MD5 and SHA cracked/broken...

Paul Rubin http
Sat Sep 11 14:16:28 EDT 2004


mlh at furu.idi.ntnu.no (Magnus Lie Hetland) writes:
> Basically, at Crypto 2004 preliminary papers were presented that
> pointed out weaknesses in MD5, SHA-0 and SHA-1. As far as I can tell,
> MD5 is broken and SHA-1 seems to be in a precarious position (even
> though I don't know the details at all).

MD5 and SHA-0 had collisions found.  The attack works against about
half the rounds in SHA-1, but that's not anything to worry about
unless it can be extended.  I'd stop short of calling SHA-1 "precarious".

> Perhaps it would be appropriate to add a note, warning or "See also"
> to the library documentation for the md5 and sha modules?

Yes, certainly for md5.

> Does anyone understand enough crypto-speak to figure out how
> problematic this all is, and what applications should be avoided?

md5 should not be used in new applications.  That's been known for a
long time.  SHA-1 is still ok.

> Also -- are there any alternative one-way functions that are still
> considered safe, and that could be useful as Python modules (in place
> of, perhaps, md5 and sha)?

There are new NIST hash functions, SHA-256, SHA-384, and SHA-512, whose
output is 256, 384, or 512 bits long, respectively, instead of 160
bits for SHA-1 or 128 bits for md5.  There are implementations
floating around and they should probably be added to the Python library.
It's most logical to just add them to the existing sha module.
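An added example, not code from the post above: the SHA-2 functions Paul
mentions did land in Python's standard library (the hashlib module, Python
2.5 and later), so this shows them used the way the reply recommends for
new applications. The allowlist of SHA-256/384/512 and the helper names
(digest, digest_bits, verify, output_widths) are this example's own
choices, and the input b"abc" is the standard NIST test vector.

```python
import hashlib
import hmac

# Allowlist chosen for this example: the three SHA-2 functions the post names
# and their output widths in bits. md5 is deliberately absent, matching the
# advice that it should not be used in new applications.
SHA2_FAMILY = {"sha256": 256, "sha384": 384, "sha512": 512}


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data under one of the allowed SHA-2 functions.

    Anything outside the allowlist (md5, sha1, ...) is rejected up front so
    a typo or an old default cannot silently pick a weak function.
    """
    if algorithm not in SHA2_FAMILY:
        raise ValueError(
            f"{algorithm!r} is not on the allowlist {sorted(SHA2_FAMILY)}"
        )
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm: str) -> int:
    """Output width in bits, read from hashlib rather than from a table."""
    return hashlib.new(algorithm).digest_size * 8


def verify(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Check data against a stored digest in constant time.

    hmac.compare_digest avoids the early-exit timing leak of a plain ==,
    and lower() lets a stored uppercase hex string match.
    """
    return hmac.compare_digest(digest(data, algorithm), expected_hex.lower())


def output_widths() -> dict:
    """Cross-check the widths the post quotes: 256/384/512 vs 160 and 128."""
    names = ["md5", "sha1", "sha256", "sha384", "sha512"]
    return {name: digest_bits(name) for name in names}


if __name__ == "__main__":
    sample = b"abc"  # constructed input: the NIST test vector
    for name in SHA2_FAMILY:
        print(f"{name}: {digest(sample, name)}")
    print(output_widths())
    try:
        digest(sample, "md5")
    except ValueError as exc:
        print("rejected:", exc)
```

hashlib.new() accepts the same algorithm names as the module-level
constructors (hashlib.sha256 and friends), which makes an allowlist keyed
by name the simplest place to enforce which functions a code base is
allowed to use.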


