SHA-1 – What does ‘broken’ really mean?

Over on Bruce Schneier’s blog there’s a post saying that SHA-1 is now broken. SHA-1 is a hashing algorithm that takes a string and converts it to a “unique” unintelligible hash of characters. I put unique in quotes because given that the hash length is shorter than the string, there’s obviously more than one string that will create the same hash. Since this algorithm is use for digital signatures, if someone finds a way to change the message and leave the hash the same, well that’s clearly a problem.

This Chinese team seems to have found a way to do that in less than the full number of operations one would expect for a “brute force” attack. More specifically, they’ve found “collisions”, which means they’ve found a string that will produce the same hash. They did this in 2 to the 69th operations, which is a really huge number, but significantly less huge than the expected 2 to the 80th operations. There’s no mention of what computing power was used, but it’s way, way beyond what anyone but research teams and governments can lay their hands on easily.

While I’m sure this is shaking the crypto world, I think it’s a little early to worry about your coworkers forging your signature in a nasty email to the boss.

One thought on “SHA-1 – What does ‘broken’ really mean?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s