Different River

”You can never step in the same river twice.” –Heraclitus

February 17, 2005

SHA-1 Broken

Filed under: — Different River @ 5:47 pm

Bruce Schneier reports that SHA-1, an algorithm used for computing (and authenticating) digital signatures, has been cracked. This is (potentially, if it pans out) a major setback for digital signatures. Click for details.

UPDATE (2/24/05 5:45pm):

Slashdot reported that:

The findings are that SHA-1 is not collision free and can be broken in 2^69 attempts instead of 2^80. This is about 2000 times faster. With todays computing power and Moores Law, a SHA-1 hash does not last too long. Using a modified DES Cracker, for the small sum of up to $38M, SHA-1 can be broken in 56 hours, with current computing power. In 18 months, the cost should go down by half. Jon Callas, PGP’s CTO, put it best: ‘It’s time to walk, but not run, to the fire exits. You don’t see smoke, but the fire alarms have gone off.’ As Schneier suggests, ‘It’s time for us all to migrate away from SHA-1.’ Alternatives include SHA-256 and SHA-512.”

So, I’m not particularly worried, but quite properly PGP is moving to a more secure version of the SHA algorithm.

This is a good argument for keeping your software upgraded.

Leave a Reply

Powered by WordPress