Different River

”You can never step in the same river twice.” –Heraclitus

February 24, 2005

SHA-1 Broken (Update)

Filed under: — Different River @ 6:09 pm

Updating this post:

Slashdot reported that:

The findings are that SHA-1 is not collision free and can be broken in 2^69 attempts instead of 2^80. This is about 2000 times faster. With todays computing power and Moores Law, a SHA-1 hash does not last too long. Using a modified DES Cracker, for the small sum of up to $38M, SHA-1 can be broken in 56 hours, with current computing power. In 18 months, the cost should go down by half. Jon Callas, PGP’s CTO, put it best: ‘It’s time to walk, but not run, to the fire exits. You don’t see smoke, but the fire alarms have gone off.’ As Schneier suggests, ‘It’s time for us all to migrate away from SHA-1.’ Alternatives include SHA-256 and SHA-512.”

So, I’m not particularly worried, but quite properly PGP is moving to a more secure version of the SHA algorithm.

This is a good argument for keeping your software upgraded.

Leave a Reply

SHA-1 Broken (Update)

Filed under: — Different River @ 5:45 pm

Updating this post:

Slashdot reported that:

The findings are that SHA-1 is not collision free and can be broken in 2^69 attempts instead of 2^80. This is about 2000 times faster. With todays computing power and Moores Law, a SHA-1 hash does not last too long. Using a modified DES Cracker, for the small sum of up to $38M, SHA-1 can be broken in 56 hours, with current computing power. In 18 months, the cost should go down by half. Jon Callas, PGP’s CTO, put it best: ‘It’s time to walk, but not run, to the fire exits. You don’t see smoke, but the fire alarms have gone off.’ As Schneier suggests, ‘It’s time for us all to migrate away from SHA-1.’ Alternatives include SHA-256 and SHA-512.”

So, I’m not particularly worried, but quite properly PGP is moving to a more secure version of the SHA algorithm.

This is a good argument for keeping your software upgraded.

Leave a Reply

Powered by WordPress