[p2p-hackers] SHA1 broken?
Serguei Osokine
Serguei.Osokine at efi.com
Wed Feb 16 16:37:31 UTC 2005
On Wednesday, February 16, 2005 Gordon Mohr wrote:
> MD5 should not be used for content identification, given the
> ability to create content pairs with the same MD5, with one
> version being (and appearing and acquiring a reputation for
> being) innocuous, and the other version malicious.
Right. So let's go and try to find something with the same
MD5 as this letter of mine, shall we? :-)
For any practical purpose that I can imagine in a content
identification field, MD5 is just fine. And SHA-1 is even more
fine. There are plenty more simple ways to attack the CDN nets
than MD5 collisions. Way more simple. And abandoning MD5 for
SHA1, then SHA1 for Tiger, and then abandoning Tiger for some
newer hash when some researcher finds that it is really twenty
bits weaker than you thought - it is all just a huge waste of
development effort, as far as I'm concerned.
It sure is nice to know that the human mind can find
collisions in a 160-bit hash, but I have a feeling that the
practical meaning of this result in the content identification
area is precisely zero. Probably the biggest effect will be
that the more advanced of the marketing types will start
saying with a knowing look: "ah, but SHA1 was compromised -
shouldn't we use something more secure?"
Which is a plenty effect by itself, I'll grant you that.
It will be way easier to switch to a newer hash than to explain
to these guys that this is all a load of bull. But this is a
Chicken Little effect, which is of a psychological rather than
of a technical nature, and I'd expect to find the concerns about
SHA1 weakness on some marketing forum rather than here.
(All of the above is only about the content identification in
the P2P nets, of course. Security/authentication is a different
story. But saying that MD5 should not be used for the content
identification does seem like a bit of an overstatement to me.
I mean, imagine yourself a Gnutella network - so its biggest,
major, noticeable, or even existing concern is a collision
in the content hashes? Are you kidding? :-) )
Best wishes -
S.Osokine.
16 Feb 2005.
-----Original Message-----
From: p2p-hackers-bounces at zgp.org [mailto:p2p-hackers-bounces at zgp.org] On
Behalf Of Gordon Mohr (@ Bitzi)
Sent: Wednesday, February 16, 2005 1:10 AM
To: Peer-to-peer development.
Subject: Re: [p2p-hackers] SHA1 broken?
Serguei Osokine wrote:
>># * collisions in the full SHA-1 in 2**69 hash operations,
>># much less than the brute-force attack of 2**80 operations...
>
> Okay, so the effective SHA-1 length is 138 bits instead of full
> 160 - so what's the big deal?
If the results hold up:
SHA1 is not as strong as it was designed to be, and its effective
strength is being sent in the wrong direction, rather than being
confirmed, by new research.
Even while maintaining that SHA1 was unbroken and likely to
remain so just last week, NIST was still recommending that SHA1 be
phased out of government use by 2010:
http://www.fcw.com/fcw/articles/2005/0207/web-hash-02-07-05.asp
One more paper from a group of precocious researchers anywhere in
the world, or unpublished result exploited in secret, could topple
SHA1 from practical use entirely. Of course, that's remotely possible
with any hash, but the pattern of recent results suggests that a
further break is now more likely with SHA1 (and related hashes)
than with others.
So the big deal would be: don't rely on SHA1 in any applications
you intend to have a long effective life.
> It is still way more than, say, MD5
> length. And MD5 is still widely used for stuff like content id'ing
> in various systems, because even 128 bits is quite a lot, never
> mind 138 bits.
Just because it's widely used doesn't mean it's a good idea.
MD5 should not be used for content identification, given the ability
to create content pairs with the same MD5, with one version being
(and appearing and acquiring a reputation for being) innocuous, and
the other version malicious.
- Gordon @ Bitzi
_______________________________________________
p2p-hackers mailing list
p2p-hackers at zgp.org
http://zgp.org/mailman/listinfo/p2p-hackers
_______________________________________________
Here is a web page listing P2P Conferences:
http://www.neurogrid.net/twiki/bin/view/Main/PeerToPeerConferences
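As an added illustration of the failure mode Gordon describes (two different contents sharing one identifier, only one of which has earned a reputation), here is a constructed Python example; it is not code from either poster or from any P2P project. It uses a deliberately truncated MD5 (an assumed 32-bit content id) to stand in for a hash whose collisions are cheap, so a colliding pair can be found offline in about a second instead of needing the published MD5 attacks; the names weak_id, strong_id, find_colliding_pair and ContentIndex are all made up for the example. It shows both sides of the thread's point: a network that identifies content by the weak hash alone hands the malicious twin the innocuous file's reputation, while an index that also records an independent full-length digest reports the second registration as a conflict and refuses to answer a weak-only match.

```python
import hashlib
import itertools

# Hypothetical "weak" content id: MD5 truncated to 32 bits (8 hex chars).
# Real MD5 is 128 bits; the truncation stands in for a hash whose collisions
# are cheap to produce, so the scenario can be reproduced offline in seconds.
WEAK_HEX_CHARS = 8


def weak_id(data: bytes) -> str:
    """Truncated digest used as the content identifier (the weak link)."""
    return hashlib.md5(data).hexdigest()[:WEAK_HEX_CHARS]


def strong_id(data: bytes) -> str:
    """Independent full-length digest kept alongside the weak id."""
    return hashlib.sha256(data).hexdigest()


def find_colliding_pair(limit=1 << 17):
    """Birthday search: build `limit` innocuous variants, then vary a
    malicious variant until its weak id matches one of them. Both texts
    are constructed here; nothing is derived from real files."""
    innocuous = {}
    for i in range(limit):
        doc = b"innocuous document, revision %d" % i
        innocuous.setdefault(weak_id(doc), doc)
    for j in itertools.count():
        doc = b"malicious document, revision %d" % j
        hit = innocuous.get(weak_id(doc))
        if hit is not None:
            return hit, doc


class ContentIndex:
    """Index keyed by the weak id, as a network that identifies content by a
    single hash would be. Each entry also stores the strong id so that a
    second, different file claiming the same weak id is detected."""

    def __init__(self):
        self.entries = {}    # weak id -> (strong id, reputation)
        self.conflicts = []  # (weak id, strong id stored, strong id of newcomer)

    def register(self, data: bytes, reputation: str) -> str:
        w, s = weak_id(data), strong_id(data)
        if w not in self.entries:
            self.entries[w] = (s, reputation)
            return "new"
        stored_s, _ = self.entries[w]
        if stored_s == s:
            return "duplicate"
        # Same weak id, different full-length digest: a collision, not a copy.
        self.conflicts.append((w, stored_s, s))
        return "conflict"

    def reputation_by_weak_id(self, data: bytes):
        """What a client that trusts the weak id alone would see."""
        entry = self.entries.get(weak_id(data))
        return None if entry is None else entry[1]

    def reputation_verified(self, data: bytes):
        """Same lookup, but refuses to answer unless the strong id matches."""
        entry = self.entries.get(weak_id(data))
        if entry is None or entry[0] != strong_id(data):
            return None
        return entry[1]


if __name__ == "__main__":
    good, bad = find_colliding_pair()
    idx = ContentIndex()
    print(idx.register(good, "trusted"))            # new
    print(idx.register(bad, "untrusted"))           # conflict
    print("weak-id lookup of bad file:", idx.reputation_by_weak_id(bad))
    print("verified lookup of bad file:", idx.reputation_verified(bad))
```

The search cost scales as 2**(n/2) for an n-bit identifier, which is why the 32-bit stand-in collides after a couple of hundred thousand digests while the full 128-bit MD5 needs the structural attacks the thread refers to; the detection side, however, is independent of how the pair was produced, which is the practical takeaway for anyone keying a content index on a single hash.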