Crypto researchers break SHA-1

It's official

  • alert
  • submit to reddit

Build a business case: developing custom apps

Long rumored and now official, the popular SHA-1 hashing algorithm has been attacked successfully by researchers in China and the US. A collision has been discovered in the full version in 269 hash operations, making it just possible to mount a successful brute-force attack with the most powerful machines available today.

This is by no means a disaster in practical terms, as the amount of computational power and mathematical insight needed to perform a successful attack is still great. But SHA-1 has been demonstrated not to be beyond the reach of current supercomputers, as had previously been believed, or at least hoped. Theoretically, 280 operations should be necessary to find a collision.

By using reduced-round versions of the algorithm, and the team's technique, it was possible to attack SHA-1 in fewer than 233 operations. Using the same technique, the full SHA-0 could be attacked in 239 operations.

SHA-1 is regarded as more secure than MD5, in which collisions were found last year by some of the people who reported the recent discovery. Also last year, collisions were found in SHA-0 by a French team.

The researchers in the latest effort, Xiaoyun Wang and Hongbo Yu from Shandong University and Yiqun Lisa Yin from Princeton University, have released a paper briefly outlining their findings. The technical details will be released in the near future. Wang and Yu were part of the team that discovered the weakness in MD5.

Hashing is a one-way cryptographic function. It differs from encryption in that the original input creating the hash should not be recoverable under any circumstances, whereas in encryption, the original input is meant to be recovered, albeit under tightly controlled circumstances. Hashing is used in many applications, from passwords and other authentication schemes, to digital signatures and certificates, to creating checksums used to validate files.

Ideally, no two inputs would create the same hash. However, in the real world this inevitably happens, and when it does, it's called a collision. Finding a collision is a matter of brute-force hashing until two different inputs are found to create the same output. This could, with considerable effort, be used to forge certificates and signatures.

Still, in practical terms, things are not as bad as they might seem. Collisions are irrelevant in a number of crypto implementations, and in those where they are relevant, the trick is to keep them ahead of the practical computing resources required to find them. The chief consequence of these discoveries is that there is now a degree of uncertainty about whether a digital signature, say, is authentic, because it is not impossible for a duplicate to be created. But it's also not likely to happen, either, at least with current technology. Indeed, collisions notwithstanding, the algorithm remains the strongest element of most crypto implementations. It would be wise to approach any encryption or hashing scheme as a fine boost in security that can never be trusted one hundred per cent. Which is exactly how every security scheme should be approached.

The US National Institute of Standards and Technology (NIST) has recently begun recommending that government phase out SHA-1 in favor of SHA-256 and SHA-512.

NIST security technology group manager William Burr was recently quoted in Federal Computer Week saying that, "SHA-1 is not broken, and there is not much reason to suspect that it will be soon."

NIST had been recommending that SHA-1 be phased out by 2010. It looks as if that date will have to be tweaked just a bit. ®

Related stories

Number crunching boffins unearth crypto flaws

Is SSL safe?

Crypto attack against SSL outlined

Weak crypto casts shadow over ecommerce

109-bit Elliptic Curve Cryptography knocked over with brute force

US.gov plans DES's retirement

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
prev story


7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?