views:

229

answers:

3

I read that SHA-1 is being retired from the FIPS 180-2 standard.

Apparently there are weaknesses in SHA-1 that led to this decision. Can anyone elaborate on the basis for that decision? Are there implications for the use of SHA-1 in commercial applications?

My real questions are:

  • What is the state of SHA-2 support in various class libraries and platforms?
  • Should I attempt to move to SHA-2?

Interested in mainstream platforms: .NET, Java, C/C++, Python, Javascript, etc.

+2  A: 

Sha1, Sha0, md4 and md5 have all been found to be insecure over the past few years. The problem is that if an attacker can generate 2 different messages that produce the same resulting hash, this is called a collision. This causes a lot of problems for PKI's, password management, file integrity checks and more. Currently sha1 only provides 2^52 bits of security which is within reach of attackers. Where as SHA-256 (smallest member of the sha2 family) is provides 2^256 bits.

All platforms should have a SHA-256 implementation, although not all of them are native. In PHP you have to use the mhash extension. Its rather baffling that some platforms don't provide secure hash functions, I honestly believe its because they don't care about secuirty. In the case of PHP I know for a fact that they don't care about secuirty.

Currently there is nothing wrong with SHA-2 and it has a very large margin of safety. You can use SHA-512 if you are really paranoid. Sha-3 will be out in 2012, you should patch whatever you can with sha-2 like your PASSWORDS, and then move to SHA-3 when you can but SHA-512 will be good for a VERY long time.

Rook
-1 for spreading old fud
edgar.holleis
@edgar as long as php lacks basic secuirty features, like secure hash function, then this is still very relevant. I can't change facts based on what you think.
Rook
+2  A: 

Windows Vista and later supports SHA-2 in the Microsoft Enhanced RSA and AES Cryptographic Provider for CryptoAPI, and the .NET Framework has supported SHA-2 since .NET 1.1.

Michael Howard-MSFT
A: 

Most platforms now support the SHA-2 family. However, SHA-1 is still used in many applications, like SSL, and will be in use for a while.

A competition for "SHA-3" is well underway. It might be reasonable to jump from SHA-1 to the new SHA-3 standard when it arrives.

erickson
sha3 is a few years away, i'd make sure your protected by moving to sha2 asap. Its only 1 function call change, it shouldn't be a big deal for most apps (an entire PKI is a different story and that will take time to patch)
Rook
Often, switching is not an option. For example, maybe a SHA-256 TLS cipher suite isn't supported by a partner. And it's not a problem, because even if there is a vulnerability, it can't be exploited fast enough to forge MACs in a network protocol.
erickson
Hash collisions don't affect message authentication codes, they also don't affect Media Access Control addresses. Sha-3 will be out in 2012, you should patch whatever you can with sha-2 like your **PASSWORDS**.
Rook