SHA-1 Broken

Schneier Weblog ^ | 02-16-2005 | Bruce Schneier

[zeugma]

February 15, 2005

SHA-1 Broken

SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.

The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper describing their results:

• collisions in the the full SHA-1 in 2**69 hash operations, much less than the brute-force attack of 2**80 operations based on the hash length.

• collisions in SHA-0 in 2**39 operations.

• collisions in 58-round SHA-1 in 2**33 operations.

This attack builds on previous attacks on SHA-0 and SHA-1, and is a major, major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a hash function for digital signatures (although it doesn't affect applications such as HMAC where collisions aren't important).

The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team.

More details when I have them.

[rit]

Unlike others, I appreciate you posting this. Your average freeper will not likely understand the impact, and that is OK. It's like the person who owns a car and does no maintenance themselves... the just put gas in it and it goes.... People expect the net to work and the mechanics (the IT community) to fix whatever is wrong and move forward.

[PatriotCJC]

Does PKI use this?

[MindBender26]

>More details when I have them.

Can't want!

Live Long and Prosper

[Taylor42]

I thought we were talking about the Chinese space program...

[pghkevin]

Sha-Na-Na?

[JoeV1]

I thought SHA-0 and SHA-1 were kaput even back to their inception. The tripole phase cross delta inverters were proved impractical years ago.

Not in every case. When the cross delta inverters are first conjoined with an inverse wave capilator and then fed thru binary phase transducers, the effect is that of obviating the pre inductive plane generators usually necessary in this sort of operation.

[Mad Dawgg]

"I thought SHA-0 and SHA-1 were kaput even back to their inception. The tripole phase cross delta inverters were proved impractical years ago."

Well, I heard they are all obsolete because of the flux capacitor.

[One Proud Dad]

My family switched to the pig latin protocol this morning.

[dfwgator]

WE'RE DOOMED!!!

[Honor above all]

Is that like Sha-wing? Cause if my sha-wing is broken I can't see any reason to go on. Party on Garth.

[FoxPro]

Companies that use SHA-1 for deferential backups will be in big trouble if true. They will have to move on to MD5, what a huge hassle.

[BigDaddyTX]

Never put your elbow in your ear.

[FoxPro]

What does Windows use for its passwords?

[DainBramage]

How can one fathom such topics and still think of sex every 18 seconds?

[Sender]

Pre-inductive plane generators (PPG's) haven't been used for years, are you kidding? We're talking about an actual flaw in the hash algorithm. You assume it will always come out with more potatoes than corned beef, but obviously we were blinded in our false sense of security.

If this report is indeed true, we may be talking about the fallibility of the Benelux axiom itself.

[BigDaddyTX]

Who can tell me where this came from?

"Never go out in the rain with your socks on."

[The Real J Fate]

It's Carter's fault for withdrawing support! Now the evil Khomeini-666 algorithm will be taking over.

[ctdonath2]

Bump for interest.

While it's mostly babble to most people, cryptography is what makes a lot of our digital society possible (especially the "cashless society" aspect), and breaking major codes is of great concern.

[Petronski]

Me fail English? That's unpossible!

[Southack]

Just wait until they learn that RSA isn't secure, either. Suckers...