Security Basics mailing list archives

Re: sha-1 cryptography


From: Bennett Todd <bet () rahul net>
Date: Fri, 23 Dec 2005 15:04:49 +0000

2005-12-20T18:37:20 Enquiries:
I understand that SHA-1 cryptography has been broken [...]

It was broken according to part of the strict definition of a crypto
hash: there's an attack that can find a pair of inputs that collide
in something less than order of 2**80 tries. I forget the exact
savings the current attack achieves, but I think it's still big
enough that nobody's demonstrated an actual collision. And if they
do, this only affects some, not all applications.

Current apps using SHA-1 aren't vulnerable, yet. All new protocol
designs should include pluggable hash protocols, to make it easy to
upgrade, and the default for new designs should be one of the SHA-2
family; I'm using SHA-256.

Some constructions are still safe, and expect to remain safe, even
with MD5 for which actual collisions have been demonstrated; e.g.
HMAC isn't busted. And passwd hashing with MD5 isn't busted yet; the
current attacks don't help in finding an input text that matches a
fixed hash, only in finding an arbitrary pair that collide.

But as the saying goes, it never gets harder to bust a
partially-attacked algorithm, only easier.

-Bennett
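The pluggable-hash design the message recommends, as an added example that is not part of the original post: digests and HMACs carry an algorithm tag, new values default to SHA-256, and SHA-1 is accepted only for verifying existing digests (flagged for re-hashing). The tag format, function names and the deprecated-algorithm policy are assumptions for illustration.

```python
import hashlib
import hmac
from typing import Tuple

# Algorithms the application knows. SHA-1 is kept only so that digests
# already stored can still be checked; new digests use DEFAULT_ALG.
SUPPORTED = {"sha1", "sha256", "sha512"}
DEPRECATED = {"sha1"}
DEFAULT_ALG = "sha256"


def _split_tag(tagged: str) -> Tuple[str, str]:
    """Parse the assumed 'alg$hex' format and reject unknown algorithms."""
    alg, _, hexdigest = tagged.partition("$")
    if alg not in SUPPORTED:
        raise ValueError(f"unknown hash algorithm tag {alg!r}")
    return alg, hexdigest


def make_digest(data: bytes, alg: str = DEFAULT_ALG) -> str:
    """Return a self-describing digest; refuses to mint deprecated ones."""
    if alg not in SUPPORTED or alg in DEPRECATED:
        raise ValueError(f"refusing to create new digests with {alg}")
    return f"{alg}${hashlib.new(alg, data).hexdigest()}"


def verify_digest(data: bytes, tagged: str) -> Tuple[bool, bool]:
    """Return (matches, needs_upgrade).

    needs_upgrade is True when the stored digest matched but was produced
    with a deprecated algorithm, so the caller should recompute it with
    DEFAULT_ALG while it still has the original data.
    """
    alg, expected = _split_tag(tagged)
    actual = hashlib.new(alg, data).hexdigest()
    matches = hmac.compare_digest(actual, expected)  # constant-time compare
    return matches, matches and alg in DEPRECATED


def make_mac(key: bytes, msg: bytes, alg: str = DEFAULT_ALG) -> str:
    """Tagged HMAC; the underlying hash is selected by name, so it can be swapped."""
    if alg not in SUPPORTED:
        raise ValueError(f"unknown hash algorithm {alg!r}")
    return f"{alg}${hmac.new(key, msg, alg).hexdigest()}"


def verify_mac(key: bytes, msg: bytes, tagged: str) -> bool:
    """Check a tagged HMAC with whatever hash it was created with."""
    alg, expected = _split_tag(tagged)
    return hmac.compare_digest(hmac.new(key, msg, alg).hexdigest(), expected)
```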
