
ws-sx message


Subject: SHA-1 collisions, etc

From the RSA blog at:



“RSA Laboratories' Dr. Michael Szydlo has posted a technical note on the status of the researchers' latest attack and the practical ramifications for applications in use today.”

The technical note states “It will not be surprising if further improvements to SHA-1 collision attacks appear in the coming months.”


Status of the Attack: Although it is clear that the approach is viable, the improved message modification calculations have not been confirmed by experts. As with the work of [WYY], this work estimates the difficulty of an attack, rather than producing an actual collision. No actual collision for SHA-1 has been exhibited to date. However, 2^63 is within reach of a distributed computing effort. It will not be surprising if further improvements to SHA-1 collision attacks appear in the coming months.

Practical Ramifications: This research has ramifications for applications which require collision resistant hash functions: for example digital signatures (see [R] and [K] for a discussion of the ramifications of earlier collision attacks on SHA-1). Practically, this cryptanalytic result suggests the acceleration of upgrading software which uses hash functions. Three viable approaches for improving the security of applications are:

  1. Replace the hash function with a stronger one. The most commonly suggested approach is to simply employ SHA-256, possibly truncating the output to 160 bits.
  2. Alter the protocol so that it no longer requires that the hash function be collision resistant. A recent proposal suggests adding randomness to hash functions [HK]. To implement this, the application must have a good source of randomness and must alter the protocol.
  3. Implement simple message pre-processing to convert plaintext messages into a form which renders all existing collision attacks inapplicable. This approach can be accomplished with minimal code change, and is described in [SY]. This practical alternative is appealing for applications which want to extend the secure life of SHA-1. Slides describing this approach are available at [SY2].



Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
I-name:  =Rob.Philpott
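The first two approaches quoted above, as an added Python example that is not part of this message or of the RSA technical note: approach 1 as SHA-256 truncated to 160 bits, and approach 2 in a simplified prefix-randomization form (an assumption made here; the construction cited as [HK] is not reproduced). A constructed 16-bit toy hash, whose collisions are cheap to find, stands in for a broken hash to show why signer-chosen randomness defeats a precomputed collision pair, and why that randomness must be fresh and unpredictable.

```python
import hashlib
import os
from typing import Callable, Tuple


def truncated_sha256(msg: bytes) -> bytes:
    """Approach 1: hash with SHA-256 and truncate to 160 bits (20 bytes),
    so the digest length matches what a SHA-1 based format expects."""
    return hashlib.sha256(msg).digest()[:20]


def randomized_sha1(r: bytes, msg: bytes) -> bytes:
    """Approach 2, simplified: the signer prepends fresh randomness r.
    (Assumed simplification; the scheme cited as [HK] is more elaborate.)"""
    return hashlib.sha1(r + msg).digest()


# --- Toy model, constructed for this demo, to show why approach 2 works ---
def toy_hash(msg: bytes) -> bytes:
    """Stand-in for a hash whose collisions are cheap: SHA-1 truncated
    to 16 bits, so a birthday collision costs only a few hundred trials."""
    return hashlib.sha1(msg).digest()[:2]


def toy_randomized(r: bytes, msg: bytes) -> bytes:
    return toy_hash(r + msg)


def find_collision(h: Callable[[bytes], bytes],
                   prefix: bytes = b"doc-") -> Tuple[bytes, bytes]:
    """Generic birthday search: two distinct inputs with h(a) == h(b)."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        d = h(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
        i += 1


def signer_randomness_separates(m1: bytes, m2: bytes, trials: int = 3) -> bool:
    """Signer picks r only after the attacker committed to (m1, m2):
    the precomputed pair almost surely no longer collides."""
    for _ in range(trials):
        r = os.urandom(16)
        if toy_randomized(r, m1) != toy_randomized(r, m2):
            return True
    return False


def collision_when_r_known_in_advance(r: bytes) -> Tuple[bytes, bytes]:
    """Caveat: if r is predictable or reused, the attacker simply searches
    under the randomized function instead, and the protection is gone."""
    return find_collision(lambda m: toy_randomized(r, m))
```

The toy hash only models the cost gap; with real SHA-1 the same argument applies, since the attacker must fix the colliding pair before the signer draws r.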

