Y M

Reputation: 107

Why is SHA-1 considered insecure?

Microsoft, Google and Mozilla have decided not to accept it in 2017 because of the flaws found by researchers. And I saw SHA-1 is deprecated nearly everywhere simply because people think that it's not safe anymore. But unlike MD5, currently there is no known collision found on SHA-1. And even the fastest algorithm for the collision of SHA-1 still requires nearly 2^60 evaluations, which is still a very large number.

My question is why SHA-1, a hash algorithm for which no collisions have been found and which still requires a large amount of time to find a collision, is deprecated? I understand SHA-2 is more secure, but it is also slower than SHA-1. Why do most people recommend trading performance for the so-called "security" when the security of SHA-1 is not even an issue for most situations?

Upvotes: 4

Views: 5884

Answers (1)

aaa

Reputation: 96

SHA-1 is weak because of collision attacks:

https://en.wikipedia.org/wiki/SHA-1#Attacks

In an interview, Yin states that, "Roughly, we exploit the following two weaknesses: One is that the file preprocessing step is not complicated enough; another is that certain math operations in the first 20 rounds have unexpected security problems."


https://www.schneier.com/blog/archives/2005/02/sha1_broken.html

collisions in the full SHA-1 in 2^69 hash operations, much less than the brute-force attack of 2^80 operations based on the hash length.

collisions in SHA-0 in 2^39 operations.

collisions in 58-round SHA-1 in 2^33 operations.

there is a collision attack on SHA-1's compression function that requires only 2^57 SHA-1 evaluations

Upvotes: 6
