SHA-1 Broken 751
Nanolith writes "From Bruce Schneier's weblog: 'SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing. The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper announcing their results...'" Note, though, that Schneier also writes "The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team."
Well (Score:1, Insightful)
No algorithm is all-powerful - it only withstands attacks for so long.
The strength of the algorithm lies in how long it can stand up - to attacks and to future technologies.
Re:Broken or not? (Score:2, Insightful)
It is when Bruce Schneir says so.
Re:Hmm (Score:3, Insightful)
Is it so hard to look it up? [wikipedia.org]
Re:Hmm (Score:1, Insightful)
Sure. SHA-1 is something you could and should look up, thereby gaining an answer more quickly, and not wasting the time of others in a techinical forum.
Next week: How to find the number for 911.
Re:Hmm (Score:2, Insightful)
Re:Sigh (Score:3, Insightful)
Maybe its easier to upgrade from SHA1 than it was from MD5.
Broken, but not for everything... (Score:5, Insightful)
Sure, for signatures, it means that you can't trust the algorithm 100% anymore.
But for storing passwords, and other operations where collisions are not important, it doesn't matter much, even if there's another password that can generate the same hash, you still need to brute-force it.
Comment removed (Score:3, Insightful)
Re:Broken, but not for everything... (Score:4, Insightful)
It's an assurance, that's all. The only guarantee is a one-time pad, and Bruce Schneier's website is full of info on why these aren't practical!
Re:And they scoffed at my continued reliance on MD (Score:4, Insightful)
Re:Info on what exactly SHA-1 is ... (Score:5, Insightful)
There's a significant difference.
Re:Unfortunately the SHA series seems to be suspec (Score:1, Insightful)
The thing I use these hash algorithms for the most is generating unique ID's without having to think about it too much. I don't believe I am alone either; I don't do a lot of cryptography. Still, I'd like to have a better understanding of the properties of each algorithm, and the class of activities it is good for. A chart along these lines would be neat: "algorithms good for file verification", "algorithms good for password hashing", " algorithms good for higher security needs".
If we start to think of hash algorithms in terms of functional classes, it will be easier to develop drop-in replacements for each of them (something we will need as algorithms keep getting bumped off of the "acceptable" list).
Re:Let me be the first to say... (Score:2, Insightful)
No. The composition of two compromized functions isn't going to solve anything.
Re:Info on what exactly SHA-1 is ... (Score:2, Insightful)
I don't think the NSA would gain a lot from a weakness in a secure hash algorithm. In an encryption algorithm, yes, but not a secure hash algorithm.
Re:Well (Score:3, Insightful)
That any algorithm is vulnerable to brute-force attacks is totally uninteresting. It's a given in cryptography that given encrypted data, you can try all the possible keys, or re-hash lots of data, until you find one that works. It's up to you to pick a key long enough that it will take anyone else an impractically long time to crack it.
Now, that has nothing to do with this article. These guys are alleging that SHA-1 can be defeated significantly faster than brute-force. This would be a defect in the algorithm and potentially a bad thing. So did this "have to happen"? No, absolutely not. Some algorithms are provably secure for certain purposes.
Re:Bittorrent? (Score:2, Insightful)
There, now it reads more like what will probably happen.
Re:So what's the big deal for the rest of us? (Score:5, Insightful)
Essentially, don't sign anything that someone else has given you without changing it in some way, or your signature might also apply to some other document they have chosen.
Is it that bad? (Score:4, Insightful)
In order for the time to be something to be concerned about (~10 years), you would need a machine capable of doing 1.87e12 hashing operations per second. Thats 1.87 TRILLION hashing operations per second.
Ah, but what about distributed computing?
Let's assume that there are 1 billion desktop computers working on this project. Then they must be able to do 1870 hashing operations per second. This is a ridiculously large number for today's implementations (mine gets 100 per second, most could do about twice that).
So is it bad? Somewhat. Further breaks could make it worse.
We should move away from SHA-1. But this isn't not the end of the world.
Re:Info on what exactly SHA-1 is ... (Score:5, Insightful)
Re:Not a problem (yet) (Score:5, Insightful)
Maybe you don't realise where he is coming from.
With a digital signature, you can easily have knowledge of the signed message (input to message digest function) and thus change the message while retaining the signature.
With a hashed password, you don't have access to the password (input to message digest function).
The hashed password would require figuring out the password so as to allow changing it to make the same hash. This requires going the wrong way against this one way hash algorithm. If you were able to do this, then you would not bother generating an equivalent password, because you would know the original.
I think the point is, that the one way nature of SHA-1 might still be strong. Meaning digital signatures are weak, but hashed passwords are not.
There is no logic flaw in his comment.
Re:Bittorrent? (Score:4, Insightful)
Judging from what's been said about how difficult it is to break SHA-1 even with this discovery, I would think it's fine for now, but a new hash should probably be included with BitTorrent2.
Re:Both statements are fine -- salt explained (Score:5, Insightful)
Re:Sigh (Score:5, Insightful)
Whirlpool paper: an eye opener. (Score:1, Insightful)
Anyway, you guys should check that paper out: This is a link to their page. [terra.com.br] Good stuff.
Something else that's nagging me about SHA-1 (and the other SHA family members). Call me paranoid or whatever you like, but we all know the NSA has had the best hardware on the planet for a long time, probably more than just a few razor sharp minds come through (money does talk from time to time), and well, it just does sit plausible with me that a 'perfect' hashing algorithm (or any other for that matter) would be released to the public by the NSA. Let 'em have this flawed one, see what they do with it, can they can break it, see if they break it, if they do, release the next in line of closer-but-not-the-real-deal algos. Just
Re:Info on what exactly SHA-1 is ... (Score:3, Insightful)
It's almost as if the man had a NYT Best seller creating mad-lib.
His Idea of character development is giving them a disability, or a tweed coat
Re:I'm still content with SHA-1 and DES (Score:1, Insightful)
There is technology public available now (FPGAs ) that makes it possible to crack DES today (in way less than 3 months computing time) if you spend the $15K on hardware...
Re:Info on what exactly SHA-1 is ... (Score:2, Insightful)
Melissa
Re:Well (Score:2, Insightful)
It's not been proven whether hashing is this type of problem (whether it's NP-complete). Moreover, it's never been proven that there isn't a solution for problems we think are NP.
What's more, it *has* been proven that once we find a solution to an NP-complete problem we'll instantly have solutions for *every* NP-complete problem.
Your example doesn't really make too much sense, and your definition of NP-complete is purely wrong. There are easily demonstrable problems that are not NP-complete where you have to compute the solution for every possible answer, because they are not even in NP to begin with. Example: "If I removed a city from a set of cities in the traveling salesman problem, which city removal would cause the largest reduction in the shortest path length?" In this problem, each possible "answer" (to use your terminology) is NP-complete, thus yielding a non-NP and therefore non-NP-complete solution (unless P==NP).
Furthermore, an NP-complete problem is not unsolvable as you state -- in fact, to be labeled as NP-complete, a solution has to be known. The solution must be formed in terms of a polynomial-time "reduction" from another NP-complete problem. To be NP-complete means merely that the only known solutions would require a non-deterministic "computer" to solve them in polynomial time. As we don't exactly have such machines sitting around, we have to rely on non-polynomial solutions.
Now if we can figure out a way to compute an NP-complete problem in deterministic polynomial time, then all NP-complete problems will be able to be solved in deterministic polynomial time (since all NP-complete problems are declared NP-complete by relating them to each other). But there was always a known solution.
Re:Time to switch.... (Score:1, Insightful)
Not quite. SHA-224 and SHA-256 are based on the same algorithm (with some very minor tweaks), and SHA-384 and SHA-512 are related to each other in the same way, but SHA-256 and SHA-512 aren't the same algorithms. Very close in many ways, but some major differences (just to throw out an obvious one, SHA-256 uses 32 bit operations internally, SHA-512 uses 64 bit operations).
And there is no key length here, as these are all hashes.
Question for you (Score:1, Insightful)
Re:So what's the big deal for the rest of us? (Score:3, Insightful)
Re:Hmm (Score:3, Insightful)
Do you have any evidence for that? SSL, PGP and NTLM all depend on them, as far as I know.
Re:Cryptographic break =/= practical break (Score:5, Insightful)
I might be paranoid but it wouldn't be inconceivably difficult for **AA to upload single blocks of corrupted data and destroy every torrent as it streams, they certainly have the resources.
Don't panic! 'Broken' is not Cracked (Score:5, Insightful)
MD5 was 'broken' in 1995 by Hans Dobbertin who discovered compressor function collisions. It was almost another 10 years before the compressor function collisions were turned into an attack which produced hash collisions.
So there is a serious security problem here but it does not mean that everything that uses SHA-1 is now vulnerable. There are many applications where MD5 is completely adequate. If you have a really good reason to do so and a really good understanding of the security requirements and risks you can use even something like MD2.
Today paul Kocher complained that Microsoft was using MD5 in its anti-spyware to identify known bad software. This is not actually a major problem, much worse would be using MD5 to identify known good software to keep, that is when a collision would bite. For known bad programs well i don't want any variant of the program to run...
But if you are writing an entirely new application then use SHA-256 or SHA-512, more rounds, more bits.
Meanwhile we need to research some new hash functions pronto.
Re:Cryptographic break =/= practical break (Score:3, Insightful)
they certainly have the resources.
No, they don't. Not unless (until?) the attack is improved significantly.
In the first place, the attack is a collision attack, not a pre-image attack. That means that it's still necessary to hash, on average 2^159 blocks to find a match to a given block in a given download. They can improve that by looking for a match to any block in a given download, and improve it further by looking to match any block in any download, but it's still going to be computationally infeasible. And I mean computationally infeasible for anyone, even someone with vastly more computing resources than the RIAA.
Second, even if it were a pre-image attack, it requires 2^69 hash operations to succeed. That's still a very large number. Even if they were searching for any of a million blocks in parallel (looking for one match out of a whole bunch of song blocks), and even if their machines could test a million per second, and they had a thousand machines working on it, they would still need on the order of 2^19 seconds per match found, which means they'd find one song per year that they could corrupt a portion of. That's a lot of expense for very little return.
And the attack doesn't allow it anyway.
Your warez and your pirated movies and music are safe.
Re:Don't panic! 'Broken' is not Cracked (Score:3, Insightful)
Differentials in SHA-256 can be found with the new techniques.
The problem is with the new differential attack our Chinese friends discoverd. Fidning differentials through addition mod 2^32.
SHA-256 uses the same. For now, yes, it's safe. But as of right now, the crypto community is hugerly trying to build new hashs with more complex compression function chaining. Whirlpool is an example of this newer view on hash functions.
It's based heavily on AES's core operations which would make me feel uneasy. Diversity in the underlying techniques for crypto algos is exemplified here by how just about every hash we use today fell because of a lack of diversity.
In short:
- Use SHA-256 for now.
- In 2-3 years, upgrade to whatever becomes the standard, it'll be stronger than SHA-256
Please define "broken" (Score:3, Insightful)