Chip Salzenberg <[EMAIL PROTECTED]> wrote:
>> Similarly, we should avoid SHA-1 for any permanent purpose, though in
>> the short term it's not quite dead yet.  No one has demonstrated an
>> ability to create SHA-1 collisions on demand (as far as I've heard,
>> anyway), but SHA-1 is "a wounded fish in shark-infested waters"[*], and
>> an MD5-scale failure may be just a matter of time.

My understanding is that the best attack on SHA-1 can find two
plaintexts with the same hash value in 2^63 operations.  (Brute force
for this is 2^80 operations; cryptographers consider 2^64 to be
practical, although it'd still take tremendous resources to attack in
any reasonable time.)  The attacker has to control both plaintexts; he
can't use this attack to find a collision for an existing plaintext.

For an example attack, imagine that Parrot has a security scheme in
which extra privileges are granted to code by signing a SHA-1 hash of
the code with a particular key.  (Public-key signing is so slow that
hashes are always used with digital signatures.)  This attack means
that, in 2^63 operations, an attacker could generate two pieces of
bytecode with the same hash value.  If he could get one of them signed
(say, the one that draws pictures of cute kittens on the screen), he
could then attach its signature to the other one (say, the one that
installs a rootkit and sends all your credit cards to Russia).

Note, however, that the attacker needs to control *both* plaintexts.
Finding a collision for bytecode in the standard libraries would still
require a brute-force attack.

Basically, SHA-1 isn't a problem for us yet, but it's looking weak.

> I'm getting the feeling that the real lesson is that any hash header
> system we build will require pluggable hash algorithms, because
> anything we pick as strong today may be broken tomorrow (or in ten
> years).

From what I've read, that was one of the conclusions of NIST's recent
hash workshop.  (The other is that cryptographers need to do a lot of
theoretical work on hashing--they don't really know how to design a
strong algorithm yet.)

--
Brent 'Dax' Royal-Gordon <[EMAIL PROTECTED]>
Perl and Parrot hacker

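The two points Brent makes above (a collision attack lets an attacker who
controls both blobs move a signature from a harmless one to a malicious one,
while a fixed, already-signed blob still needs a far more expensive
second-preimage search) can be run end to end on a toy scale.  The following
is an added example, not Parrot code and not from the thread: the hash is
SHA-1 truncated to 32 bits (a constructed stand-in for a weak hash, so the
birthday search costs about 2^16 hashes instead of 2^80), the "signature" is
an HMAC over the digest under a made-up key (a stand-in for a public-key
signature over the digest; the property that matters is that the signature
depends only on the digest), and the bytecode blobs are made-up byte strings.

```python
"""Toy demonstration: a hash collision moves a sign-the-digest signature
from one plaintext to another, but does not help against an already
signed, attacker-independent plaintext.

Added example, not Parrot code.  Everything named here is constructed:
the truncated hash, the HMAC "signature", the key and the blobs.
"""
import hashlib
import hmac

TRUNC_BITS = 32                               # toy width: birthday bound ~2**16, not ~2**80
SIGNING_KEY = b"parrot-demo-signing-key"      # hypothetical signer secret


def toy_digest(data: bytes) -> bytes:
    """Weak hash: SHA-1 output truncated to TRUNC_BITS bits (constructed stand-in)."""
    return hashlib.sha1(data).digest()[:TRUNC_BITS // 8]


def sign(code: bytes) -> bytes:
    """The signer hashes the bytecode and signs only the digest, as the thread describes.
    HMAC stands in for a public-key signature over the digest."""
    return hmac.new(SIGNING_KEY, toy_digest(code), hashlib.sha256).digest()


def verify(code: bytes, signature: bytes) -> bool:
    """Verifier recomputes the digest and checks the signature over it."""
    return hmac.compare_digest(sign(code), signature)


def find_collision(prefix_a: bytes, prefix_b: bytes, budget: int):
    """Birthday search: the attacker controls BOTH plaintexts and varies a
    trailer on each until one from each side shares a digest.  Expected cost
    is about 2**(TRUNC_BITS/2) hashes per side.  Returns (a, b) or None."""
    table = {}
    for i in range(budget):
        a = prefix_a + b"\n; nonce %d" % i
        table[toy_digest(a)] = a
    for i in range(budget):
        b = prefix_b + b"\n; nonce %d" % i
        a = table.get(toy_digest(b))
        if a is not None:
            return a, b
    return None


def find_second_preimage(target: bytes, prefix: bytes, budget: int):
    """Attacker tries to match the digest of an EXISTING, fixed blob.  Expected
    cost is 2**TRUNC_BITS hashes, so with the same budget this almost surely fails."""
    want = toy_digest(target)
    for i in range(budget):
        cand = prefix + b"\n; nonce %d" % i
        if cand != target and toy_digest(cand) == want:
            return cand
    return None


# Constructed stand-ins for bytecode blobs.
KITTENS = b"PBC: draw_kittens"
ROOTKIT = b"PBC: install_rootkit; exfiltrate_cards"
LIBRARY = b"PBC: standard_library_v1"         # already signed; attacker cannot alter it


def demo(budget: int = 1 << 18) -> dict:
    """Run the attack on the toy hash and report what the verifier accepts."""
    pair = find_collision(KITTENS, ROOTKIT, budget)
    if pair is None:                           # probability ~e**-16 at this budget
        raise RuntimeError("no collision within budget; retry with a larger budget")
    kittens, rootkit = pair
    sig = sign(kittens)                        # the signer approves the harmless blob
    return {
        "digests_equal": toy_digest(kittens) == toy_digest(rootkit),
        "full_sha1_equal": hashlib.sha1(kittens).digest() == hashlib.sha1(rootkit).digest(),
        "rootkit_verifies": verify(rootkit, sig),          # signature carried over
        "library_forged": find_second_preimage(LIBRARY, ROOTKIT, budget) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

The second loop of find_collision is what the 2^63 figure in the thread
buys the attacker: he only needs two blobs that hash alike, not a match for a
specific digest.  The toy uses a generic birthday search; the real SHA-1
attack is a differential cryptanalysis result, but the consequence for a
sign-the-digest scheme is the same.  Note that since this thread was written,
a practical SHA-1 collision was published in 2017, so the "not quite dead
yet" caveat no longer holds.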