Chosen-prefix collision for SHA-1 (2019) (opens in new tab)

(sha-mbles.github.io)

22 pointsaburan282y ago8 comments

8 comments

(2019)

How are other algorithms fairing recently, anything else started tumbling over in the last few years?

SHA-2 uses a Merkle-Damgard construction like SHA-1 does, but is not widely believed to be vulnerable to the same attacks. SHA-3 was developed and standardized in part to mitigate future breaks in SHA-2, but those breaks have (so far) not materialized[1].

TL;DR: If all you need is a fast cryptographic digest, SHA-2 is still the gold standard. If you care about length-extension attacks, SHA-3's construction prevents them. If you're hashing passwords, you should use a KDF instead.

[1]: https://www.imperialviolet.org/2017/05/31/skipsha3.html

magicalhippo2y ago

> SHA-2 is still the gold standard

Truncated SHA-2, eg SHA-512/256, has some resistance against length extension attacks[1] while non-truncated has none, so wouldn't that be the gold standard?

edit: Thinking a bit more, I guess there are a lot of interesting cases which are not prone to length extension attacks where the full SHA-512 would be better.

[1]: https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functi...

woodruffw2y ago

I was referring to the full family! SHA-512/256 is indeed a good choice, and should be (nearly) identical in terms of performance characteristics.

hoppla2y ago

Looked at a 6 byte hash today. Modifying the hash or the data attached to it made the API respond with an error saying untrusted input. The data is an encrypted blob and the hash protects it from being tampered with.

My guess is that it’s a truncated md5(secret + data) or hmac. Either way, with a sufficient long a secret, I won’t be able to guess it (offline), and because of the truncation, length extensions also out of the question.

With only 48 bits of entropy, I can’t shake the feeling that there are practical attacks I have not considered.

jwilk2y ago

Is it 2019? They link to a 2020 paper.

The earliest copy in the Wayback Machine is from 2020-01-07. That's also when it was first submitted to HN: https://news.ycombinator.com/item?id=21979333 (354 comments)

aidenn02y ago

This was definitely January 2020 (January 7th, a Tuesday, per the Ars Technica article); I think the 2019 confusion is because that is when they disclosed the attacks to the related projects.

woodruffw2y ago

For those wondering: this work was presented at RWC 2020[1], so it's not a new (but still valuable!) finding.

[1]: https://sha-mbles.github.io/Shambles_RWC.pdf

j / k navigate · click thread line to collapse

8 comments

zamadatix2y ago

(2019)

How are other algorithms fairing recently, anything else started tumbling over in the last few years?

woodruffw2y ago

[1]: https://www.imperialviolet.org/2017/05/31/skipsha3.html

magicalhippo2y ago

> SHA-2 is still the gold standard

Truncated SHA-2, eg SHA-512/256, has some resistance against length extension attacks[1] while non-truncated has none, so wouldn't that be the gold standard?

edit: Thinking a bit more, I guess there are a lot of interesting cases which are not prone to length extension attacks where the full SHA-512 would be better.

[1]: https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functi...

woodruffw2y ago

I was referring to the full family! SHA-512/256 is indeed a good choice, and should be (nearly) identical in terms of performance characteristics.

hoppla2y ago

With only 48 bits of entropy, I can’t shake the feeling that there are practical attacks I have not considered.

jwilk2y ago

Is it 2019? They link to a 2020 paper.

The earliest copy in the Wayback Machine is from 2020-01-07. That's also when it was first submitted to HN: https://news.ycombinator.com/item?id=21979333 (354 comments)

aidenn02y ago

This was definitely January 2020 (January 7th, a Tuesday, per the Ars Technica article); I think the 2019 confusion is because that is when they disclosed the attacks to the related projects.

woodruffw2y ago

For those wondering: this work was presented at RWC 2020[1], so it's not a new (but still valuable!) finding.

[1]: https://sha-mbles.github.io/Shambles_RWC.pdf

j / k navigate · click thread line to collapse