report earlier that you can search for two different reports for MD5 by manufacturing a special machine. The text has the same summary, "the" collision "phenomenon, and a collision is found in 24 days. The collision problem of MD5 is actually exposed, and Professor Wang Xiaoyun has the excellent job of: In a shorter time, the MD5 collision is achieved. In addition, since the MD5 algorithm is not the only choice for the hash algorithm, this shortcoming of the MD5 algorithm does not affect the legal effect of electronic signatures for electronic signatures generated by other security hash algorithms. At the beginning of the establishment, CFCA has been safely assessing the MD5 and other algorithms. Therefore, in the application product and service provided by the CFCA, there is no unsafe algorithm such as MD5, but a secure SHA-1 algorithm, the user can use it; the security application tool package provided by the CFCA is used by the default. I also provide an MD5 algorithm for the MD5 algorithm, taking into account the interoperability requirements of other applications, considering the interoperability requirements of other applications. If the user uses the toolkit to develop, the MD5 algorithm is used without using the default algorithm. Immediately modify your own program, use the default SHA-1 algorithm to avoid the impact of MD5 defects. * Accessories: "Electronic Signature Law" and electronic signature technology to achieve electronic signature technical means there are many kinds, but currently more mature, e-signature technology in the world's advanced countries is also "digital signature" technology. Since maintaining technical neutrality is a basic principle to develop laws, there is currently no reason to illustrate public key cryptography is the only technology for making signatures, so the "Electronic Signature Law" has set a more general concept to meet the development of future technology. . However, the signature mentioned in the e-signature method is generally referred to as "digital signature". Moreover, currently, domestic and foreign, technical mature, actually used or based on PKI digital signature technology. As a public key infrastructure, PKI provides a variety of online security services, such as authentication, data confidentiality, data integrity, and undenny. Among them, digital signature technology is used. The whole process of digital signatures is divided into two parts, namely the signature and verification. The principle of digital signature and verification process and technical implementation is shown in the figure. Digital Signature Principle Refer to the Digital Signature Process of the Digital Signature Process by Digital Signature Process: The left side is the signature, the right side is the verification process. That is, the originator obtains the original text with the hash algorithm, encrypts the digital signature with the signature private key, and send the original text to the acceptor with the digital signature; the collection verification signature, that is, the public key Decipher the digital signature, draw a number summary; the closing will use the same hash algorithm to have a new digital summary, compare two digital summary, if the two matches, indicating that the digital signature has been successfully transmitted.
