What the....?
SHA-1 has been known to be broken since at least 2005!
So NIST are saying that a 25 window to stop using it is okay?
As such, NIST should limit themselves to advising on puppy dog tails and raising unicorns.
The US National Institute of Standards and Technology (NIST) says it's time to retire Secure Hash Algorithm-1 (SHA-1), a 27-year-old weak algorithm used in security applications. "We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible," said NIST computer scientist Chris Celi, in a …
There are 'curly horses' whose coat can be quite woolly
You can totally "rely on sha1 for security" as long as you don't rely on it to provide collision resistance when inputs can be manipulated. And are not interested in dictionary attacks (if you are concerned about dictionary attacks none of the other sha hashes are recommended)
Still plenty of good use cases: many in security.
Sha1 fine for a checksum shorter than 256 bits.
Signing a cert is not one of them (can't control inputs) but there are plenty of signing use cases that would be valid except for the fact that security bods will probably fail your audit. In which case you can do a sha256 hash and crop it to sha1 length.
Some will say that the odds of a SHA-1 collision for file deduplication are an impossible 1 in 2^160. On the flip side, math says that if you are hashing files with 100 million bits, there could be up to 2^99999840 collisions. I once saw a colliding cryptographic-strength UUID glitch a financial system. My trust is that large computer systems can brute-force their way through impossible odds.
Ah, I remember the good old days when computers were slow and a "1 in a million" bug was something you had a day or two to fix.
It's a mistake to think that sha256 "can't happen" or "nobody can make a collision".
Assume it can and make sure nothing too bad happens.
Assume it will and that nothing too bad happens on that day and you can rapidly change.
Relying on any one layer of security is a problem; having one "broken" but quite fast and easy layer in the stack is not a problem.
Some will say that the odds of a SHA-1 collision for file deduplication are an impossible 1 in 2^160.
For an accidental collision, for any 160-bit hash algorithm.
The reason for discontinuing the use of SHA-1 is that the algorithm itself is broken. It is possible to engineer two messages that have the same SHA-1 hash, and to do so much more quickly than searching through all possible messages until two with the same hash are found by coincidence.
That is why the algorithm is deprecated.
Not in the 3Par family (and Primera, Alletra 9000, and whatever new name they'll give it).
As far as I'm aware, the dedupe engine uses SHA256 hashes, and if it matches, even that's not enough, it does a bit-by-bit comparison.
That's right, even SHA256 isn't considered acceptable for data integrity, and is just used to know whether Inform OS should bother investigating deduping that block.
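The hash-as-candidate, then bit-for-bit compare pattern described above, as an added example (not HPE/3PAR or Inform OS code). The hash is truncated to a few bits and the block names are constructed purely to force a collision, so the difference between checking the bytes and trusting the hash is visible:

```python
"""Hash-then-verify dedupe (added example, not HPE/3PAR or Inform OS code).
The hash only nominates a candidate duplicate; bytes are compared before a
block is deduplicated. A truncated hash stands in for one that collides."""
import hashlib

def candidate_key(block: bytes, nbits: int = 256) -> str:
    """SHA-256 of the block, truncated to nbits (256 = full digest)."""
    return hashlib.sha256(block).hexdigest()[: nbits // 4]

class DedupeStore:
    """Maps a candidate key to the distinct blocks stored under it."""
    def __init__(self, verify: bool = True, nbits: int = 256) -> None:
        self.verify = verify
        self.nbits = nbits
        self.buckets: dict[str, list[bytes]] = {}

    def put(self, block: bytes) -> tuple[str, int]:
        """Store block, returning the (key, slot) needed to read it back."""
        key = candidate_key(block, self.nbits)
        bucket = self.buckets.setdefault(key, [])
        if self.verify:
            for slot, stored in enumerate(bucket):
                if stored == block:   # bit-for-bit identical: a real duplicate
                    return key, slot
        elif bucket:
            return key, 0             # hash match taken as proof, no check
        bucket.append(block)
        return key, len(bucket) - 1

    def get(self, key: str, slot: int) -> bytes:
        return self.buckets[key][slot]

    def unique_blocks(self) -> int:
        return sum(len(b) for b in self.buckets.values())

def colliding_pair(nbits: int) -> tuple[bytes, bytes]:
    """Constructed inputs: two different blocks with equal truncated keys."""
    first = b"constructed block 0"
    target = candidate_key(first, nbits)
    i = 1
    while candidate_key(b"constructed block %d" % i, nbits) != target:
        i += 1
    return first, b"constructed block %d" % i

def round_trip_ok(verify: bool, nbits: int = 8) -> bool:
    """True if both colliding blocks read back unchanged from the store."""
    a, b = colliding_pair(nbits)
    store = DedupeStore(verify=verify, nbits=nbits)
    (ka, sa), (kb, sb) = store.put(a), store.put(b)
    return store.get(ka, sa) == a and store.get(kb, sb) == b
```

With `verify=False` the second block silently reads back as the first one's bytes; with the compare step it is stored as a distinct block under the same key.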
Recently it was found that passwords created with many ZIP programs can create the same hash for two different passwords (differing lengths). ZIP uses the PBKDF2 hash, which uses SHA-1 in its pseudorandom number generator, but passwords encrypting with AES-256 that were longer were hashing to be opened with two different passwords that hashed to the same values. Article name "An encrypted ZIP file can have two correct passwords.". I'm not sure I am allowed to post the website name.
The elephant in the room is git, of course. While it has experimental support for using other hash algorithms at this point, I'm not aware of anyone using anything besides sha1.
Meanwhile, the s3 upload API still only supports md5 for integrity checks, and many people who I work with (in "technically not a developer but their job description sure has a lot of overlap with one" roles) still use md5 out of basically muscle memory.
S3 upload? OK, but that's for integrity, not for warding off malicious changes, or isn't it? I'm not using it, so I don't know. Maybe others can enlighten me?
For git it is only used to identify the commit (and mostly only the last eight or so digits), as far as I understand, so I don't see the problem. Unless I'm mistaken, which is not unlikely. Do you know if there's a transitioning process?
git 2.13.0 already defends against the "known" SHAttered attack (for commits made in 2.13.0 and newer)
There is a transition plan in place for individual repositories for a few years, however the git protocol itself does not yet have SHA-256 support, so it cannot be done for repos accessed via the git protocol.
Aside from that, the nature of a distributed system means that transitioning takes quite a long time. The two must work in parallel for quite some time.
So I can use SHA 256 on local repos - and likely on remote ones accessed via, say, ssh. Good to know. I'll need to check which version we are running and then plan the steps (with our admin), and then make the other users do the changes as well (though some of them are really against any sort of change, despite being younger than me). The only person (doing actual work) who is older than me is our admin - and he drives quite a number of innovations, cool dude. Not appreciated by all, though. Especially the young-by-birthdate-but-oh-so-set-in-behaving-like-COFs (COF: crusty old fart).
Defence against malicious attack and detection of accidental corruption are different use cases, with different needs.
Credit cards have a check digit, S-Record format uses a simple checksum etc.
MD5 or SHA-1 may be reasonable replacements for a checksum, but not for detection of an actual attack.
Trouble arises when people start treating a checksum as securing them against malice, of course.
There are various ways to break a cryptographic hash function. The first is to generate two different messages with the same hash value (a collision attack). This is the easiest break for the attacker, and SHA-1 has been broken like this for some time, and has not been allowed by NIST for uses where this matters for some time either.
The next break is: given a specific message (defender controlled), find another (different) message with the same hash value (a pre-image attack). Not only has SHA-1 not been publicly broken like this, neither has MD5. If you have an expert cryptographer on hand†, they can advise you whether your application is vulnerable to a collision attack, or whether it needs a pre-image attack to break it. If it needs a pre-image attack, there is no need to panic (but move away from SHA-1 at your earliest convenience).
† Don't look at me, I just use a few handy rules of thumb when doing crypto - one of which is "don't use SHA-1".
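To put rough numbers on the collision vs pre-image distinction drawn above, an added example (not the poster's) that measures both on a toy n-bit hash made by truncating SHA-256. It demonstrates the generic birthday bound that applies to any n-bit hash, not SHA-1's specific structural weakness; the message strings are constructed:

```python
"""Collision vs second pre-image effort on a toy hash (added example).
For an n-bit hash, some colliding pair is expected after about
sqrt(pi/2 * 2^n) trials (birthday bound), while matching the digest of one
given message takes about 2^n. The toy hash is SHA-256 truncated to n bits."""
import hashlib
import math

def toy_hash(data: bytes, nbits: int) -> int:
    """Top nbits of SHA-256 as an integer (a stand-in for an n-bit hash)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - nbits)

def find_collision(nbits: int) -> tuple[int, bytes, bytes]:
    """Hash constructed messages until any two share a digest.
    Returns (trials, msg_a, msg_b) with msg_a != msg_b."""
    seen: dict[int, bytes] = {}
    for i in range(2 ** nbits + 1):          # pigeonhole: must succeed by here
        msg = b"msg-%d" % i
        h = toy_hash(msg, nbits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    raise AssertionError("unreachable")

def find_second_preimage(nbits: int, target: bytes) -> tuple[int, bytes]:
    """Hash constructed messages until one other than target has its digest.
    Returns (trials, msg)."""
    want = toy_hash(target, nbits)
    i = 0
    while True:
        msg = b"cand-%d" % i
        i += 1
        if msg != target and toy_hash(msg, nbits) == want:
            return i, msg

def expected_trials(nbits: int) -> tuple[float, float]:
    """(birthday-bound collision trials, brute-force pre-image trials)."""
    return math.sqrt(math.pi / 2 * 2 ** nbits), float(2 ** nbits)

if __name__ == "__main__":
    n = 20
    c_trials, a, b = find_collision(n)
    p_trials, _ = find_second_preimage(n, b"defender-controlled message")
    lo, hi = expected_trials(n)
    print(f"{n}-bit toy hash: collision after {c_trials} trials "
          f"(expected ~{lo:.0f}), second pre-image after {p_trials} "
          f"(expected ~{hi:.0f})")
```

Run it at n=20 and the collision lands in roughly a thousand trials while the pre-image search needs on the order of a million; that gap is why a collision attack is the cheapest break and why an application that needs a pre-image to be broken is in a different risk class.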
Industry, business, Government and people move at tortoise speed when abandoning a protocol, standard or simply upgrading. Microsoft and vendors have been prolonging the permanent death of SMBv1; even now it still ships with Windows 11 and is in use even though deprecated in 2013. (original to DOS/OS/2 for networking 1990, developed by IBM 1883). There are still WannaCry infections happening due to this obsolete protocol and the lack of patching or upgrading to avoid it. Allowing another 8 years for the use of SHA-1 is ridiculous, SHA-2 has been out since 2004, SHA-3 has been out since 2015. 18 years (release of SHA-2) is plenty of time to move away from SHA-1. Its close companion over the years, NetBIOS, needs to be sent to pasture.
The U.S. Government's Cybersecurity & Infrastructure Security Agency (CISA) allows 5 years for agencies and corporations to patch. This same agency is charged with securing infrastructure, yet years after Stuxnet much of industry and infrastructure are increasingly automated with insecure PLCs, networks and systems, even while hacks on infrastructure and industry rage on. Though this push to secure infrastructure originates with Ronald Reagan's Presidency 1981-1989 after seeing the movie "War Games", Reagan had little success and 40 years later the battle rages on. People, businesses and industry still cling to Windows XP and 7; Windows 10 will linger on long past 2025 as fear of change keeps people clutching to the past.