SHA-1 cracked
John Kelsey
kelsey.j at ix.netcom.com
Thu Feb 17 09:57:16 EST 2005
>From: Joseph Ashwood <ashwood at msn.com>
>Sent: Feb 17, 2005 12:15 AM
>To: cryptography at metzdowd.com
>Subject: Re: SHA-1 cracked
>This attack means that we need to begin the process for a quick and painless
>retirement of SHA-1 in favor of SHA-256/384/512 in the immediate future and
>begin further preparations to move to Whirlpool and other hashes in the near
>future. I say this because with MD5 completely broken, SHA-0 effectively
>completely broken, and SHA-1 showing big cracks, the entire SHA series is in
>doubt, and needs to be heavily reconsidered, otherwise we're looking at a
>continuing failure of hash functions apparently in a yearly fashion until we
>run out of the SHA series.
Yep. The thing that's interesting here is that the more-or-less obvious fallbacks for SHA1 are RIPE-MD160 and SHA256/512. But given the pile of bodies in front of Wang's door already (MD4, MD5, Haval, RIPE-MD, SHA0, SHA1), it's hard to have any confidence at all that RIPE-MD160 will survive long. All the remaining SHA functions are the same, modulo some constants and the wordsize used--SHA512 is just SHA256 using 64-bit words, different constants, and a few more rounds. So there's really only one SHA function left. It's different enough from SHA1 that it's plausible Wang's attacks won't work, but I can't see any really strong reason to trust in that.
Whirlpool looks like the best bet for a fallback right now, but it really hasn't seen anything like the amount of analysis I'd like. This is what it looks like when someone develops a new class of attack that breaks a whole bunch of your available cryptographic primitives in a big hurry.
> Joe
--John Kelsey
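As an added illustration of the point above that SHA-256 and SHA-512 are one design with different parameters (example code written for this page, not from the thread or any library): a single parameterised SHA-2 core reproduces both digests by switching the word size, the round count and the rotation amounts (the rotation amounts also change, which the message above does not mention), with the round constants and initial state derived from the same cube-root and square-root rule; it cross-checks itself against Python's hashlib.

```python
import hashlib
def _iroot(n, k):
    # floor of the integer k-th root of n (Newton's method)
    x = 1 << ((n.bit_length() + k - 1) // k)
    while True:
        y = ((k - 1) * x + n // x ** (k - 1)) // k
        if y >= x:
            return x
        x = y
def _primes(count):
    ps, c = [], 2
    while len(ps) < count:
        ps += [c] if all(c % p for p in ps) else []
        c += 1
    return ps
def _frac_root(p, k, w):
    # first w fractional bits of the k-th root of p: the rule behind both K and H
    return _iroot(p << (k * w), k) & ((1 << w) - 1)
def sha2(msg, w, rounds, big, small):
    """One SHA-2 core: w=32 with 64 rounds is SHA-256, w=64 with 80 rounds is SHA-512."""
    mask, wb = (1 << w) - 1, w // 8
    rotr = lambda x, n: ((x >> n) | (x << (w - n))) & mask
    K = [_frac_root(p, 3, w) for p in _primes(rounds)]  # round constants (cube roots)
    H = [_frac_root(p, 2, w) for p in _primes(8)]       # initial state (square roots)
    block = 16 * wb
    pad = msg + b"\x80" + b"\x00" * ((block - 2 * wb - len(msg) - 1) % block)
    pad += (len(msg) * 8).to_bytes(2 * wb, "big")       # 64- or 128-bit length field
    for off in range(0, len(pad), block):
        W = [int.from_bytes(pad[off + i * wb: off + (i + 1) * wb], "big") for i in range(16)]
        for t in range(16, rounds):  # message schedule: small sigma functions
            s0 = rotr(W[t-15], small[0]) ^ rotr(W[t-15], small[1]) ^ (W[t-15] >> small[2])
            s1 = rotr(W[t-2], small[3]) ^ rotr(W[t-2], small[4]) ^ (W[t-2] >> small[5])
            W.append((W[t-16] + s0 + W[t-7] + s1) & mask)
        a, b, c, d, e, f, g, h = H
        for t in range(rounds):      # compression rounds: big Sigma, Ch, Maj
            S1 = rotr(e, big[3]) ^ rotr(e, big[4]) ^ rotr(e, big[5])
            t1 = (h + S1 + ((e & f) ^ (~e & g)) + K[t] + W[t]) & mask
            S0 = rotr(a, big[0]) ^ rotr(a, big[1]) ^ rotr(a, big[2])
            t2 = (S0 + ((a & b) ^ (a & c) ^ (b & c))) & mask
            a, b, c, d, e, f, g, h = (t1 + t2) & mask, a, b, c, (d + t1) & mask, e, f, g
        H = [(x + y) & mask for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    return b"".join(x.to_bytes(wb, "big") for x in H)

def sha256(msg): return sha2(msg, 32, 64, (2, 13, 22, 6, 11, 25), (7, 18, 3, 17, 19, 10))
def sha512(msg): return sha2(msg, 64, 80, (28, 34, 39, 14, 18, 41), (1, 8, 7, 19, 61, 6))

def matches_hashlib(msg):
    # cross-check the shared core against the library implementations of both digests
    return sha256(msg) == hashlib.sha256(msg).digest() and sha512(msg) == hashlib.sha512(msg).digest()
```

The only inputs that change between the two calls are the parameters, which is the sense in which the thread treats the remaining SHA functions as one design.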
---------------------------------------------------------------------
The Cryptography Mailing List