Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms
RFC 6194
Document | Type |
RFC - Informational
(March 2011; Errata)
Was draft-turner-sha0-sha1-seccon (individual in gen area)
|
|
---|---|---|---|
Authors | Tim Polk , Lily Chen , Sean Turner , Paul Hoffman | ||
Last updated | 2020-01-21 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized with errata bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 6194 (Informational) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Peter Saint-Andre | ||
Send notices to | (None) |
Internet Engineering Task Force (IETF) T. Polk Request for Comments: 6194 L. Chen Category: Informational NIST ISSN: 2070-1721 S. Turner IECA P. Hoffman VPN Consortium March 2011 Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms Abstract This document includes security considerations for the SHA-0 and SHA-1 message digest algorithm. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6194. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Polk, et al. Informational [Page 1] RFC 6194 SHA-0 and SHA-1 Security Consideration March 2011 1. Introduction The Secure Hash Algorithms are specified in [SHS]. A previous version of [SHS] also specified SHA-0. SHA-0, first published in 1993, and SHA-1, first published in 1996, are message digest algorithms, sometimes referred to as hash functions or hash algorithms, that take as input a message of arbitrary length and produce as output a 160-bit "fingerprint" or "message digest" of the input. The published attacks against both algorithms show that it is not prudent to use either algorithm when collision resistance is required. [HASH-Attack] summarizes the use of hashes in Internet protocols and discusses how attacks against a message digest algorithm's one-way and collision-free properties affect and do not affect Internet protocols. Familiarity with [HASH-Attack] is assumed. Some may find the guidance for key lengths and algorithm strengths in [SP800-57] and [SP800-131] useful. 2. SHA-0 Security Considerations What follows are summaries of recent attacks against SHA-0's collision, pre-image, and second pre-image resistance. Additionally, attacks against SHA-0 when used as a keyed-hash (e.g., HMAC-SHA-0) are discussed. The U.S. National Institute of Standards and Technology (NIST) withdrew SHA-0 in 1996. That is, NIST no longer considers it appropriate to use SHA-0 for any transactions associated with the use of cryptography by U.S. federal government agencies for the protection of sensitive, but unclassified information. SHA-0 is discussed here only for the sake of completeness. Any use of SHA-0 is strongly discouraged. Analysis of SHA-0 continues today because many see it as a weaker version of SHA-1. 2.1. Collision Resistance The first attack on SHA-0 was published in 1998 [CHJO1998] and showed that collisions can be found in 2^61 operations. In 2006, [NSSYK2006] showed an improved attack that can find collisions in 2^36 operations. In any case, the known research results indicate that SHA-0 is not as collision resistant as expected. The collision security strength is significantly less than an ideal hash function (i.e., 2^36 compared to 2^80). Polk, et al. Informational [Page 2] RFC 6194 SHA-0 and SHA-1 Security Consideration March 2011 2.2. Pre-Image and Second Pre-Image Resistance The pre-image and second pre-image attacks published on reduced versions of SHA-0 (i.e., less than 80 rounds) indicate that the security margin of SHA-0 is resistant to these attacks. [deCARE2008] showed a pre-image attack on 49 out of 80 rounds with complexity ofShow full document text