SHA1 Broken

quasi-modo · February 19, 2005, 11:08 AM

Quote from: j0k3r on February 19, 2005, 08:46 AM
Quote from: quasi-modo on February 18, 2005, 05:23 PM
It is great for dbs. You encrypt passwords / credit card numbers. It is not meant to be decrypted really.
What would be the purpose of SHA-1'ing a credit card number, would they not need it for billing purposes?

Some sites use it for identification purposes. Same as a social. For instnace my online banking uses my social. Paypal can use a credit card number.

Arta · February 19, 2005, 03:07 PM

Tthe attack that has been found on SHA-1 wouldn't enable anyone to retrieve plaintext from the hash.

What the attack does is to allow you to find collisions more quickly, which makes a birthday attack possible.

quasi-modo · February 22, 2005, 04:29 PM

Quote from: Arta[vL] on February 19, 2005, 03:07 PM
Tthe attack that has been found on SHA-1 wouldn't enable anyone to retrieve plaintext from the hash.

What the attack does is to allow you to find collisions more quickly, which makes a birthday attack possible.

Well it does not really needs to let you retrieve text... it just needs to let you login as someone else.

Arta · February 23, 2005, 08:36 AM

I don't see how this attack makes that more likely than it was before?

quasi-modo · February 23, 2005, 04:57 PM

Quote from: Arta[vL] on February 23, 2005, 08:36 AM
I don't see how this attack makes that more likely than it was before?

If sha-1 is vulnerable (I do not know how this attack works exactly), and sha-1 is what the passwords are encrypted in, then if sha-1 were broken would it not allow you to login as someone else more easily?

Birthday is no longer really a threat if you salt the password feild with an id feild or something.... it would turn into a conventional brute force at that point.

I do not know much about what this new attack does, only what was in the op. All I know is md5 was broken a long time ago but it is still pretty seucre and still widely used.

Arta · February 23, 2005, 05:18 PM

The attack makes it considerably easier (2⁶⁹ instead of 2⁸⁰) to find plaintexts that cause collisions. That is, given a plaintext P₁, it is now much easier to find a plaintext P₂ such that SHA1(P₁) == SHA1(P₂).

That's why this vulnerability facilitates a birthday attack. A typical example might be to take a document (for example, a contract), D₁, that is signed using SHA1 to ensure that it has not been modified in transit. If Mallory wants to tamper with this document, they could do it by making the change they need, and then making lots of small, imperceptible changes (for example adding spaces), until they had a document D₂, such that H(D₁) == H(D₂). Mallory can then send this document to the victim, and claim that it is the original. The victim will check the hashes, which will be the same, and will not be aware of the changes made.

It's a simplistic example but it illustrates the most serious problem raised by this vulnerability.

It does also make it easier to brute force the plaintext used to generate hashes, but 2⁶⁹ is still a lot of work, so that shouldn't be a problem in the immediate future.

dxoigmn · February 24, 2005, 12:15 PM

Quote from: Arta[vL] on February 23, 2005, 05:18 PM
The attack makes it considerably easier (2⁶⁹ instead of 2⁸⁰) to find plaintexts that cause collisions. That is, given a plaintext P₁, it is now much easier to find a plaintext P₂ such that SHA1(P₁) == SHA1(P₂).

That's why this vulnerability facilitates a birthday attack. A typical example might be to take a document (for example, a contract), D₁, that is signed using SHA1 to ensure that it has not been modified in transit. If Mallory wants to tamper with this document, they could do it by making the change they need, and then making lots of small, imperceptible changes (for example adding spaces), until they had a document D₂, such that H(D₁) == H(D₂). Mallory can then send this document to the victim, and claim that it is the original. The victim will check the hashes, which will be the same, and will not be aware of the changes made.

It's a simplistic example but it illustrates the most serious problem raised by this vulnerability.

It does also make it easier to brute force the plaintext used to generate hashes, but 2⁶⁹ is still a lot of work, so that shouldn't be a problem in the immediate future.

Even the example you gave it highly unlikely. I think the point is that once you find a small hole in a hasing algorithm pretty soon someone is going to find a bigger hole. Generally, the security of a hashing algorithm doesn't increase but decreases over time, however these kind of exploits only make it decrease quicker.

iago · February 24, 2005, 10:09 PM

Just a picky little note, this isn't an "exploit", it's a vulnerability or weakness.

dxoigmn · February 24, 2005, 10:25 PM

Quote from: iago on February 24, 2005, 10:09 PM
Just a picky little note, this isn't an "exploit", it's a vulnerability or weakness.

Yes, good catch