SHA-1 cracked
Joseph Ashwood
ashwood at msn.com
Thu Feb 17 00:15:32 EST 2005
----- Original Message -----
From: "Steven M. Bellovin" <smb at cs.columbia.edu>
Subject: SHA-1 cracked
> It's probably not a practical
> threat today, since it takes 2^69 operations to do it
I will argue that the threat is realizable today, and highly practical. It
is well documented that in 1998 RSA Security's DES Challenge II was broken
in 72 hours by $250,000 worth of custom machine. Scale this forward to
today, and $500,000 worth of custom equipment and 2^69 is not out of reach
for 3 days' worth of work. So assuming that your attackers are smallish
businesses, you have 3 days of security; with large businesses with a vested
interest in breaking your security, you are looking at minutes, if not seconds,
before a break.
While most uses of SHA-1 actually end up searching for collisions against
fixed outputs (e.g. given A find B such that A<>B and SHA1(A) == SHA1(B)),
this attack does not immediately cause the collapse of all e-commerce.
This attack means that we need to begin the process for a quick and painless
retirement of SHA-1 in favor of SHA-256/384/512 in the immediate future and
begin further preparations to move to Whirlpool and other hashes in the near
future. I say this because with MD5 completely broken, SHA-0 effectively
completely broken, and SHA-1 showing big cracks, the entire SHA series is in
doubt, and needs to be heavily reconsidered, otherwise we're looking at a
continuing failure of hash functions apparently in a yearly fashion until we
run out of the SHA series.
Joe
Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com
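The message draws a line between the attack that was demonstrated (a free collision: any two inputs with the same digest, where the generic birthday bound for a 160-bit hash is 2^80 work and the quoted result brings it to 2^69) and the setting most deployed uses actually depend on (a fixed output A is given, and the attacker needs a second input B with the same digest, generically 2^160 work). The following Python is an added illustration, not code from Ashwood or from the thread: it truncates SHA-1 to 20 bits (a constructed toy parameter, not a property of SHA-1) so that both searches finish in seconds and the square-root gap between them can be observed directly. The candidate inputs and the target document are constructed for the demonstration.

```python
import hashlib

# Constructed toy parameter: truncating SHA-1 to 20 bits makes both searches
# finish in seconds. Real SHA-1 is 160 bits; this truncation is NOT a weakness
# of SHA-1 itself, it only scales the generic bounds down to something runnable.
TRUNC_BITS = 20


def toy_hash(data: bytes, bits: int = TRUNC_BITS) -> int:
    """Leading `bits` bits of SHA-1(data), returned as an integer."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)


def generic_work_bits(bits: int) -> tuple:
    """log2 of the generic work against an n-bit hash: (collision, second preimage).

    Birthday bound 2^(n/2) for a free collision, 2^n for a second preimage of a
    fixed target. For SHA-1 (n=160) that is (80, 160); the quoted attack
    improves only the first figure, to 2^69.
    """
    return bits // 2, bits


def find_collision(bits: int = TRUNC_BITS, max_tries: int = 1 << 22):
    """Birthday search: ANY two distinct inputs with the same toy digest.

    Returns (a, b, tries) or None if max_tries is exhausted.
    Expected tries ~ sqrt(pi/2 * 2^bits), about 1300 for 20 bits.
    """
    seen = {}
    for i in range(max_tries):
        m = b"msg-%d" % i                      # constructed candidate inputs
        h = toy_hash(m, bits)
        if h in seen:                          # every m is distinct, so this is a real collision
            return seen[h], m, i + 1
        seen[h] = m
    return None


def find_second_preimage(target: bytes, bits: int = TRUNC_BITS, max_tries: int = 1 << 25):
    """Brute force: a second input with the SAME digest as a FIXED target
    (the "given A find B" setting from the message).

    Returns (b, tries) or None. Expected tries ~ 2^bits, about 10^6 for 20 bits,
    i.e. roughly 2^(bits/2) times more work than the free collision above.
    """
    want = toy_hash(target, bits)
    for i in range(max_tries):
        m = b"alt-%d" % i                      # constructed candidate inputs
        if m != target and toy_hash(m, bits) == want:
            return m, i + 1
    return None


if __name__ == "__main__":
    a, b, n = find_collision()
    print(f"free collision after {n} tries: {a!r} / {b!r} -> {toy_hash(a):#07x}")
    target = b"constructed target document"
    m, n2 = find_second_preimage(target)
    print(f"second preimage of fixed target after {n2} tries: {m!r}")
    print("generic work (log2) for 160-bit SHA-1 (collision, 2nd preimage):",
          generic_work_bits(160))
```

Running it shows the collision turning up after on the order of a thousand candidates while the second preimage of the fixed target needs on the order of a million; scaling the exponents back up to 160 bits is the reason a 2^69 collision result is alarming for signatures over attacker-influenced content but does not, by itself, let anyone forge a match to an existing fixed digest.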
---------------------------------------------------------------------
The Cryptography Mailing List