Elonka wrote:
] Decius wrote:
] ] ] SHA-1 has been broken. Not a reduced-round version. Not a
] ] ] simplified version. The real thing.
]
] Well, "Broken" is relative. I'd instead use the term
] "somewhat weaker than expected". From what I'm reading, the
] old chances of collision were 2^80, and now with the "break"
] they've been reduced to only 2^69. Still pretty hefty.

Well, broken is relative, but it is a fundamental attack on a full implementation of the algorithm. In academic terms at least its considered broken because it does not provide the properties its supposed to provide even in the best case.

In practical terms the implications strongly depend on your application and threat model. Cracking DES is a 2^56 order operation and it could be done for about $100,000 in 1998. 2^69 is significantly harder, but significantly less difficult then 2^80, which was already starting to look a little shallow (hence SHA-256 and SHA-512 being bandied about in the last few years). In retrospect, its possible the NIST announcement I posted wasn't actually a pre-warning but rather a commentary on the weakness of 2^80 hashes. 2010 is what they said...

So for certain well funded adversaries they can produce SHA1 hashes fairly rapidly, but where does this matter? Primarily in places where long term data integrity is required. Integrity of real time network protocols is much less likely to be implicated because doing this kind of cracking in real time is usually going to be unreasonable.

This isn't going to result in a bunch of practical attacks right away, but its time to move to another algorithm.

RE: Schneier on Security: SHA-1 Broken