The US Cyber command, a new … er … entity in the US that, er … will protect us … somehow … has an interesting seal. On that seal is a “cipher” of some sort.
Well that “cipher”, 9ec4c12949a4f31474f299058ce2b22a appears around the inner ring of the seal.
Wired noticed this and had a contest to de-cipher it.
The Register noticed this, and, as all deep techies might say, ya know, it looks a heckuva lot like an md5 hash of something. Well, they figured it out. It is an md5 hash of the Cyber command mission statement.
Everyone feels good right now … mysterious cipher solved.
But … I would expect … no … I would demand … that the Cyber corps know, beyond a shadow of a doubt, that md5 hashes shouldn’t be trusted.
MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found with the design of MD5. While it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1 (which has since been found also to be vulnerable). In 2004, more serious flaws were discovered, making further use of the algorithm for security purposes questionable. In 2007 a group of researchers described how to create a pair of files that share the same MD5 checksum. In an attack on MD5 published in December 2008, a group of researchers used this technique to fake SSL certificate validity. US-CERT of the U. S. Department of Homeland Security said MD5 “should be considered cryptographically broken and unsuitable for further use,” and most U.S. government applications will be required to move to the SHA-2 family of hash functions after 2010.
Um …. HELLO? Anyone there? Using a hash that the government specifically indicates should not be used … on your seal? Exactly what is it you are telling us?
I hope that the techies in the Cyber command were yelling at the folks building the seal logo, so that at least somewhere … somewhere … there is a record (likely clearance required) that says “hey, we aren’t advertising open barn doors, are we?”
This one … yeah … its as bad as the “Office of the President Elect”. Possibly worse, as the OPE was simply farcical; this could signal something far more dangerous … people in high places making important decisions without an adequate understanding of the decisions, or the impact upon the country of such decisions.
Why not use an unbroken hash? Or better yet, as many hashes will eventually be broken given sufficient computing power, why not leave it off entirely?
I won’t start speculating about “whats next” from this group. Lets hope that seal v2.0 makes its appearance with the hash gone from the interior ring.