[16933] in cryptography@c2.net mail archive


Re: SHA-1 cracked

daemon@ATHENA.MIT.EDU (John Kelsey)
Tue Feb 22 11:32:25 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 17 Feb 2005 09:57:16 -0500 (GMT-05:00)
From: John Kelsey <kelsey.j@ix.netcom.com>
Reply-To: John Kelsey <kelsey.j@ix.netcom.com>
To: Joseph Ashwood <ashwood@msn.com>, cryptography@metzdowd.com

>From: Joseph Ashwood <ashwood@msn.com>
>Sent: Feb 17, 2005 12:15 AM
>To: cryptography@metzdowd.com
>Subject: Re: SHA-1 cracked

>This attack means that we need to begin the process for a quick and painless 
>retirement of SHA-1 in favor of SHA-256/384/512 in the immediate future and 
>begin further preparations to move to Whirlpool and other hashes in the near 
>future. I say this because with MD5 completely broken, SHA-0 effectively 
>completely broken, and SHA-1 showing big cracks, the entire SHA series is in 
>doubt, and needs to be heavily reconsidered, otherwise we're looking at a 
>continuing failure of hash functions apparently in a yearly fashion until we 
>run out of the SHA series.

Yep.  The thing that's interesting here is that the more-or-less obvious fallbacks for SHA1 are RIPE-MD160 and SHA256/512.  But given the pile of bodies in front of Wang's door already (MD4, MD5, Haval, RIPE-MD, SHA0, SHA1), it's hard to have any confidence at all that RIPE-MD160 will survive long.  All the remaining SHA functions are the same, modulo some constants and the wordsize used--SHA512 is just SHA256 using 64-bit words, different constants, and a few more rounds.  So there's really only one SHA function left.  It's different enough from SHA1 that it's plausible Wang's attacks won't work, but I can't see any really strong reason to trust in that.

Whirlpool looks like the best bet for a fallback right now, but it really hasn't seen anything like the amount of analysis I'd like.  This is what it looks like when someone develops a new class of attack that breaks a whole bunch of your available cryptographic primitives in a big hurry.


>                Joe

--John Kelsey
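
Kelsey's point that SHA512 is SHA256 with 64-bit words, different constants and more rounds can be checked directly. The following parameterized implementation is an added example, not code from the thread or from either author: a single SHA-2 core instantiated twice, with the initial values and round constants derived from the fractional parts of the square and cube roots of the first primes, as the specification defines them; hashlib is used only as a cross-check.

```python
import hashlib

def primes(n):                           # first n primes, for the constant derivation
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps

def frac_root(p, k, bits):
    """First `bits` bits of the fractional part of p**(1/k), via an exact integer root."""
    target, lo, hi = p << (k * bits), 0, 1 << (bits + 8)
    while lo < hi:                       # binary search for floor(target ** (1/k))
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= target else (lo, mid - 1)
    return lo & ((1 << bits) - 1)

def sha2(msg, bits, rounds, big, small):
    """Generic SHA-2 core: bits = word size, rounds = schedule length,
    big = rotations for Sigma0/Sigma1, small = (rot, rot, shift) for sigma0/sigma1."""
    mask = (1 << bits) - 1
    rotr = lambda x, n: ((x >> n) | (x << (bits - n))) & mask
    H = [frac_root(p, 2, bits) for p in primes(8)]       # IV: sqrt of first 8 primes
    K = [frac_root(p, 3, bits) for p in primes(rounds)]  # round constants: cbrt of primes
    bs, lb = 2 * bits, bits // 4                         # block bytes 64/128, length field 8/16
    pad = msg + b'\x80'
    pad += b'\x00' * ((-len(pad) - lb) % bs) + (8 * len(msg)).to_bytes(lb, 'big')
    for off in range(0, len(pad), bs):
        w = [int.from_bytes(pad[off + i * bits // 8: off + (i + 1) * bits // 8], 'big') for i in range(16)]
        for i in range(16, rounds):                      # message schedule
            s0 = rotr(w[i-15], small[0][0]) ^ rotr(w[i-15], small[0][1]) ^ (w[i-15] >> small[0][2])
            s1 = rotr(w[i-2], small[1][0]) ^ rotr(w[i-2], small[1][1]) ^ (w[i-2] >> small[1][2])
            w.append((w[i-16] + s0 + w[i-7] + s1) & mask)
        a, b, c, d, e, f, g, h = H
        for i in range(rounds):                          # compression rounds
            S1 = rotr(e, big[1][0]) ^ rotr(e, big[1][1]) ^ rotr(e, big[1][2])
            t1 = (h + S1 + ((e & f) ^ (~e & g)) + K[i] + w[i]) & mask
            S0 = rotr(a, big[0][0]) ^ rotr(a, big[0][1]) ^ rotr(a, big[0][2])
            t2 = (S0 + ((a & b) ^ (a & c) ^ (b & c))) & mask
            a, b, c, d, e, f, g, h = (t1 + t2) & mask, a, b, c, (d + t1) & mask, e, f, g
        H = [(x + y) & mask for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    return b''.join(x.to_bytes(bits // 8, 'big') for x in H)

# The two surviving SHA-2 shapes: same code, different word size, constants, rounds and rotations.
def sha256(m): return sha2(m, 32, 64, ((2, 13, 22), (6, 11, 25)), ((7, 18, 3), (17, 19, 10)))
def sha512(m): return sha2(m, 64, 80, ((28, 34, 39), (14, 18, 41)), ((1, 8, 7), (19, 61, 6)))

def matches_hashlib(m):                  # cross-check against the library implementation
    return sha256(m) == hashlib.sha256(m).digest() and sha512(m) == hashlib.sha512(m).digest()
```

Everything that differs between the two instantiations is in the two one-line definitions, which is the structural sameness the message describes; a cryptanalytic technique that exploits the common round structure rather than specific constants is what makes that worrying.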

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
