SHA1 broken

Paul Rubin http
Tue Feb 15 22:48:32 EST 2005


FYI.
From <http://www.schneier.com/blog/archives/2005/02/sha1_broken.html>:

    The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu
    (mostly from Shandong University in China) have been quietly
    circulating a paper announcing their results:

        * collisions in the full SHA-1 in 2**69 hash operations, much
          less than the brute-force attack of 2**80 operations based on
          the hash length.

        * collisions in SHA-0 in 2**39 operations.

        * collisions in 58-round SHA-1 in 2**33 operations.
        ...

This is the same group that broke MD5 a few months ago and so this is
probably real.  It doesn't immediately turn everyone's applications
insecure (2**69 operations is still more than the 2**64 operations
that it takes to break MD5 by brute force) and, if it's like the MD5
result, it finds only free rather than targeted collisions.  So don't panic.

Nonetheless I think Python should add SHA256/SHA384/SHA512 to the
stdlib for 2.4, and new applications should use them instead of SHA1
even though they're slower.  These are the new NIST hash algorithms
announced when AES was standardized.  Their design is a bit different
from SHA1 and probably more likely to resist this type of attack.
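An added illustration of the arithmetic behind the post (example code, not from the post or the Schneier article): the brute-force collision cost of an n-bit hash is the birthday bound 2**(n/2), so 2**80 for SHA-1's 160 bits, while a targeted (second-preimage) search costs about 2**n. Real SHA-1 is far out of reach, so the functions below run the same two searches on a truncated SHA-1 of a few dozen bits; the truncation width and message formats are the example's own choices.

```python
import hashlib


def brute_force_collision_log2(digest_bits: int) -> float:
    """Birthday bound: generic collision cost is 2**(n/2) hash operations."""
    return digest_bits / 2


def truncated_digest(data: bytes, bits: int, algorithm: str = "sha1") -> int:
    """First `bits` bits of the named hash, as an int (toy-sized hash for demonstration)."""
    digest = hashlib.new(algorithm, data).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def find_free_collision(bits: int, algorithm: str = "sha1"):
    """Free collision: any two distinct inputs with the same truncated digest.
    Birthday search, expected cost about 2**(bits/2) evaluations.
    Returns (msg_a, msg_b, evaluations)."""
    seen = {}  # truncated digest -> first message that produced it
    counter = 0
    while True:
        msg = f"msg-{counter}".encode()  # constructed, distinct inputs
        h = truncated_digest(msg, bits, algorithm)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def find_targeted_collision(target: bytes, bits: int, algorithm: str = "sha1",
                            limit: int = 1 << 24):
    """Targeted collision (second preimage): an input other than `target` with the
    same truncated digest. Expected cost about 2**bits evaluations, i.e. the square
    of the free-collision cost. Returns (msg, evaluations) or (None, evaluations)."""
    want = truncated_digest(target, bits, algorithm)
    for counter in range(limit):
        msg = f"second-{counter}".encode()  # constructed candidate inputs
        if msg != target and truncated_digest(msg, bits, algorithm) == want:
            return msg, counter + 1
    return None, limit


if __name__ == "__main__":
    a, b, n_free = find_free_collision(24)
    print(f"free collision on 24 bits after {n_free} hashes: {a!r} {b!r}")
    m, n_targeted = find_targeted_collision(b"original document", 16)
    print(f"targeted collision on 16 bits after {n_targeted} hashes: {m!r}")
```

On 24 bits the free collision typically needs a few thousand hashes, while the targeted search on only 16 bits already needs tens of thousands; the same gap is what separates the 2**69 result from a 2**80-class brute-force or a targeted attack on full SHA-1.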
