Popular Cryptographic Hash Function Possibly Broken
from the uh-oh dept
Last summer, there were rumors swirling that some researchers had figured out how to break SHA-1, a widely-used cryptographic hash function. While it wasn’t quite what was advertised, it was clear that some researchers were getting closer, and now Bruce Schneier is reporting that SHA-1 has been broken. If true, then it could require quite a bit of effort to change old systems that rely on it, and could present quite a bit of pain for certain companies.
Comments on “Popular Cryptographic Hash Function Possibly Broken”
Chinese cryptographers
The authors of the latest paper are for the most part the same team from Shandong University who wrote the papers on hash collisions from this past August.
Previously only the expected collision issue in SHA-0 was confirmed (along with MD4, MD5, and the original RIPEMD), this new paper appears to actually demonstrate fatal flaws in SHA-1.
Re: Chinese cryptographers
So MD5 is broken as well? I think those are the two choices offered by Microsoft’s code signing tools last time I checked.
Re: Re: Chinese cryptographers
MD5 isn’t so much broken as flawed for some purposes. SHA-1 now shows flaws of its own.
But let’s be clear: both have utility even in their flawed form. MD5 is computationally quick but not tremendously precise; SHA-1 is more precise, but more computationally taxing.
Both are used heavily by backup software makers: see backuppc.sourceforge.net for interesting discussion of the use of MD5 (and work-arounds for its limitations).