Slashdot Mirror


SHA-1 Broken

Nanolith writes "From Bruce Schneier's weblog: 'SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing. The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper announcing their results...'" Note, though, that Schneier also writes "The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team."

20 of 751 comments

  1. Sigh by Anonymous Coward · · Score: 5, Funny

    And I just got done upgrading from MD5.

    1. Re:Sigh by dasunt · · Score: 4, Funny

      About a month ago, I needed a mechanism for password hashes.

      After some research, I decided that SHA1 was more secure than MD5.

      So I hunted down some good public domain SHA1 code, read through it, and added it to my code.

      Thanks /.!

    2. Re:Sigh by Frymaster · · Score: 3, Funny
      -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

      A mechanism to find collisions does not affect SHA-1's strength as a password hashing algorithm or its use in a hashed message authentication code. So you'll be just fine.Z

      really? well, i'm not the real frymaster. what do you say to that?

      -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) iD8DBQFCEsqV7Kzi+hL3je0RAl7iAJ41SsgjgwMvrS5+1OLLYp pYkXUPOgCgzSQS c42DLVAjebLYs2VTPkT/iIc= =8699 -----END PGP SIGNATURE-----

    3. Re:Sigh by B3ryllium · · Score: 4, Funny

      You do realize, of course, that the recent preponderance of IRC-controlled botnets and such could easily be applied to a computational challenge such as this?

      Imagine tens of thousands of way-overpowered virus-infected 3GHz Dell machines chewing through the data?

      Then imagine a beowulf cluster of those.

  2. Prison. by Seumas · · Score: 5, Funny

    A lot of companies and products use SHA1 in some form or another. Does this mean that we can arrest and imprison these "researchers" if they ever step foot in America?

  3. Oh great... by randori82 · · Score: 3, Funny

    Time to change the VPN policies

  4. Time to switch.... by Anonymous Coward · · Score: 4, Funny

    ... to SHA-2!

  5. Time to start a panic by psetzer · · Score: 4, Funny

    If you don't switch to the newest, latest hashing algorithm, you will die horribly when your corrupted emacs RPM performs malicious code!!! Everyone, delete everything and log off of the Internets now!!! We're all gonna die!!! HELP!!!

    --
    "Anyone who attempts to generate random numbers by deterministic means is living in a state of sin." -- John von Neumann
  6. I Can See Bruce Now.... by Alan Hicks · · Score: 3, Funny

    Bruce sits at his desk, reading over the encrypted e-mail sent to him about breaking SHA-1, when a loud scream echoes from his office:

    I JUST SENT OUT MY NEWSLETTER THIS MORNING!

    --
    Slackware, what else when it must be secure, stable, and easy?
  7. Re:Well... by all+your+mwbassguy+a · · Score: 5, Funny

    thank god ROT-13 will never be cracked.

  8. Re:Well... by Wavicle · · Score: 3, Funny

    I noticed using ROT-2 gave what looked like a kinda-close decryption of ROT-13. So I started trying ROT-3, then ROT-4, I got as far as ROT-12 before I got bored and gave up, but it was showing great promise!

    --
    Education is a better safeguard of liberty than a standing army.
    Edward Everett (1794 - 1865)
  9. Re:Well... by flatface · · Score: 5, Funny

    That's nothing. ROT-26 offers the best encryption as of yet!

  10. Re:Well... by tonsofpcs · · Score: 5, Funny

    I can't read your post, it seems to be encrypted in that new ROT-26 scheme.

  11. better yet-- by bodrell · · Score: 4, Funny

    What someone really ought to do is use ROT-7.5 twice to decrypt ROT-13.

    --
    If life gives me a beating, I'll put up with it. If life gives me a beating, I'll shake it awake.
    1. Re:better yet-- by isometrick · · Score: 5, Funny

      7.5? 13? I'm guessing you aren't the one who broke SHA-1 ... :-p

    2. Re:better yet-- by SpaceLifeForm · · Score: 4, Funny

      Someone found that ROT-6.5 works better.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  12. Re:Well... by Jugalator · · Score: 3, Funny

    I think ROT-65536 would work even better, especially for Unicode.

    --
    Beware: In C++, your friends can see your privates!
  13. Hah! by Hobbex · · Score: 4, Funny

    That is nothing. This post has been encrypted with an unbreakable one-time-pad! TWICE!

  14. Well whatever it is... by cmacb · · Score: 4, Funny

    I hope they get it fixed soon.

  15. unpublished paper reveals unspecified hole by snorklewacker · · Score: 3, Funny

    At least they gave the algorithm. If their synopsis is indicative of the paper, they illustrate that SHA-1 has collisions, and collisions can be discovered through the awesomely sophisticated technique of brute force. Pardon me while I dust off my bomb shelter.

    Let's wait for the actual paper. If it takes more CPU power to force a collision within a year than the whole of what IBM sells in that year, I think that the hash is doing its job...

    --
    I am no longer wasting my time with slashdot