To put this in perspective, what is being said is that while the
original standard required over one septillion hash operations to
find a collision, some researchers believe they have found a way to
reduce this to under 600 quintillion hash operations. A
99.95% reduction.
At one hash operation per nanosecond, a collision can be found
in less than twenty millennia. Clearly not quick enough to
be able to intercept credit card transactions over the web, but
closer to a point where an array of machines could attack a specific
document.
I would presume that the bigger concern isn't that a given collision
could be found within a matter of years, but that in the upcoming months
and years that another 99.95% reduction will be found, and then another...
Thanks for putting that in perspective, Sam.
I had skimmed over the original article, but never had a chance to read anything more in-depth about it. So I was starting to think that perhaps an interim measure might be to keep both MD5 and SHA hashes around for comparison.
It's good to realize that while it's less secure now, it's still not unreasonably so :)
Dougal, put another way: an uncracked MD5 gives you 64 bits of protection (originally stated above as 128). A "broken" SHA-1 gives you 80 - 11 = 69 bits of protection (originally stated as 160 - 11 = 149). That is still 32 (2 ** 5) times more secure than MD5 (originally stated as 2,097,152, i.e. 2 ** 21).
Update: the above was updated to reflect that this is a birthday paradox attack, i.e., one where somebody can find (or construct) two documents with the same hash. I have seen no reports that indicate that the ability of somebody to construct a hash with the same value as an existing document is in any way compromised by this reported discovery.
To be more specific, the new SHA-1 break only affects very carefully constructed messages. This means that it is completely useless for an attacker impersonating an existing message, unless that message was purposely constructed to be attackable. The attack is only useful if the attacker creates both messages, and the attacker can choose the exact format of both messages.
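The two points made in the thread above, Sam's work-factor arithmetic (2^80 generic birthday bound, 2^69 after an 11-bit reduction, and the wall-clock estimate at one hash per nanosecond) and the distinction between finding a pair of colliding documents and matching an existing document's hash, can both be made concrete with a small script. The following is an added example, not code from the original post or from any of the commenters. It truncates real SHA-1 to a small number of bits so a search finishes in seconds, then runs a generic birthday search (attacker controls both messages) next to a brute-force second-preimage search (attacker must match a fixed target). The truncation width, the message formats and the hash rate are assumptions chosen for illustration; the search itself is the generic birthday attack, not the differential technique of the reported SHA-1 break.

```python
import hashlib
import itertools


def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data). Truncation is a toy stand-in so the
    searches below finish quickly; the asymptotics are the same as for the
    full 160-bit output."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-"):
    """Generic birthday attack: the attacker chooses BOTH messages.
    Returns (m1, m2, hashes_tried); expected cost is about 2**(bits/2)."""
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()       # constructed message, assumed format
        h = truncated_sha1(m, bits)
        if h in seen and seen[h] != m:
            return seen[h], m, i + 1
        seen[h] = m


def second_preimage(target: bytes, bits: int, prefix: bytes = b"forged-"):
    """Second-preimage search: the attacker must match an EXISTING message.
    Returns (m, hashes_tried); expected cost is about 2**bits, i.e. the
    square of the birthday cost at the same output width."""
    t = truncated_sha1(target, bits)
    for i in itertools.count():
        m = prefix + str(i).encode()       # constructed candidate, assumed format
        if m != target and truncated_sha1(m, bits) == t:
            return m, i + 1


def work_factors(output_bits: int, bits_saved: int = 0,
                 hashes_per_second: float = 1e9):
    """Birthday bound 2**(n/2), the bound after an attack shaves `bits_saved`
    bits off it, and the wall-clock time in years at the assumed hash rate."""
    generic = 2 ** (output_bits // 2)
    reduced = generic >> bits_saved
    seconds = reduced / hashes_per_second
    years = seconds / (365.25 * 24 * 3600)
    return generic, reduced, years


if __name__ == "__main__":
    BITS = 16  # assumed toy width: 2**8 collision work vs 2**16 second-preimage work
    m1, m2, tries = birthday_collision(BITS)
    print(f"collision after {tries} hashes: {m1!r} / {m2!r}")

    existing = b"pay $100 to alice"      # constructed "existing document"
    m, tries = second_preimage(existing, BITS)
    print(f"second preimage after {tries} hashes: {m!r}")

    for name, n, saved in (("MD5", 128, 0), ("SHA-1 generic", 160, 0),
                           ("SHA-1 reported", 160, 11)):
        g, r, yrs = work_factors(n, saved)
        print(f"{name:15s} bound 2^{r.bit_length() - 1:<3d} ~ {yrs:,.0f} years at 1 hash/ns")
```

Running the bottom block reproduces the numbers in the thread: MD5 and generic SHA-1 sit at 2^64 and 2^80, the reported reduction brings SHA-1 to 2^69 (about 18,700 years at one hash per nanosecond, the "less than twenty millennia" figure), and 2^69 / 2^64 is the 32x margin over MD5. The toy searches show why the update matters: at the same output width the collision search stops after a few hundred hashes while matching a fixed target takes tens of thousands.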
The dust has hardly settled since last year’s reports of collisions in crypto hash functions including MD5. Now there are claims that SHA-1 is broken. There doesn’t seem any immediate cause for alarm, as Sam Ruby puts it: “At one...