SHA-1 cracked

John Kelsey kelsey.j at ix.netcom.com
Thu Feb 17 09:57:16 EST 2005


>From: Joseph Ashwood <ashwood at msn.com>
>Sent: Feb 17, 2005 12:15 AM
>To: cryptography at metzdowd.com
>Subject: Re: SHA-1 cracked

>This attack means that we need to begin the process for a quick and painless 
>retirement of SHA-1 in favor of SHA-256/384/512 in the immediate future and 
>begin further preparations to move to Whirlpool and other hashes in the near 
>future. I say this because with MD5 completely broken, SHA-0 effectively 
>completely broken, and SHA-1 showing big cracks, the entire SHA series is in 
>doubt, and needs to be heavily reconsidered, otherwise we're looking at a 
>continuing failure of hash functions apparently in a yearly fashion until we 
>run out of the SHA series.

Yep.  The thing that's interesting here is that the more-or-less obvious fallbacks for SHA1 are RIPE-MD160 and SHA256/512.  But given the pile of bodies in front of Wang's door already (MD4, MD5, Haval, RIPE-MD, SHA0, SHA1), it's hard to have any confidence at all that RIPE-MD160 will survive long.  All the remaining SHA functions are the same, modulo some constants and the wordsize used--SHA512 is just SHA256 using 64-bit words, different constants, and a few more rounds.  So there's really only one SHA function left.  It's different enough from SHA1 that it's plausible Wang's attacks won't work, but I can't see any really strong reason to trust in that.

Whirlpool looks like the best bet for a fallback right now, but it really hasn't seen anything like the amount of analysis I'd like.  This is what it looks like when someone develops a new class of attack that breaks a whole bunch of your available cryptographic primitives in a big hurry.


>                Joe

--John Kelsey

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
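Kelsey's remark above that SHA-512 is "just SHA-256 using 64-bit words, different constants, and a few more rounds" can be checked directly. The following is an added example, not code from this thread or from NIST: one compression function, one padding routine and one constant-derivation rule (fractional parts of square and cube roots of the first primes, as FIPS 180-2 specifies) instantiated three times, for SHA-256, SHA-384 and SHA-512, and cross-checked against Python's hashlib. The parameter class, the function names (Sha2Params, sha2_digest, matches_hashlib) and the sample inputs are this example's own choices.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def first_primes(n: int) -> List[int]:
    """First n primes by trial division (n <= 80 here)."""
    primes: List[int] = []
    cand = 2
    while len(primes) < n:
        if all(cand % p for p in primes if p * p <= cand):
            primes.append(cand)
        cand += 1
    return primes


def iroot(n: int, k: int) -> int:
    """Exact floor(n ** (1/k)) for n >= 0, by binary search on integers."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def frac_root_bits(p: int, k: int, bits: int) -> int:
    """First `bits` bits of the fractional part of p ** (1/k) (the FIPS 180-2 constant rule)."""
    return iroot(p << (k * bits), k) & ((1 << bits) - 1)


@dataclass(frozen=True)
class Sha2Params:
    """Everything that distinguishes one SHA-2 member from another (example's own type)."""
    bits: int                            # word size: 32 or 64
    rounds: int                          # 64 or 80
    big_sigma0: Tuple[int, int, int]     # ROTR amounts for Sigma0 (applied to a)
    big_sigma1: Tuple[int, int, int]     # ROTR amounts for Sigma1 (applied to e)
    small_sigma0: Tuple[int, int, int]   # ROTR, ROTR, SHR for sigma0 (message schedule)
    small_sigma1: Tuple[int, int, int]   # ROTR, ROTR, SHR for sigma1 (message schedule)
    iv_prime_offset: int = 0             # SHA-384 takes its IV from the 9th..16th primes
    out_bytes: int = 0                   # 0 = emit the whole state; SHA-384 keeps 48 bytes

    @property
    def word_bytes(self) -> int:
        return self.bits // 8

    @property
    def block_bytes(self) -> int:
        return 16 * self.word_bytes

    def constants(self) -> Tuple[List[int], List[int]]:
        """IV = frac(sqrt(prime)), K = frac(cbrt(prime)), at this member's word size."""
        primes = first_primes(max(self.rounds, self.iv_prime_offset + 8))
        iv_primes = primes[self.iv_prime_offset:self.iv_prime_offset + 8]
        iv = [frac_root_bits(p, 2, self.bits) for p in iv_primes]
        k = [frac_root_bits(p, 3, self.bits) for p in primes[:self.rounds]]
        return iv, k


def _compress(state, block, P, K):
    """One Merkle-Damgard compression step; the same code runs at both word sizes."""
    w, mask = P.bits, (1 << P.bits) - 1

    def rotr(x, n):
        return ((x >> n) | (x << (w - n))) & mask

    def sig(x, spec, shift_last):  # Sigma/sigma: two ROTRs plus either a ROTR or a SHR
        last = (x >> spec[2]) if shift_last else rotr(x, spec[2])
        return rotr(x, spec[0]) ^ rotr(x, spec[1]) ^ last

    W = [int.from_bytes(block[i * P.word_bytes:(i + 1) * P.word_bytes], "big") for i in range(16)]
    for t in range(16, P.rounds):
        W.append((W[t - 16] + sig(W[t - 15], P.small_sigma0, True)
                  + W[t - 7] + sig(W[t - 2], P.small_sigma1, True)) & mask)

    a, b, c, d, e, f, g, h = state
    for t in range(P.rounds):
        t1 = (h + sig(e, P.big_sigma1, False) + ((e & f) ^ (~e & mask & g)) + K[t] + W[t]) & mask
        t2 = (sig(a, P.big_sigma0, False) + ((a & b) ^ (a & c) ^ (b & c))) & mask
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & mask, c, b, a, (t1 + t2) & mask
    return [(x + y) & mask for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def sha2_digest(msg: bytes, P: Sha2Params) -> bytes:
    iv, K = P.constants()
    length_bytes = 2 * P.word_bytes          # 64-bit length field for SHA-256, 128-bit for SHA-512
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - length_bytes) % P.block_bytes)
    padded += (len(msg) * 8).to_bytes(length_bytes, "big")
    state = iv
    for i in range(0, len(padded), P.block_bytes):
        state = _compress(state, padded[i:i + P.block_bytes], P, K)
    out = b"".join(x.to_bytes(P.word_bytes, "big") for x in state)
    return out[:P.out_bytes] if P.out_bytes else out


SHA256 = Sha2Params(32, 64, (2, 13, 22), (6, 11, 25), (7, 18, 3), (17, 19, 10))
SHA512 = Sha2Params(64, 80, (28, 34, 39), (14, 18, 41), (1, 8, 7), (19, 61, 6))
SHA384 = Sha2Params(64, 80, (28, 34, 39), (14, 18, 41), (1, 8, 7), (19, 61, 6),
                    iv_prime_offset=8, out_bytes=48)


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check all three members against the standard library."""
    return (sha2_digest(msg, SHA256) == hashlib.sha256(msg).digest()
            and sha2_digest(msg, SHA384) == hashlib.sha384(msg).digest()
            and sha2_digest(msg, SHA512) == hashlib.sha512(msg).digest())


if __name__ == "__main__":
    for m in (b"", b"abc", b"x" * 200):   # constructed sample inputs
        print(len(m), "bytes:", matches_hashlib(m))
```

Running it prints True for each input. The point is that `_compress` is a single function: the whole difference between the members is the parameter table at the bottom, and SHA-384 differs from SHA-512 only in which primes seed the IV and how much of the state is emitted. That is why a cryptanalytic result against one member is treated as bearing on the others, which is the substance of Kelsey's "only one SHA function left".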