----- Original Message ----- From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
Subject: SHA-1 cracked

It's probably not a practical
threat today, since it takes 2^69 operations to do it

I will argue that the threat is realizable today, and highly practical. It is well documented that in 1998 RSA Security's DES Challenge II was broken in 72 hours by $250,000 worth of custom machine. Scale this forward to today, and with $500,000 worth of custom equipment, 2^69 is not out of reach for 3 days' worth of work. So assuming that your attackers are smallish businesses, you have 3 days of security; against large businesses with a vested interest in breaking your security, you are looking at minutes, if not seconds, before a break.

While most uses of SHA-1 actually end up searching for collisions against fixed outputs (e.g. given A, find B such that A<>B and SHA1(A) == SHA1(B)), this attack does not immediately cause the collapse of all e-commerce.

This attack means that we need to begin the process for a quick and painless retirement of SHA-1 in favor of SHA-256/384/512 in the immediate future and begin further preparations to move to Whirlpool and other hashes in the near future. I say this because with MD5 completely broken, SHA-0 effectively completely broken, and SHA-1 showing big cracks, the entire SHA series is in doubt, and needs to be heavily reconsidered, otherwise we're looking at a continuing failure of hash functions apparently in a yearly fashion until we run out of the SHA series.

Trust Laboratories
Changing Software Development

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]