Questions tagged [sha-1]

SHA-1 is a hash function that is two generations old. It is no longer considered secure for all uses and should only be used for backward compatibility.

SHA-1 is a cryptographic function that is no longer considered collision-resistant and should only be used for backward compatibility.

"Federal agencies should stop using SHA-1 ... as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010."

288 questions
104 votes, 2 answers

What is the new attack on SHA-1 "SHAttered" and how does it work?

There's a new recent attack on SHA-1 named "SHAttered" by Google and some researchers. I understand that it uses some fancy new techniques, but not the details. My question is: How? How does the attack work (on a high level)? How does it compare to…
SEJPM

80 votes, 1 answer

How easy is it in 2022 to find a SHA1 collision?

Most of the answers I can find date to years back, when the first collision(s) were found, but hardware, mainly GPUs, has progressed a lot in the past few years (with, for example, the new line of 3090s coming). How easy is it to do so right now?
Hormoz

69 votes, 2 answers

Is truncating a SHA512 hash to the first 160 bits as secure as using SHA1?

I am from a web development background (I don't know an awful lot about cryptography or how the algorithms themselves work), so I am asking this question in simple terms. Consider a hash of the word 'test' using…
BadHorsie

52 votes, 2 answers

Why is SHA-1 considered broken?

Is there a known pair of distinct bit strings (A,B) such that SHA-1(A) == SHA-1(B)? If the answer is no, then how can SHA-1 be considered broken?
Andrew Tomazos

42 votes, 2 answers

Are there any known collisions for the SHA (1 & 2) family of hash functions?

Are there any known collisions for the hash functions SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512? By that, I mean are there known values of $a$ and $b$ where $F(a) = F(b)$ and $a ≠ b$?
Pacerier

39 votes, 2 answers

Why is HMAC-SHA1 still considered secure?

This Q & A https://security.stackexchange.com/questions/33123/hotp-with-as-hmac-hashing-algoritme-a-hash-from-the-sha-2-family says that the security of HMAC-SHA1 does not depend on resistance to collisions? Are they saying specifically with…
user93353

37 votes, 3 answers

Does "Shattered" actually show SHA-1-signed certificates are "unsafe"?

Note: I am not advocating anyone continues using SHA1-signed certificates: they are dead as far as security is concerned and should no longer be used. I'm just trying to clarify my understanding of the theoretical implications of Shattered as they…
TripeHound

36 votes, 2 answers

HMAC-SHA1 vs HMAC-SHA256

I have three questions: Would you use HMAC-SHA1 or HMAC-SHA256 for message authentication? How much HMAC-SHA256 is slower than HMAC-SHA1? Are the security improvements of SHA256 (over SHA1) enough to justify its usage?
Mario

35 votes, 2 answers

How secure is SHA1? What are the chances of a real exploit?

I read that, in February 2017, a SHA1 collision was calculated for the first time. This, and earlier theoretical proof, means that SHA1 is officially cryptographically insecure. But, when using SHA1 in a protocol (SAML assertions in my case), both…
Rob van Laarhoven

32 votes, 1 answer

How is SHA1 different from MD5?

On the surface, SHA1 and MD5 look pretty similar. Their diagrams include chunks of bits, bit rotation, xor and special functions. Their implementations are roughly the same length (at least the ones I've seen). Yet it's widely known that MD5 is…
qwr

29 votes, 1 answer

What is hardened SHA-1, how does it work and how much protection does it offer?

From the shattered website: You can use the online tool above to submit files and have them checked for a cryptanalytic collision attack on SHA-1. The code behind this was developed by Marc Stevens (CWI) and Dan Shumow (Microsoft) and is publicly…
Maarten Bodewes

29 votes, 1 answer

How are the functions used in cryptographic hash functions chosen?

I'm learning about cryptographic hash functions and I have some questions about the functions used in the compression function. MD5 uses the following functions: $f_{1}(B,C,D)=(B\wedge C)\lor(D\wedge \lnot B)$ $f_{2}(B,C,D)=(B\wedge…
Cartman123

24 votes, 2 answers

Why initialize SHA1 with specific buffer?

SHA-1 is initialized with a specific buffer: h0 = 0x67452301 h1 = 0xEFCDAB89 h2 = 0x98BADCFE h3 = 0x10325476 h4 = 0xC3D2E1F0? Why?
juaninf

21 votes, 4 answers

Does the SHA hash function always generate a fixed length hash?

I'm using the SHA1/2 family of algorithms for a particular project. I was wondering if all the SHA algorithms return a fixed length hash regardless of the length of the data.
Robin Rodricks

18 votes, 1 answer

In 2020, SHA-1 practically broken in chosen-prefix collision (CP-collision). Can double SHA-1 hashing prevent CP-collision?

In a recent study, "SHA-1 is a Shambles - First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" by Gaëtan Leurent and Thomas Peyrin, 2020, they showed the first practical chosen-prefix collision attack that required two months…
kelalaka