SHA-1 broken, sort of

Feb 16, 2005

Just as everybody else and his dog, I too will mention that it seems SHA-1 has been broken, more or less. Bruce Schneier is probably the best source on the subject.

A brute force attack on SHA-1 would take 2^80 operations; the not yet really published paper reduces this to 2^69, still quite a lot, as illustrated in jlouis' literate Haskell mail. But it is a major thing: we're now left with RMD-160 for really sensitive applications, and it is slower than MD5 and SHA-1:

Running md5 -t http://www.openbsd.org/cgi-bin/man.cgi?query=md5
MD5 time trial.  Processing 10000 10000-byte blocks...
Digest = 52e5f9c9e6f656f3e1800dfa5579d089
Time   = 1.454656 seconds
Speed  = 68744775.397070 bytes/second
Running sha1 -t http://www.openbsd.org/cgi-bin/man.cgi?query=sha1
SHA1 time trial.  Processing 10000 10000-byte blocks...
Digest = 74a57b897cc581defa5b3a359fa762a1b83a60e8
Time   = 2.524668 seconds
Speed  = 39609168.413431 bytes/second
Running rmd160 -t http://www.openbsd.org/cgi-bin/man.cgi?query=rmd160
RMD160 time trial.  Processing 10000 10000-byte blocks...
Digest = 844da858884a72f265e35fd52b5ac88d27154417
Time   = 4.010691 seconds
Speed  = 24933359.363761 bytes/second

It may be OpenBSD's implementation that sucks, but I doubt it.

I can't remember reading about a practical application defaulting to RMD-160, but I guess it may start to happen. The silver lining is that it doesn't affect HMAC as used in IPsec, so I guess it ain't all bad.
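
To make the HMAC remark concrete, here is an added example (not part of the original post) that writes out the HMAC construction from RFC 2104 over SHA-1 and truncates it to 96 bits, the form IPsec uses as HMAC-SHA-1-96 (RFC 2404, a detail not stated in the post). Both hash passes are keyed, so someone without the key cannot compute either one offline, which is what a collision search requires. The key and packet bytes are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 64    # SHA-1 input block size in bytes
ICV_LEN = 12  # HMAC-SHA-1-96 keeps the first 96 bits of the tag (RFC 2404)


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC per RFC 2104, written out to show the two keyed passes."""
    if len(key) > BLOCK:                 # over-long keys are hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")      # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # Inner pass: the message is hashed only after a secret block, so the
    # chaining state it starts from is unknown to anyone without the key.
    inner = hashlib.sha1(ipad + msg).digest()
    # Outer pass: the inner digest is hashed again under a second secret block.
    return hashlib.sha1(opad + inner).digest()


def icv(key: bytes, packet: bytes) -> bytes:
    """Integrity check value: the HMAC-SHA-1 tag truncated to 96 bits."""
    return hmac_sha1(key, packet)[:ICV_LEN]


def verify(key: bytes, packet: bytes, received: bytes) -> bool:
    """Recompute the ICV and compare in constant time."""
    return hmac.compare_digest(icv(key, packet), received)


if __name__ == "__main__":
    key = bytes(range(20))               # constructed 160-bit key
    packet = b"constructed ESP payload"  # constructed sample data
    tag = icv(key, packet)
    print("ICV:", tag.hex())
    print("intact packet accepted:", verify(key, packet, tag))
    print("modified packet accepted:", verify(key, packet + b"!", tag))
    print("wrong key accepted:", verify(b"\x01" * 20, packet, tag))
```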


Last edited: May 1, 2016

