Malte Gell wrote:
| On Sunday 20 February 2005 11:37, Kai Schaetzl wrote:
|
|> Polarizer wrote on Wed, 16 Feb 2005 13:31:49 +0100:
|>
|>> Broken is broken
|>
|> It's not broken.
|
|
| It IS broken, because the effort of finding a collision now is
| below the effort of using brute force, 2^64 vs 2^80. The same
| applies to a cipher, if the effort to find a key is below brute
| force it is broken, it's that simple. How feasible a real world
| attack is, is something different, but for a cryptographer SHA-1 is
| broken.
|
| Malte

O.K. a 2^64 key is more insecure than a 2^80 long key, but try to break it.

The next step is to find the collision. If you have any mathematical knowledge or took some courses in encryption, you would know that this is not that easy. The issue is a mathematical instability in the sha1 algorithm.

Normally I use md5. SHA1 is normally used for file integrity (afaik with ssh), so maybe Mr. Evil could hack a signed package and use this technique to break the integrity of a signed file. O.K. this is security related, but it still takes a strong effort to break keys.

Next thing is sha1 is a hashing algorithm and not an encryption algorithm. What does this mean? A calculation of the content of a file is made and gets extracted to a file with a content of bytes, comparable to adding the digits of a number.

A second application of hashing is password encryption. You don't get the password if you hack a shadow file; you get the hash value of a password. This is not the same as the password itself. This doesn't mean you are not safe anymore. But it is no longer that hard to get the sha1 value (2^64 = 1'844'674'074'000'000'000).

A next comparison would be key length vs. encryption algorithm (e.g.: twofish or blowfish is not as secure as md5). There you see some algorithms are faster or slower, and the faster ones are more insecure than the slower ones.

I think mostly high-security applications should be concerned about that.

Regards
Philippe
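Added example, not part of the original messages: the thread turns on the gap between collision effort and brute force, so this sketch truncates SHA-1 to a toy width and measures a generic birthday collision search (about 2^(n/2) hashes) against a second-preimage search (about 2^n hashes), the property a stored password hash relies on. The function names, message formats and the 16-bit width are assumptions chosen so it runs in seconds.

```python
import hashlib

def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data): a deliberately weakened toy hash."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)

def find_collision(bits: int):
    """Generic birthday search: any two distinct messages with equal hashes.
    Returns (msg_a, msg_b, hashes_computed)."""
    seen = {}
    n = 0
    while True:  # terminates by pigeonhole after at most 2**bits + 1 messages
        msg = b"msg-%d" % n
        h = truncated_sha1(msg, bits)
        n += 1
        if h in seen:
            return seen[h], msg, n
        seen[h] = msg

def find_second_preimage(target: bytes, bits: int, limit: int):
    """Brute force: a different message matching the hash of one fixed target.
    Returns (msg, hashes_computed), or (None, limit) if the budget runs out."""
    want = truncated_sha1(target, bits)
    for n in range(1, limit + 1):
        msg = b"try-%d" % n  # never equal to target because of the prefix
        if truncated_sha1(msg, bits) == want:
            return msg, n
    return None, limit

if __name__ == "__main__":
    bits = 16  # toy width; full SHA-1 is 160 bits
    a, b, c_tries = find_collision(bits)
    target = b"stored-password"  # constructed sample value
    m, p_tries = find_second_preimage(target, bits, 1 << 21)
    print(f"collision after {c_tries} hashes: {a!r} / {b!r}")
    print(f"second preimage after {p_tries} hashes: {m!r}")
    # Scaled to 160 bits the generic costs are 2^80 (collision) and 2^160
    # (second preimage); the thread's 2^64 figure is a collision cost only.
    print(f"generic expectation: ~2^{bits // 2} vs ~2^{bits}")
```

A collision lets someone who chooses both inputs get one signature to cover two documents; it does not by itself recover an input from a given hash value.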