Erwin Moller schrieb:
> Dear group,
>
> I need some advice regarding the safety of SHA-0 SHA-1 and MD5, being quite
> ignorant on the subject myself.
> I expect the subject is old news for most of you, but I hope some friendly
> soul can help me a bit in understanding the issue.
>
>
> I read the following articles by Bruce Schneier:
>
> http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
> and the follow up:
> http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
>
> [Quote from the first article]
> ******************************************************
> February 15, 2005
> SHA-1 Broken
>
> SHA-1 has been broken. Not a reduced-round version. Not a simplified
> version. The real thing.
>
> The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly
> from Shandong University in China) have been quietly circulating a paper
> describing their results:
>
> * collisions in the full SHA-1 in 2**69 hash operations, much less
> than the brute-force attack of 2**80 operations based on the hash length.
>
> * collisions in SHA-0 in 2**39 operations.
>
> * collisions in 58-round SHA-1 in 2**33 operations.
>
> This attack builds on previous attacks on SHA-0 and SHA-1, and is a major,
> major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a
> hash function for digital signatures (although it doesn't affect
> applications such as HMAC where collisions aren't important).
>
> The paper isn't generally available yet. At this point I can't tell if the
> attack is real, but the paper looks good and this is a reputable research
> team.
> ******************************************************
> [end quote]
>
>
> We just had a discussion on the subject in a PHP-ng (PHP is a
> scripting language).
> We wondered if storing passwords hashed as MD5 was safe.
> I hope somebody can answer the following questions.
The attack on MD5 needs n(512 x 4) bits -> data for one round: 64 bytes
-> 64 chars.
The attack, if I remember correctly, is based on the property of MD5 that
there is a mathematical group between round n and round n + 1.
So you can add and subtract between round n and n + 1 with the same
hash.
If you have only one round you can't do any operation.
And a password can't be longer than 32 bytes on most systems.
OK, on IBM iSeries you can use 128 bytes.
>
> Our most nagging questions are:
> 1) Based on only an MD5 hash, can the above-mentioned new algorithms create new
> input strings that produce the same hash in a reasonably short time?
> (That is called a collision, right?)
>
> Or can it only be used in certain isolated situations?
> (I mean: Does it only work for a special subset of MD5 hashes?)
>
>
> 2) If yes to 1) -> Should we consider SHA-0/1 and MD5 unsafe?
> What other hash do you advise us to use?
>
> Thanks in advance for your time!
>
> Regards,
> Erwin Moller
Have a nice lifetime.
Denis Kohl
Received on Thu Sep 29 21:53:03 2005
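Added illustration (editor's example, not code from Erwin or Denis): the thread asks whether the 2005 collision results matter for passwords stored as bare MD5. A collision gives two messages with the same digest; verifying a password instead asks whether a guess hashes to one given stored digest, which is a preimage question the quoted results do not address. What does matter for stored passwords is that the same password always yields the same unsalted MD5 digest. The block below contrasts the unsalted MD5 record the thread describes with a salted, iterated record; PBKDF2-HMAC-SHA256 from Python's standard library is my stand-in for "a slow salted password hash", the iteration count is an assumption, and all passwords in it are constructed sample values.

```python
"""Unsalted MD5 password record vs. a salted, iterated record.

Editor's example for the thread above, not the posters' code. Assumes
passwords are handled as bytes; PBKDF2-HMAC-SHA256 and the iteration
count are my choices, not something the thread specifies.
"""
import hashlib
import hmac
import os
from typing import List, Optional


def md5_record(password: bytes) -> str:
    """The scheme the thread asks about: bare MD5 hex digest, no salt."""
    return hashlib.md5(password).hexdigest()


def verify_md5(stored_hex: str, candidate: bytes) -> bool:
    """Check a guess against a stored MD5 record.

    Note that this needs a guess that hashes to the stored value (a
    preimage); two colliding messages of the attacker's own choosing
    do not help here. compare_digest avoids timing leaks on the compare.
    """
    return hmac.compare_digest(stored_hex, md5_record(candidate))


def pbkdf2_record(password: bytes, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> dict:
    """Salted, iterated record. Each record carries its own random salt
    and iteration count so it can be verified and later re-strengthened.
    (Assumed parameters, see module docstring.)"""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_pbkdf2(record: dict, candidate: bytes) -> bool:
    """Recompute with the record's own salt and iteration count."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate,
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def duplicates_visible_md5(passwords: List[bytes]) -> bool:
    """True if two users with the same password get identical records.
    With unsalted MD5 they always do, so a leaked table reveals shared
    passwords and one precomputed table serves every user."""
    records = [md5_record(p) for p in passwords]
    return len(set(records)) < len(records)


def duplicates_visible_pbkdf2(passwords: List[bytes]) -> bool:
    """Same question for salted records: the per-user salt makes equal
    passwords produce different stored hashes."""
    records = [pbkdf2_record(p, iterations=1000)["hash"] for p in passwords]
    return len(set(records)) < len(records)


if __name__ == "__main__":
    # Constructed sample passwords, two users sharing one.
    users = [b"correct horse", b"battery staple", b"correct horse"]
    print("MD5 records reveal shared passwords:",
          duplicates_visible_md5(users))          # True
    print("PBKDF2 records reveal shared passwords:",
          duplicates_visible_pbkdf2(users))       # False
    rec = pbkdf2_record(b"correct horse")
    print("PBKDF2 verify (right):", verify_pbkdf2(rec, b"correct horse"))
    print("PBKDF2 verify (wrong):", verify_pbkdf2(rec, b"wrong guess"))
```

Run it as a script to see the two duplicate checks differ; the point of the salt is exactly that difference, independent of any collision result. The iteration count is the knob that makes each guess cost more than a single MD5 evaluation, which is the part of the "is MD5 safe for passwords" question that collision papers do not speak to.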