SHA-1 cracked

Dan Kaminsky dan at doxpara.com
Tue Feb 22 11:51:00 EST 2005


>
> No, that's not what it says. It says that "Note that padding rules
> were not applied to the message." This is exactly the same as the
> previous breaks; it just means that the collision appears in the
> chaining output... if you just append anything at all to the end of
> the texts, and pad it correctly, you will have valid SHA-1 hashes.
> Nothing different here than from the MD4/MD5/SHA-0 breaks.
>
As a couple people saw fit to remind me, arbitrary appending only works
if your two vectors are multiples of the blocksize.  Otherwise, the
padding gets shuffled into the colliding rounds.

If she's specifically saying padding is a problem, then her attack on
SHA-1 cannot adapt to arbitrary input sizes as well as her attack
against MD5.  IOW, she might only be able to create a collision between
two 689 bit files at present time.

> If you look at Phil Hawkes' paper
> <http://eprint.iacr.org/2004/207.pdf>, you will see that the SHA-2s
> are very different algorithms, and my own opinion is that the
> data-expansion part of the algorithm is *seriously* beefed up. My
> guess is that the NSA were already worried about this kind of attack
> (whether they'd found it or not). We don't have a good analysis of the
> data-expansion part, but I'm pretty sure that it'll defeat the Wang
> attacks.

The "word on the street" from Wang herself concurs with your
assessment...she said privately to a couple people that SHA-256/512 were
"seemingly outside of her reach".  Of course, the same people reported
she said "SHA-1 looked like it could be interesting."

It's worth pointing out that we won't know until Eurocrypt how --
precisely -- Wang's attack works.  Until then, it's premature to say
what Wang can and cannot defeat.

--Dan
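
The block-alignment point in the message above, as an added example (not part of the original post or written by anyone in the thread). It uses a toy Merkle-Damgard hash whose 8-byte block, 24-bit chaining value, 16-bit length field and truncated SHA-256 compression function are all assumptions chosen so collisions can be brute-forced in well under a second; it is not SHA-1 and says nothing about Wang's actual attack.

```python
import hashlib
from itertools import count

BLOCK = 8              # toy block size in bytes (SHA-1 uses 64)
STATE = 3              # toy 24-bit chaining value, so collisions are cheap
IV = b"\x00" * STATE

def compress(state: bytes, block: bytes) -> bytes:
    # Stand-in compression function: truncated SHA-256 of state || block.
    return hashlib.sha256(state + block).digest()[:STATE]

def pad(msg: bytes) -> bytes:
    # MD-strengthening: 0x80, zero fill, then the bit length in 2 bytes.
    zeros = (BLOCK - 2 - (len(msg) + 1)) % BLOCK
    bits = (len(msg) * 8 % 65536).to_bytes(2, "big")
    return msg + b"\x80" + b"\x00" * zeros + bits

def chain(data: bytes, state: bytes = IV) -> bytes:
    # Raw chaining output over whole blocks, with no padding applied.
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_hash(msg: bytes) -> bytes:
    return chain(pad(msg))

def find_collision(digest, size: int):
    # Birthday search over constructed `size`-byte counter messages.
    seen = {}
    for n in count():
        m = n.to_bytes(size, "big")
        d = digest(m)
        if d in seen:
            return seen[d], m
        seen[d] = m

def demo() -> dict:
    suffix = b"any common suffix"
    # Case 1: full-block vectors colliding in the chaining output.
    a1, a2 = find_collision(chain, BLOCK)
    # Case 2: 5-byte vectors; the padding sits inside the colliding block.
    u1, u2 = find_collision(toy_hash, BLOCK - 3)
    return {
        "aligned_raw": chain(a1) == chain(a2),
        "aligned_extended": toy_hash(a1 + suffix) == toy_hash(a2 + suffix),
        "unaligned_padded": toy_hash(u1) == toy_hash(u2),
        "unaligned_extended": toy_hash(u1 + suffix) == toy_hash(u2 + suffix),
    }

if __name__ == "__main__":
    print(demo())
```

In the unaligned case the suffix overwrites the padding bytes that the colliding block depended on, so the chaining values diverge and the collision does not survive the append.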

