6

I read that SHA-1 is being retired from the FIPS 180-2 standard.

Apparently there are weaknesses in SHA-1 that led to this decision. Can anyone elaborate on the basis for that decision? Are there implications for the use of SHA-1 in commercial applications?

My real questions are:

  • What is the state of SHA-2 support in various class libraries and platforms?
  • Should I attempt to move to SHA-2?

Interested in mainstream platforms: .NET, Java, C/C++, Python, Javascript, etc.

rook
Cheeso

3 Answers

5

SHA-1, SHA-0, MD4 and MD5 have all been found to be insecure over the past few years. The problem is that if an attacker can generate 2 different messages that produce the same resulting hash, this is called a collision. This causes a lot of problems for PKIs, password management, file integrity checks and more. Currently SHA-1 only provides 2^52 bits of security, which is within reach of attackers. Whereas SHA-256 (smallest member of the SHA-2 family) provides 2^256 bits.

All platforms should have a SHA-256 implementation, although not all of them are native. In PHP you have to use the mhash extension. It's rather baffling that some platforms don't provide secure hash functions; I honestly believe it's because they don't care about security. In the case of PHP I know for a fact that they don't care about security.

Currently there is nothing wrong with SHA-2 and it has a very large margin of safety. You can use SHA-512 if you are really paranoid. SHA-3 will be out in 2012; you should patch whatever you can with SHA-2, like your PASSWORDS, and then move to SHA-3 when you can, but SHA-512 will be good for a VERY long time.

rook
  • @edgar as long as PHP lacks basic security features, like a secure hash function, then this is still very relevant. I can't change facts based on what you think. – rook Mar 08 '10 at 23:57
4

Windows Vista and later supports SHA-2 in the Microsoft Enhanced RSA and AES Cryptographic Provider for CryptoAPI, and the .NET Framework has supported SHA-2 since .NET 1.1.

Michael Howard-MSFT
1

Most platforms now support the SHA-2 family. However, SHA-1 is still used in many applications, like SSL, and will be in use for a while.

A competition for "SHA-3" is well underway. It might be reasonable to jump from SHA-1 to the new SHA-3 standard when it arrives.

erickson
  • SHA-3 is a few years away; I'd make sure you're protected by moving to SHA-2 ASAP. It's only a one-function-call change, it shouldn't be a big deal for most apps (an entire PKI is a different story and that will take time to patch). – rook Mar 08 '10 at 23:59
  • Often, switching is not an option. For example, maybe a SHA-256 TLS cipher suite isn't supported by a partner. And it's not a problem, because even if there is a vulnerability, it can't be exploited fast enough to forge MACs in a network protocol. – erickson Mar 09 '10 at 01:58
  • Hash collisions don't affect message authentication codes; they also don't affect Media Access Control addresses. SHA-3 will be out in 2012; you should patch whatever you can with SHA-2, like your **PASSWORDS**. – rook Mar 09 '10 at 03:41
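An added example, not part of the thread above, for the MAC point the last two comments argue over: a keyed HMAC is a different construction from a bare hash, and its keyed verification is what a collision on the underlying hash does not hand an attacker. The block builds HMAC-SHA1 and HMAC-SHA256 tags over the same message with Python's `hmac` module, so the "one argument change" migration is visible, and shows constant-time verification rejecting a modified message. The key and message are the published RFC 2202 / RFC 4231 test vectors; the tampered message is constructed for the example.

```python
import hashlib
import hmac

# Published HMAC test vector (RFC 2202 test case 2 / RFC 4231 test case 2).
KEY = b"Jefe"
MESSAGE = b"what do ya want for nothing?"
# Constructed variant of the message, used to show verification failing.
TAMPERED = b"what do ya want for nothing!"


def mac_tag(key: bytes, message: bytes, algorithm: str = "sha256") -> str:
    """Hex HMAC tag over `message`; switching SHA-1 to SHA-2 is the `algorithm` argument."""
    return hmac.new(key, message, getattr(hashlib, algorithm)).hexdigest()


def mac_verify(key: bytes, message: bytes, tag_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time (never use == on MAC tags)."""
    expected = mac_tag(key, message, algorithm)
    return hmac.compare_digest(expected, tag_hex)


def main() -> None:
    for alg in ("sha1", "sha256"):
        tag = mac_tag(KEY, MESSAGE, alg)
        print(f"HMAC-{alg.upper():6} {tag}")
        print("  original verifies:", mac_verify(KEY, MESSAGE, tag, alg))
        print("  tampered verifies:", mac_verify(KEY, TAMPERED, tag, alg))


if __name__ == "__main__":
    main()
```

The defender's takeaway matches erickson's point: a protocol whose integrity rests on HMAC-SHA1 is not broken by a SHA-1 collision, because the attacker does not hold the key; the hash strength that matters for a MAC is preimage-style, not collision-style.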