Security Basics mailing list archives
Re: sha-1 cryptography
From: Bennett Todd <bet () rahul net>
Date: Fri, 23 Dec 2005 15:04:49 +0000
2005-12-20T18:37:20 Enquiries:
I understand that SHA-1 cryptography has been broken [...]
It was broken according to part of the strict definition of a crypto hash: there's an attack that can find a pair of inputs that collide in something less than order of 2**80 tries. I forget the exact savings the current attack achieves, but I think it's still big enough that nobody's demonstrated an actual collision. And if they do, this only affects some, not all applications. Current apps using SHA-1 aren't vulnerable, yet.

All new protocol designs should include pluggable hash protocols, to make it easy to upgrade, and the default for new designs should be one of the SHA-2 family; I'm using SHA-256.

Some constructions are still safe, and expect to remain safe, even with MD5, for which actual collisions have been demonstrated; e.g. HMAC isn't busted. And passwd hashing with MD5 isn't busted yet; the current attacks don't help in finding an input text that matches a fixed hash, only in finding an arbitrary pair that collide. But as the saying goes, it never gets harder to bust a partially-attacked algorithm, only easier.

-Bennett
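The "pluggable hash" design the reply recommends, shown as an added example that is not part of the original message: an HMAC tag carries the name of the hash it was made with, verification accepts any registered hash, and a flag tells the caller when a tag was made with a deprecated function (MD5 or SHA-1) so it can be re-tagged with the SHA-256 default. The `alg$hexdigest` wire format, the `SUPPORTED`/`DEPRECATED` registries and the function names are assumptions made for this example; `hmac.new(key, msg, "sha256")` and `hmac.compare_digest` are Python standard-library calls.

```python
import hashlib
import hmac

# Default for new tags, per the reply's recommendation (SHA-2 family).
DEFAULT_ALG = "sha256"

# Registry of hashes we can verify. Order of preference is not implied;
# the tag itself names the algorithm that was used. (Assumed registry.)
SUPPORTED = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}

# Still verifiable (HMAC is not broken by collision attacks), but tags made
# with these should be re-issued with DEFAULT_ALG at the next opportunity.
DEPRECATED = {"md5", "sha1"}


def tag_message(key: bytes, message: bytes, alg: str = DEFAULT_ALG) -> str:
    """Return an 'alg$hexdigest' HMAC tag for message under key."""
    if alg not in SUPPORTED:
        raise ValueError(f"unsupported hash: {alg}")
    digest = hmac.new(key, message, alg).hexdigest()
    return f"{alg}${digest}"


def verify_tag(key: bytes, message: bytes, tag: str) -> tuple[bool, bool]:
    """Verify a tag. Returns (valid, needs_upgrade).

    needs_upgrade is True when the tag was produced with a deprecated hash,
    so a caller that still has the key can re-tag with DEFAULT_ALG.
    """
    alg, sep, received = tag.partition("$")
    if sep != "$" or alg not in SUPPORTED:
        raise ValueError(f"unsupported or malformed tag: {tag!r}")
    expected = hmac.new(key, message, alg).hexdigest()
    # Constant-time comparison so verification timing does not leak the tag.
    valid = hmac.compare_digest(expected, received)
    return valid, alg in DEPRECATED


def upgrade_tag(key: bytes, message: bytes, tag: str) -> str:
    """Re-issue a tag with DEFAULT_ALG if it verifies under a deprecated hash.

    Tags already using a non-deprecated hash are returned unchanged; a tag
    that does not verify is rejected rather than silently re-issued.
    """
    valid, needs_upgrade = verify_tag(key, message, tag)
    if not valid:
        raise ValueError("tag does not verify; refusing to upgrade")
    if not needs_upgrade:
        return tag
    return tag_message(key, message, DEFAULT_ALG)


if __name__ == "__main__":
    # Constructed sample: a key and message used only for this demonstration.
    key = b"key"
    msg = b"The quick brown fox jumps over the lazy dog"
    old = tag_message(key, msg, "sha1")       # legacy tag from an older deployment
    print("legacy tag :", old, verify_tag(key, msg, old))
    new = upgrade_tag(key, msg, old)
    print("upgraded   :", new, verify_tag(key, msg, new))
```

Because the algorithm name travels with the tag, a deployment can start issuing SHA-256 tags immediately while still verifying older SHA-1 tags during the transition, and the `needs_upgrade` flag gives an explicit signal for retiring the old hash rather than leaving it in use indefinitely.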
Current thread:
- sha-1 cryptography Enquiries (Dec 21)
- Re: sha-1 cryptography Marcos Marado (Dec 26)
- RE: sha-1 cryptography David Gillett (Dec 26)
- Re: sha-1 cryptography Bennett Todd (Dec 26)
- Re: sha-1 cryptography Saqib Ali (Dec 26)
- <Possible follow-ups>
- RE: sha-1 cryptography Zachary Richmond (Dec 26)