Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

SHA-1 Broken

Posted by timothy on Tue Feb 15, 2005 10:25 PM
from the sha-na-na dept.
Encryption Security IT
Nanolith writes "From Bruce Schneier's weblog: 'SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing. The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper announcing their results...'" Note, though, that Schneier also writes "The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

SHA-1 Broken 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Sigh (Score:5, Funny)

    by Anonymous Coward on Tuesday February 15 2005, @10:26PM (#11685458)
    And I just got done upgrading from MD5.

    • Re:Sigh (Score:5, Funny)

      by dasunt (249686) on Tuesday February 15 2005, @10:34PM (#11685544)

      About a month ago, I needed a mechanism for password hashes.

      After some research, I decided that SHA1 was more secure than MD5.

      So I hunted down some good public domain SHA1 code, read through it, and added it to my code.

      Thanks /.!

      • Not a problem (yet) (Score:5, Informative)

        by Spy Hunter (317220) on Tuesday February 15 2005, @10:52PM (#11685701) Journal
        For password hashes this attack shouldn't be a problem, if it is as described in the article. The attack does only one thing: allows an attacker to generate two streams of data which hash to the same value. This is a problem for digital signatures, because somebody can sign one data stream, then distribute another with the same signature. So the signature doesn't guarantee the data has not been modified. However, this attack does not allow an attacker to magically deduce your password from its hash, or even generate another password that would hash to the same value as yours. So you don't need to immediately jump up and replace SHA-1 wherever you use it.

        OTOH, this attack indicates that other types of attacks may be found sooner than was previously thought. So it is still a good idea to move away from SHA-1 in the medium to long term. Though it's not entirely clear what you should move to. And it is not certain that more attacks will be found soon.

  • Info on what exactly SHA-1 is ... (Score:5, Informative)

    by Hulkster (722642) on Tuesday February 15 2005, @10:27PM (#11685462) Homepage
    For those interested, here is the actual detailed/lengthy FIPS PUB 180-1 from NIST, [nist.gov] as typical, Wikipedia has a nice summary, [wikipedia.org] and the W3 Folks [w3.org] have a short snippet ...

    • Re:Info on what exactly SHA-1 is ... (Score:5, Interesting)

      by interiot (50685) on Tuesday February 15 2005, @10:34PM (#11685541) Homepage
      So SHA-1 was created by the NSA, and was broken nine years after it was released. Is there any chance that the NSA knew it had a secret weakness, and promoted it for that specific reason?

      • Re:Info on what exactly SHA-1 is ... (Score:5, Interesting)

        by OverlordQ (264228) on Tuesday February 15 2005, @11:16PM (#11685843) Journal
        DES had a weakness nobody but the NSA knew about, so they recommended changes to it without saying the reasons for them. years later an attack was found against DES, but the NSA changes prevented it from being useful. Why would they change their tune to SHA-1?

      • Re:Info on what exactly SHA-1 is ... (Score:5, Interesting)

        by pchan- (118053) on Tuesday February 15 2005, @11:26PM (#11685915) Journal
        So SHA-1 was created by the NSA, and was broken nine years after it was released. Is there any chance that the NSA knew it had a secret weakness, and promoted it for that specific reason?

        I don't know about this, but when SHA (the Secure Hash Algorithm) was submitted as an approved algorithm for government use, the NSA reviewed it and suggested a minor change. That modified algorithm is what we now know as SHA-1. It was a few years before public-sector cryptographers caught on to what the significance of the changes was (I wish I could explain it, but it is beyond me).

      • Re:Info on what exactly SHA-1 is ... (Score:5, Insightful)

        by ftobin (48814) * on Tuesday February 15 2005, @11:38PM (#11685992) Homepage
        SHA-1 is not used for encryption, it is used for message authentication. Part of the NSA's mandate is to secure government traffic; it would gain little from promoting a broken digest algorithm. It arguably might have an interest in promoting a broken encryption algorithm, but SHA-1 is used for digital signatures.

        • Re:Info on what exactly SHA-1 is ... (Score:5, Insightful)

          by Anonymous Coward on Tuesday February 15 2005, @10:52PM (#11685700)
          Any encryption scheme that lasts about 10 years has given a pretty good service I would think.
          SHA-1 is not an encryption scheme, it's a cryptographic one-way hash function.

          There's a significant difference.

  • Prison. (Score:5, Funny)

    by Seumas (6865) on Tuesday February 15 2005, @10:29PM (#11685496)
    A lot of companies and products use SHA1 in some form or another. Does this mean that we can arrest and imprison these "researchers" if they ever step foot in America?

  • Time to start a panic (Score:5, Funny)

    by psetzer (714543) on Tuesday February 15 2005, @10:29PM (#11685500)
    If you don't switch to the newest, latest hashing algorithm, you will die horribly when your corrupted emacs RPM performs malicious code!!! Everyone, delete everything and log off of the Internets now!!! We're all gonna die!!! HELP!!!

  • Brought to You By (Score:5, Informative)

    by z0ink (572154) on Tuesday February 15 2005, @10:29PM (#11685504)
    Same group of people that found the MD5 Hash Collision. Self [slashdot.org] references [slashdot.org] and the MD5 paper [iacr.org].

  • US Secure Hash Algorithm 1 (Score:5, Informative)

    by NEOtaku17 (679902) on Tuesday February 15 2005, @10:32PM (#11685532) Homepage

    SHA-1 Hash Algorithm [ietf.org] and Source Code [cr0.net].

  • Bittorrent? (Score:5, Interesting)

    by oman_ (147713) on Tuesday February 15 2005, @10:35PM (#11685562) Homepage
    Is it time to update bittorrent?
    How hard is it going to be for people to provide garbage data with correct SHA-1 hashes to screw up downloads?

  • Broken, but not for everything... (Score:5, Insightful)

    by JM (18663) on Tuesday February 15 2005, @10:39PM (#11685599) Homepage
    One collision in 2**69 operations... that's quite minimal...

    Sure, for signatures, it means that you can't trust the algorithm 100% anymore.

    But for storing passwords, and other operations where collisions are not important, it doesn't matter much, even if there's another password that can generate the same hash, you still need to brute-force it.

  • So what's the big deal for the rest of us? (Score:5, Interesting)

    by beaststwo (806402) on Tuesday February 15 2005, @10:42PM (#11685615)
    I've been reading about hash collisions for the last few years and haven't figured out why this is a crisis problem.

    I'm not a cryptographer, just a nerdy engineer, but let me explain my rationale: a hash algorithm takes an arbitrary message and generates a fixed-length signature that has a high probability (10**50 or better for most modern algorithms) of being the original.

    Let's assume that your hash algorithm generates a 128-bit hash. Anyone who knows anything about probability can see that is the original message is greater than 128 bits, there MUST be more than one message that will generate the same hash. For long messages, there may be thousands or millions of messages out of a filed of 10**50 (or better) that have the same hash, although many of them will be meaningless garbage.

    So SHA-1 has been broken by a group of cryptographers/mathematicians. Does this really mean that they can generate can alter any message in a way that will generate the same hash as the original, thus fooling the math that we use to validate content? No Way! I read Bruce Scheier's Cryptogram every month and he often makes the same argument.

    So yes, this means that from a long-term systems security standpoint, we should all move to stronger hashes. Does it mean that SHA-1-based transactions are inherently secure right now?

    I think not!

    • Re:So what's the big deal for the rest of us? (Score:5, Insightful)

      by iabervon (1971) on Tuesday February 15 2005, @11:35PM (#11685970) Homepage Journal
      It is still probably difficult (hard to say without looking at the paper) for someone to find a different document with the same hash as a document you create, but it's now not all that hard to find a pair of documents with the same hash. Someone could give you a document to sign, and get your signature on a different document. Also, IIRC for previous work by this group, the attack applies to chosen pairs of documents with sufficient "random" padding; you can search for a padding for each to generate a hash collision.

      Essentially, don't sign anything that someone else has given you without changing it in some way, or your signature might also apply to some other document they have chosen.
  • The Hashing Function Lounge [terra.com.br] lists other problems with the SHA functions:


    • (R04) V. Rijmen, "Update on SHA-1", accepted for CT-RSA'2005
    • P. Hawkes, M. Paddon, G. G. Rose, "On Corrective Patterns for the SHA-2 Family", Cryptology ePrint Archive, Report 2004/207 [iacr.org]


    If this definite break is confirmed, I think we will need to conclude that the entire family is suspect for any genuinely important purpose.


    There are a bunch of hashing algorithms on the Hashing Function Lounge that are listed as having no known attacks. At present, the most widespread is Whirlpool. I think it likely that one of these will replace SHA as the hashing function of choice in major cryptographic areas.

    • Re:Well (Score:5, Informative)

      by Anthony Liguori (820979) on Tuesday February 15 2005, @11:05PM (#11685786) Homepage
      Had to happen, didn't it?

      No algorithm is all-powerful - it only withstands attacks for so long.

      No, it didn't. In fact, this is the most important problem in CS. The theory is that there are certainly problems where checking a solution is easy (2 and 3 are unique factors of 6 because it's easy to see that 2*3 == 6) but where the only possible way to find the solution given the answer is to compute the solution for every possible answer.

      It's not been proven whether hashing is this type of problem (whether it's NP-complete). Moreover, it's never been proven that there isn't a solution for problems we think are NP.

      What's more, it *has* been proven that once we find a solution to an NP-complete problem we'll instantly have solutions for *every* NP-complete problem.

      • Re:Yeah... (Score:5, Informative)

        by Ctrl-Z (28806) <tim@timcoleman.RABBITcom minus herbivore> on Tuesday February 15 2005, @10:46PM (#11685650) Homepage Journal
        Well, no. Not exactly. SHA-1 is supposed to be a one-way function, meaning that you can't just reverse the operation. So you can't just "crack" it like solving an equation.

        I'm not sure if you are talking about retrieving the original file from the hash, but if you are, then you don't understand what hash functions are for. In this case, there are an infinite number of combinations of bytes that have the same SHA-1 hash. The goal is to find one that has the same hash value, regardless of whether it is actually the same file. SHA-1 is not a cipher.

    • Re:Damn it (Score:5, Informative)

      by psetzer (714543) on Tuesday February 15 2005, @11:00PM (#11685754)
      It's still not really practically breakable unless this is something bigger than what I'm guessing. SHA-0 was broken a few months ago, and MD5 a while before that. What does it mean for you? Not much.

      Some attacker would have to be REALLY dedicated to use this vulnerability to harm you, and they would still require hideous amounts of processor time to mount an effective attack. Digests are a quick and easy way to verify that some message or file is correct. If the hash is signed as well, then you can verify the sender, too. When you download something like a Linux ISO, there is often another file on the server containing the hashes of the files, so you can verify that everything downloaded correctly. If you want to make sure that nobody other than a trusted person modified the files, then that trusted person could encrypt the digest with their private key, allowing anybody with their public key to verify that everything's correct.

      A person can, with a broken hash, create another ISO file, perhaps with malicious code inserted, that has the same digest, meaning you can no longer trust the signed digest. Let's say that this vulnerability reduces the average time needed to find a collision from 2^48 tries via the Birthday paradox (If this isn't a 96-bit hash, then I really need to get more sleep) to 2^32 tries. That's over 65,000 times faster, but you know why I'm not worried? That's still over 4,000,000,000 ISO files that the attacker would have to try before hitting on one that's got the wanted characteristics and the correct digest to boot, and if it requires equivalent memory usage to its time usage, then I'd expect it to use at least 48 gigabytes of memory to store all of the previous attempted hashes. If it takes 15 seconds to compute one digest, then you're looking at a mere 2,000 processor years to find a vulnerability, compared to the much more comfortable 130,000,000 processor years that it would have required using the brute force method.

      Feel better now? If I really got mixed up, and was wrong about the size, then just multiply all the listed times by 2^32, and wake me in 8 trillion AD.

      • Re:Hmm (Score:5, Informative)

        by infiniti99 (219973) <justin@affinix.com> on Tuesday February 15 2005, @11:10PM (#11685805) Homepage
        sha1 and md5 are generally considered so weak that they should only be used to combat error or accidents, not fraud.

        Not true. SHA-1 is the hashing algorithm of practically all common security standards. It's found in SSL/TLS, X.509, PGP (the protocol, not the program, so that means GPG also!), S/MIME, etc. In other words... everything. Replacing this is going to suck. :(

    • Re:May be a big deal... (Score:5, Informative)

      by ajs (35943) <ajs&ajs,com> on Tuesday February 15 2005, @11:19PM (#11685868) Homepage Journal
      if I understand correctly, SHA-1 is a similiar algorithm to MD5, which is commonly used to uniquely identify files

      You do not quite understand correctly. MD5 and SHA-1 are hashing algorithms, and as such it is expected (and accepted) that there are collisions. That is, you might find that your /etc/passwd and /bin/ls files have the same MD5 hash. The value in MD5 and other such hashes is that the probability of that happening is so remote that as a first approximation, comparing hashes is just as good as comparing files.

      That is, you can either keep a backup copy of your filesystem to compare against or you can keep a list of hashes, and mathematically, all this "break" has demonstrated is that the chances are 1:590295810358705651712 not 1:1208925819614629174706176 of a collision. In other words, don't lose sleep.

      Now, for secure cryptographic signatures, the implications are much more unpleasant. It's not the end of the world, but this is that big red light that says: switch to SHA-512 (or something equally secure) ASAP!

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.