About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.

SHA-1 Broken

I just read on Bruce Schneier's blog that SHA-1 has been broken. Bruce states:

SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.

He continues:

This attack builds on previous attacks on SHA-0 and SHA-1, and is a major, major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a hash function for digital signatures (although it doesn't affect applications such as HMAC where collisions aren't important).

This is a big deal.

About this post

SHA-1 Broken was posted on Tue, 15 Feb 2005.


1. Chris Shiflett said:

More information is available from Ed Felten's prediction last year:


Wed, 16 Feb 2005 at 04:26:45 GMT

2. Robert said:

Is it really a big deal, though, Chris? Even if the predictability has been reduced to 2^69, do hackers have the capability of using this for exploit? I'm amazed at how quick everyone has been to sound the alarm in the absence of concrete information, let alone *practical* information about what this means for developers using SHA-1.

Thu, 17 Feb 2005 at 03:55:12 GMT

3. Chris Shiflett said:

I think it is a big deal, yes. It's true that no concrete evidence (e.g., collision) has been provided, but this is an important breakthrough that significantly weakens SHA-1. In addition, this will most likely lead to further breakthroughs.

If this research is what Bruce thinks it is (and I trust him not to cry wolf), SHA-1 is no longer safe to use for many of its most common applications. Being able to defeat the algorithm in 2048 times fewer tries than an enumerated attack is a big deal.

However, I understand your skepticism. I don't plan to worry about a SHA-1 signature for a file that I download anytime this year (e.g., I won't be wondering whether the file is fake and represents a collision), but for digital signatures that need to be reliable for at least twenty years, SHA-1 is no longer an appropriate choice.

Thu, 17 Feb 2005 at 04:27:20 GMT

4. Robert said:

I didn't realize people were using SHA-1 for long-standing signatures. I use GnuPG, which does use SHA-1 for integrity, but DSA/RSA or ElGamal for signing. Plus, I rotate the public key every year.

Sounds to me that to the average PHP coder (who now uses SHA-1 instead of MD5 to hash passwords for storage and is currently scratching her head as to why this is "wrong") this really isn't too big a deal. That script kiddie that compromised her bulletin board isn't going to be able to reverse the hashes with his four-year-old Gateway PC.

So, while I agree this is a *huge* deal for the cryptography community, it seems like a relatively smaller deal (compared, for example, to vulns. found in packages that have concrete, practical exploits) for the PHP community.

Thu, 17 Feb 2005 at 16:14:19 GMT

5. Chris Shiflett said:

Yeah, that's true. As I understand it, the collision was found by using two streams of data, so it's not a case of taking one known stream and finding a collision (which is the big concern).

Thu, 17 Feb 2005 at 16:22:13 GMT
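To make the distinction drawn in comments 4 and 5 concrete, here is an added example (written for this page, not code from the post or its commenters). It assumes a toy: SHA-1 truncated to a few bits stands in for the full 160-bit function so both searches finish in seconds. A collision search, where the searcher picks both inputs, costs roughly 2^(n/2) evaluations, while matching one fixed target (a stored password hash, an already-signed file) costs roughly 2^n, which is why a collision result does not by itself let anyone "reverse" a stored hash.

```python
import hashlib


def truncated_sha1(data: bytes, bits: int) -> int:
    """SHA-1 keeping only the top `bits` bits (toy stand-in for the 160-bit hash)."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def find_collision(bits: int, seed: bytes = b"stream-") -> tuple[bytes, bytes, int]:
    """Birthday search: both colliding inputs are chosen by the searcher.
    Generic cost is about 2**(bits/2) evaluations (the two-streams case of comment 5)."""
    seen: dict[int, bytes] = {}
    tries = 0
    while True:
        msg = seed + tries.to_bytes(8, "big")   # constructed input, counter-based
        tries += 1
        h = truncated_sha1(msg, bits)
        if h in seen:                           # earlier message had a different counter
            return seen[h], msg, tries
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int, seed: bytes = b"forge-") -> tuple[bytes, int]:
    """Given a FIXED target, find a different input with the same truncated hash.
    Generic cost is about 2**bits evaluations: no birthday shortcut applies."""
    want = truncated_sha1(target, bits)
    tries = 0
    while True:
        msg = seed + tries.to_bytes(8, "big")
        tries += 1
        if msg != target and truncated_sha1(msg, bits) == want:
            return msg, tries


def attack_speedup(generic_bits: int, attack_bits: int) -> int:
    """Factor by which a 2**attack_bits attack beats the generic 2**generic_bits bound
    (2**80 vs 2**69 for SHA-1 collisions gives the 2048 quoted in comment 3)."""
    return 2 ** (generic_bits - attack_bits)


if __name__ == "__main__":
    a, b, n_coll = find_collision(20)
    print(f"collision (20-bit toy) after {n_coll} tries; ~2**10 = 1024 expected")
    m, n_pre = find_second_preimage(b"password-hash-input", 16)
    print(f"second preimage (16-bit toy) after {n_pre} tries; ~2**16 = 65536 expected")
    print("SHA-1 collision attack speedup over brute force:", attack_speedup(80, 69))
```

Note that the collision search is run at 20 bits and the second-preimage search at only 16 bits, yet the latter still needs far more work; that asymmetry is the whole point.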

6. Ilia Alshanetsky said:

Even with the reduced strength of SHA-1 you would need an enormous amount of hardware and time just to "crack" one key. By the time you do, the data is likely to have changed many times over and you'd need to start from the very beginning.

Fri, 18 Feb 2005 at 20:40:16 GMT

7. Chris Shiflett said:

Here is more elaboration from Schneier:


Mon, 28 Feb 2005 at 05:19:39 GMT
