Slashdot Mirror

← Back to Stories (view on slashdot.org)

SHA-1 Broken

Posted by timothy on from the sha-na-na dept.

Nanolith writes "From Bruce Schneier's weblog: 'SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing. The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper announcing their results...'" Note, though, that Schneier also writes "The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team."

4 of 751 comments (clear)

  1. Re:Info on what exactly SHA-1 is ... by interiot · · Score: 5, Interesting

    So SHA-1 was created by the NSA, and was broken nine years after it was released. Is there any chance that the NSA knew it had a secret weakness, and promoted it for that specific reason?

  2. So what's the big deal for the rest of us? by beaststwo · · Score: 5, Interesting
    I've been reading about hash collisions for the last few years and haven't figured out why this is a crisis problem.

    I'm not a cryptographer, just a nerdy engineer, but let me explain my rationale: a hash algorithm takes an arbitrary message and generates a fixed-length signature that has a high probability (10**50 or better for most modern algorithms) of being the original.

    Let's assume that your hash algorithm generates a 128-bit hash. Anyone who knows anything about probability can see that is the original message is greater than 128 bits, there MUST be more than one message that will generate the same hash. For long messages, there may be thousands or millions of messages out of a filed of 10**50 (or better) that have the same hash, although many of them will be meaningless garbage.

    So SHA-1 has been broken by a group of cryptographers/mathematicians. Does this really mean that they can generate can alter any message in a way that will generate the same hash as the original, thus fooling the math that we use to validate content? No Way! I read Bruce Scheier's Cryptogram every month and he often makes the same argument.

    So yes, this means that from a long-term systems security standpoint, we should all move to stronger hashes. Does it mean that SHA-1-based transactions are inherently secure right now?

    I think not!

  3. Unfortunately the SHA series seems to be suspect by jd · · Score: 5, Interesting
    The Hashing Function Lounge lists other problems with the SHA functions:


    • (R04) V. Rijmen, "Update on SHA-1", accepted for CT-RSA'2005
    • P. Hawkes, M. Paddon, G. G. Rose, "On Corrective Patterns for the SHA-2 Family", Cryptology ePrint Archive, Report 2004/207


    If this definite break is confirmed, I think we will need to conclude that the entire family is suspect for any genuinely important purpose.


    There are a bunch of hashing algorithms on the Hashing Function Lounge that are listed as having no known attacks. At present, the most widespread is Whirlpool. I think it likely that one of these will replace SHA as the hashing function of choice in major cryptographic areas.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. Re:Info on what exactly SHA-1 is ... by Ninja+Programmer · · Score: 5, Interesting
    DES had a weakness nobody but the NSA knew about, so they recommended changes to it without saying the reasons for them. years later an attack was found against DES, but the NSA changes prevented it from being useful. Why would they change their tune to SHA-1?


    You know, of course, that the NSA did the same thing with SHA right? The original algorithm submitted was SHA-0, then the NSA recommended an unexplained minor change.

    Last August SHA-0 was broken, so their tweak appears to have added about 6 months of extra life for SHA-1.