TMCnet News

PGP Corporation Executes Migration to Stronger SHA Algorithm; PGP Desktop and PGP Universal to Offer Multiple Authentication Options
[February 18, 2005]

PGP Corporation Executes Migration to Stronger SHA Algorithm; PGP Desktop and PGP Universal to Offer Multiple Authentication Options

PALO ALTO, Calif. --(Business Wire)-- Feb. 18, 2005 -- PGP Corporation, a global leader in enterprise encryption solutions, today announced it is planning to migrate to a more secure version of the Secure Hash Algorithm (SHA) in the upcoming releases of its PGP(R) Desktop and PGP(R) Universal encryption solutions. According to a report released this week by a team at Shandong University in China, the SHA-1 algorithm that supports the digital signatures used in popular SSL browser security and encryption can be successfully attacked. The same team helped break MD5, another commonly used cryptographic hash algorithm, in August 2004.

"Although we haven't yet seen the research paper, we have no doubt the group was successful because we've seen their work before," said Jon Callas, CTO & CSO of PGP Corporation.

"It's a real attack, although still at the far edge of feasibility with current technology," confirmed Bruce Schneier, CTO of Counterpane Internet Security Inc. and a member of the PGP Technology Advisory Board.

According to Callas, "We've been planning for just this sort of event for some time." All PGP products are architected to allow for rapid and non-disruptive migration of all encryption, hash, compression, and signature algorithms. PGP Corporation began planning the migration to more secure hash algorithms after MD5 was compromised last year. Callas addressed the company's design philosophy in a September 2004 CTO Corner article entitled "Much ado about hash functions" At the same time, PGP engineers began implementing a shift from SHA-1 to the stronger algorithms (SHA-256 and SHA-512) while preserving interoperability with existing software. The upcoming releases of PGP Desktop and PGP Universal will allow users to select from a broader range of authentication options.

"The work done by the University of Shandong team is in the finest tradition of cryptoanalytic peer review," said Callas. "The best minds continually review existing algorithms, identify issues that need to be addressed, and the entire community of vendors and users benefits. We will continue to monitor the cryptographic integrity of the algorithms used in PGP products and upgrade them as required to provide our customers with the most secure information security solutions available."

About PGP Corporation

Recognized worldwide as a leader in enterprise encryption technology, PGP Corporation develops, markets, and supports products used by more than 30,000 enterprises, businesses, and governments worldwide, including 90% of the Fortune 100 and 75% of the Forbes International 100. PGP products are also used by thousands of individuals and cryptography experts to secure proprietary and confidential information.

During the past ten years, PGP(R) technology has earned a global reputation for standards-based, trusted security products. PGP Corporation is the only commercial security vendor to publish source code for peer review. The unique PGP encryption product suite includes PGP Universal -- an automatic, self-managing, network-based solution for enterprises -- as well as desktop, mobile, disk, and FTP/batch transfer solutions. Contact PGP Corporation at or 650-319-9000.

PGP is a registered trademark and the PGP logo is a trademark of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.

[ Back To's Homepage ]