Slashdot Mirror


SHA-256/384/512 Released

The Right Brute writes "It appears that the successors to the SHA-1 cryptographic digest algorithm have been released. FIPS 180-2 can be found here which I believe is the final version of the SHA-256/384/512 algorithm (it does not appear to have changed since the last draft). I have an implementation that I did as a CWEB literate programming example that might serve as a good companion to the specification."

2 of 22 comments

  1. Re:Algorithm Flaw by ChadN · Score: 3, Insightful

    By truncating the final hash value, you are losing 128 bits of message digest. Now in theory I can therefore change the message content, so long as I ensure that the first 384 bits of the digest remain the same.

    To do this would require trying an impossible amount of random message texts, to find one that hashed the same. Each message (of whatever length) has approximately a 2^(-384) chance of being the same specific hash output. That is about 39402006196394479212279040100143613805079739270465446667948293404245721771497210611414266254884915640806627990306816 to 1 odds against, btw. These cryptographic hashes are attempts at making "one-way functions", such that knowing the output does NOT help in reconstructing the input (or finding an input that produces the same output). They are quite different than hash functions used in a hash table, for example.

    If you COULD do what you suggest (more easily than by trying 2^n calculations, for n>112, typically), then just about all cryptographic protocols in use today would probably crumble.

    But you are correct, a 384 bit hash that was truncated from 512 is almost certainly less secure, but still impossible to spoof unless a shortcut to brute force searching is ever found.

    SHA-1 is 160 bits, and considered more secure by design than MD5 (which is faster), but no one has even found any practical way to spoof MD5 messages (as far as I know).

    Your "corrupt" iso did not have the same MD5 sum as the uncorrupted image, by any fluke. That is simply impossible. More likely there was something else going on.

    And yes, I do mean impossible... I'd bet ~2^120 dollars to your $10 on it (if I had it).

    --
    "It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
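As an added illustration of the argument in the comment above (example code written for this page, not ChadN's text or the story's CWEB implementation): it checks that SHA-384 is not simply the first 48 bytes of SHA-512 (FIPS 180-2 gives SHA-384 its own initial hash values, so the two differ even though the computation is the same), and measures on toy digest widths how the work to match a truncated digest grows as roughly 2^n, which is why the 2^384 figure above is out of reach. All message texts are constructed for the demonstration.

```python
import hashlib
from itertools import count


def sha512_truncated(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-512(data), returned as an integer."""
    digest = int.from_bytes(hashlib.sha512(data).digest(), "big")
    return digest >> (512 - bits)


def sha384_is_plain_truncation(data: bytes = b"abc") -> bool:
    """True only if SHA-384(data) equals the first 384 bits of SHA-512(data).
    FIPS 180-2 starts SHA-384 from different initial hash values, so this is
    False for every input: truncation happens, but of a different final state."""
    sha384 = int.from_bytes(hashlib.sha384(data).digest(), "big")
    return sha384 == sha512_truncated(data, 384)


def odds_against(bits: int) -> int:
    """Expected number of random messages per hit on one specific `bits`-bit digest."""
    return 2 ** bits


def preimage_work(target_msg: bytes, bits: int) -> int:
    """Count constructed candidate messages hashed until one matches target_msg on
    its first `bits` bits. Feasible only for toy widths; the point is to watch the
    count track 2**bits, not to do anything with a real 384-bit digest."""
    target = sha512_truncated(target_msg, bits)
    for n in count(1):
        candidate = b"candidate-%d" % n  # never equal to the b"target-..." messages below
        if sha512_truncated(candidate, bits) == target:
            return n


def mean_preimage_work(bits: int, trials: int) -> float:
    """Average preimage_work over `trials` constructed target messages."""
    total = sum(preimage_work(b"target-%d" % i, bits) for i in range(trials))
    return total / trials


if __name__ == "__main__":
    print("SHA-384 is a plain truncation of SHA-512:", sha384_is_plain_truncation())
    for bits in (4, 8, 12):
        print(f"{bits:2d}-bit digest: expected about {odds_against(bits):5d} tries,"
              f" measured mean {mean_preimage_work(bits, 8):7.1f}")
    print("384-bit odds against one specific digest:", odds_against(384))
```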
  2. Re:May not be patent-free by FattMattP · Score: 3, Insightful
    And as far as that goes, I have no problem at all licensing algorithms for things like this. In many cases-- not all, but many-- your choices are (1) license-free or (2) secure, and the two are mutually exclusive.
    By your logic, it's the licensing that makes the algorithm secure. They are not mutually exclusive. There are algorithms such as Blowfish that are secure and patent and license free. I'm sure there are many others.
    --
    Prevent email address forgery. Publish SPF records for y