Re: which hash function is secure?

newstome_at_comcast.net
Date: 06/01/05

Date: Tue, 31 May 2005 20:32:08 -0500

Icebreaker <srimadhava@gmail.com> wrote:
> Well as for your question on SHA-1 , here is an excerpt from
> cryptogram.
>
> ====
> SHA-1 has been broken. Not a reduced-round version. Not a simplified
> version. The real thing.
>
> The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu
> (mostly from Shandong University in China) have been quietly
> circulating a paper describing their results:
>
> collisions in the full SHA-1 in 2**69 hash operations, much less
> than the brute-force attack of 2**80 operations based on the hash length.
>
> collisions in SHA-0 in 2**39 operations.
>
> collisions in 58-round SHA-1 in 2**33 operations.
>
> This attack builds on previous attacks on SHA-0 and SHA-1, and is a
> major, major cryptanalytic result: the first attack faster than
> brute-force against SHA-1.

It's important to remember, however, that even with this weakness,
SHA-1 is still more secure than MD5 would have been if it had been
perfect. And people weren't too terribly concerned about MD5 before
the weakness was discovered in it (not too much, anyway).

I wouldn't use MD5 for any new project today. The break was for
finding a pair of colliding inputs, which doesn't affect all uses (or
even the majority of uses) of MD5, but it was a significant enough
break that I don't have much confidence in MD5 any more.

SHA-1 still seems reasonably OK, but I'd seriously consider moving to
something else for new designs. The only problem with SHA-256, for
example, is that it's a huge hash. If you can afford to transmit 32
bytes of digest, then it's a good choice. But I'm not sure I'd want
to do that for, say, a MAC that's added to every packet I transmit.

Which makes me wonder this: What if you just took the first 160 (or
even 128) bits of SHA-2 as your hash? Would that be a reasonable hash
function? Better than using SHA-1 for 160 bits?

-- 
That's News To Me!
newstome@comcast.net
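The truncation the post asks about, as an added example in Python that is not part of the original thread: taking the leading 160 or 128 bits of SHA-256, and, for the per-packet MAC case the post mentions, the leading bits of HMAC-SHA-256, with a constant-time verifier. The key and message are constructed for the demo. Generic attacks on a truncated output are bounded by its length (about 2^(n/2) work for a collision and 2^n for a preimage), so a 160-bit truncation of SHA-256 sits at the 2^80 collision level the quoted excerpt gives for SHA-1, and the 2^69 attack quoted above is specific to SHA-1's structure and does not carry over to SHA-256. One caveat the last function demonstrates: the standardized short SHA-2 variants (SHA-224, and later SHA-512/256) are not plain truncations, because they use distinct initial values. RFC 2104 permits truncating HMAC output, and RFC 4868 standardizes HMAC-SHA-256 truncated to 128 bits for IPsec.

```python
import hashlib
import hmac

# Constructed sample inputs for the demo (not from the original post).
MESSAGE = b"packet payload: seq=42, len=1200"
KEY = b"constructed-demo-key-0123456789"


def _check_bits(bits: int) -> None:
    """Accept only whole-byte truncations of a 256-bit digest."""
    if bits % 8 or not 0 < bits <= 256:
        raise ValueError("bits must be a positive multiple of 8, at most 256")


def truncated_sha256(data: bytes, bits: int) -> bytes:
    """Leading `bits` bits of SHA-256(data): the construction the post asks about.

    Generic collision cost is ~2^(bits/2), generic preimage cost ~2^bits, so
    160 bits gives the 2^80 collision bound quoted for SHA-1, 128 bits gives 2^64.
    """
    _check_bits(bits)
    return hashlib.sha256(data).digest()[: bits // 8]


def truncated_hmac_sha256(key: bytes, data: bytes, bits: int) -> bytes:
    """HMAC-SHA-256 tag truncated to the leading `bits` bits.

    RFC 2104 section 5 allows truncating the HMAC output; RFC 4868 uses the
    128-bit form for IPsec. Both sides must agree on the same truncation.
    """
    _check_bits(bits)
    return hmac.new(key, data, hashlib.sha256).digest()[: bits // 8]


def verify_truncated_hmac(key: bytes, data: bytes, tag: bytes, bits: int) -> bool:
    """Verify a truncated tag without leaking timing about where it differs.

    The length check matters: a verifier that accepts a shorter tag than it
    expects silently lowers the security level to that shorter length.
    """
    expected = truncated_hmac_sha256(key, data, bits)
    if len(tag) != len(expected):
        return False
    return hmac.compare_digest(expected, tag)


def sha224_is_plain_truncation(data: bytes) -> bool:
    """True only if SHA-224(data) equals the first 224 bits of SHA-256(data).

    It never is: SHA-224 uses different initial hash values, so truncating
    SHA-256 yourself is a different function from the standardized variant.
    """
    return hashlib.sha224(data).digest() == truncated_sha256(data, 224)


if __name__ == "__main__":
    print("SHA-256/160:", truncated_sha256(MESSAGE, 160).hex())
    tag = truncated_hmac_sha256(KEY, MESSAGE, 128)
    print("HMAC-SHA-256-128 tag:", tag.hex())
    print("verify original :", verify_truncated_hmac(KEY, MESSAGE, tag, 128))
    print("verify tampered :", verify_truncated_hmac(KEY, MESSAGE + b"!", tag, 128))
    print("SHA-224 == SHA-256 truncated?", sha224_is_plain_truncation(MESSAGE))
```

The tag length a receiver accepts should be fixed by the protocol, not inferred from what arrives on the wire; otherwise the 128-bit or 160-bit level you chose for the packet MAC is only as strong as the shortest tag the verifier is willing to take.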
