Hi everybody:

Bruce Schneier said it best on his blog (dated 18 Feb 2005):

==============================================================================
Earlier this week, three Chinese cryptographers showed that SHA-1 is not collision-free. That is, they developed an algorithm for finding collisions faster than brute force.

SHA-1 produces a 160-bit hash. That is, every message hashes down to a 160-bit number. Given that there are an infinite number of messages that hash to each possible value, there are an infinite number of possible collisions. But because the number of possible hashes is so large, the odds of finding one by chance are negligibly small (one in 2^80, to be exact). If you hashed 2^80 random messages, you'd find one pair that hashed to the same value. That's the "brute force" way of finding collisions, and it depends solely on the length of the hash value. "Breaking" the hash function means being able to find collisions faster than that. And that's what the Chinese did. They can find collisions in SHA-1 in 2^69 calculations, about 2,000 times faster than brute force. Right now, that is just on the far edge of feasibility with current technology.

...

For the average Internet user, this news is not a cause for panic. No one is going to be breaking digital signatures or reading encrypted messages anytime soon. The electronic world is no less secure after these announcements than it was before.
==============================================================================

Basically, SHA1 is broken in the mathematical sense in that the Chinese cryptographers developed a method to find SHA1 collisions in only 2^69 calculations on average, which is 2048 times faster than the brute force method of finding one in 2^80 calculations. So we are only talking about a 3 orders of magnitude decrease in the cost of finding SHA1 collisions compared to brute force. Of course, having a method that finds, in 2^69 calculations, a second message with the same SHA1 hash as a first message does not mean that the second message would be of any use to an attacker/forger. Although this work is brilliant, it does not mean that, at this point, digital signatures, certificates, and SSL/TLS handshaking that use SHA1 hashing are no longer secure.

Additional SHA1 compromises would need to be found before attackers/forgers have a method to generate useful messages that have the same SHA1 hash as a known message. So we are safe for now against attackers/forgers having a method of generating blocks of data that can be added to a message so that it SHA1 hashes to a known message. But there is an old saying inside the NSA: "Attacks always get better; they never get worse." So although digital signatures, certificates, and SSL/TLS handshaking using SHA1 hashing are still secure for now, it is time to find and use better hashing algorithms that do not have the vulnerabilities that MD* & SHA* have.

Alicia.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
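As an added illustration of the two cost figures discussed above (this is example code written for this page, not part of Alicia's post, Schneier's blog, or the OpenSSL project): the "brute force" collision search Schneier describes is a birthday attack whose cost is about sqrt(pi/2 * 2^n) hashes for an n-bit hash, i.e. roughly 2^(n/2), and it only yields a pair of messages the attacker chose together. Producing a *second* message that matches a *known* message's hash (a second preimage, which is what a forger of an existing signature would need) costs about 2^n by brute force. Full SHA-1 is 160 bits, so the script truncates the digest to a small n to make both searches finish in seconds; the `msg-N` candidate messages and the `known` target are constructed inputs, and the 16/24/32-bit sizes are arbitrary choices for the demonstration.

```python
import hashlib
from math import pi, sqrt


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-1(data) as an int.

    This stands in for an n-bit hash so the searches below are cheap;
    the cost formulas scale the same way for the real 160-bit SHA-1.
    """
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def expected_collision_tries(bits: int) -> float:
    """Expected hashes before a birthday collision: about sqrt(pi/2 * 2^n)."""
    return sqrt(pi / 2 * 2 ** bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-"):
    """Brute-force collision search (attacker controls BOTH messages).

    Hashes constructed messages prefix+counter until two of them share
    a truncated hash. Returns (m1, m2, hashes_computed).
    """
    seen = {}  # truncated hash -> message that produced it
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_sha1(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


def second_preimage(target: bytes, bits: int, prefix: bytes = b"msg-"):
    """Brute-force second-preimage search (attacker must match a KNOWN message).

    Each try succeeds with probability 2^-n, so ~2^n hashes are expected:
    the square of the birthday cost. Returns (m2, hashes_computed).
    """
    want = truncated_sha1(target, bits)
    i = 0
    while True:
        m = prefix + str(i).encode()
        i += 1
        if m != target and truncated_sha1(m, bits) == want:
            return m, i


if __name__ == "__main__":
    # Collisions: cost grows like 2^(n/2).
    for n in (16, 24, 32):
        m1, m2, tries = birthday_collision(n)
        print(f"{n}-bit collision: {m1!r} vs {m2!r} after {tries} hashes "
              f"(expected ~{expected_collision_tries(n):.0f})")

    # Second preimage of a known message: cost grows like 2^n, so only
    # the 16-bit case is practical here (~65536 hashes).
    m2, tries = second_preimage(b"known", 16)
    print(f"16-bit second preimage of b'known': {m2!r} after {tries} hashes "
          f"(expected ~{2 ** 16})")
```

The point to take from the numbers: the 32-bit collision lands after roughly 80,000 hashes (2^16-ish), while even the 16-bit second preimage costs about 65,000 hashes; at 32 bits the second-preimage search would need around four billion. The Wang et al. result improves the first kind of search (2^80 down to 2^69) and says nothing about the second, which is why a collision-finding method alone does not let anyone forge a signature over a message they did not choose.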