Opened 15 years ago
Closed 15 years ago
#11167 closed (duplicate)
migrate sha-1 to sha-2
Reported by: | ubuntu_demon | Owned by: | nobody |
---|---|---|---|
Component: | Uncategorized | Version: | 1.0 |
Severity: | | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I believe it's time to migrate from sha-1 to sha-2.
Motivation:
from http://csrc.nist.gov/groups/ST/hash/policy.html :
"
NIST's Policy on Hash Functions
March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols."
from http://en.wikipedia.org/wiki/Sha-1#SHA-1 :
"
In February 2005, an attack by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu was announced.[15] The attacks can find collisions in the full version of SHA-1, requiring fewer than 2^69 operations. (A brute-force search would require 2^80 operations.)
[...]
Cameron McDonald, Philip Hawkes and Josef Pieprzyk presented a hash collision attack with complexity 2^52 at the Rump session of Eurocrypt 2009"
From http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html :
"But there's an old saying inside the NSA: "Attacks always get better; they never get worse." Just as this week's attack builds on other papers describing attacks against simplified versions of SHA-1, SHA-0, MD4, and MD5, other researchers will build on this result. The attack against SHA-1 will continue to improve, as others read about it and develop faster tricks, optimizations, etc. And Moore's Law will continue to march forward, making even the existing attack faster and more affordable."
I believe it's just a matter of time (years?) for an attack to be announced which finds collisions in SHA-1 in 2^39 operations (the current state of SHA-0).
This is a duplicate of #5600.
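The ticket asks for a migration from SHA-1 to SHA-2, which in practice means continuing to accept digests already stored under SHA-1 while writing everything new under SHA-256 and re-hashing old records as their secrets are next presented. The following is an added example of that pattern; it is not Django's code and not part of the ticket. The `algo$salt$hexdigest` record layout, the function names, and the use of `hashlib`, `hmac` and `secrets` are assumptions made for the example, and the plain salt||secret construction only demonstrates the algorithm swap, not a password-stretching KDF.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed record layout for this example (not the project's own format): "algo$salt$hexdigest".
# SHA-1 is accepted only to verify records written before the migration;
# every new record, and every re-hashed one, uses SHA-256.
LEGACY_ALGO = "sha1"
CURRENT_ALGO = "sha256"
ACCEPTED_ALGOS = {LEGACY_ALGO, CURRENT_ALGO}


def _digest(algo: str, salt: str, secret: str) -> str:
    """Hex digest of salt||secret under the named hash (a hashlib algorithm name)."""
    return hashlib.new(algo, (salt + secret).encode("utf-8")).hexdigest()


def make_record(secret: str, algo: str = CURRENT_ALGO, salt: Optional[str] = None) -> str:
    """Build a storage record; a fixed salt may be passed for reproducible tests."""
    if algo not in ACCEPTED_ALGOS:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    if salt is None:
        salt = secrets.token_hex(8)  # 64 random bits, hex-encoded
    return f"{algo}${salt}${_digest(algo, salt, secret)}"


def verify(record: str, secret: str) -> bool:
    """True when the secret matches the record. Unknown algorithms and malformed
    records are rejected outright; the comparison is constant-time."""
    parts = record.split("$")
    if len(parts) != 3:
        return False
    algo, salt, stored = parts
    if algo not in ACCEPTED_ALGOS:
        return False
    computed = _digest(algo, salt, secret)
    return hmac.compare_digest(computed.encode("ascii"), stored.encode("utf-8"))


def needs_upgrade(record: str) -> bool:
    """A record still needs migration unless it already uses the current algorithm."""
    return record.split("$", 1)[0] != CURRENT_ALGO


def verify_and_upgrade(record: str, secret: str) -> Tuple[bool, str]:
    """Verify the secret and, on success, return the record that should now be stored:
    a fresh SHA-256 record if the input was a legacy SHA-1 one, otherwise the input."""
    if not verify(record, secret):
        return False, record
    if needs_upgrade(record):
        return True, make_record(secret)  # fresh salt, current algorithm
    return True, record


if __name__ == "__main__":
    # Constructed pre-migration record with a fixed salt so the run is reproducible.
    legacy = make_record("correct horse", LEGACY_ALGO, salt="c0ffee")
    ok, migrated = verify_and_upgrade(legacy, "correct horse")
    print(legacy)
    print(ok, migrated)
```

The caller persists the returned record whenever it differs from the stored one, so the SHA-1 records disappear as they are used rather than in one rehash pass. As the NIST text quoted above notes, the collision attacks cited in the ticket do not apply to HMAC or KDF uses of SHA-1, so this migration matters most where collision resistance is actually relied on.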