Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms
RFC 6194
| Document | Type |
RFC - Informational
(March 2011; Errata)
Was draft-turner-sha0-sha1-seccon (individual in gen area)
|
|
|---|---|---|---|
| Last updated | 2015-10-14 | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 6194 (Informational) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Peter Saint-Andre | ||
| Send notices to | (None) | ||
Internet Engineering Task Force (IETF) T. Polk
Request for Comments: 6194 L. Chen
Category: Informational NIST
ISSN: 2070-1721 S. Turner
IECA
P. Hoffman
VPN Consortium
March 2011
Security Considerations for
the SHA-0 and SHA-1 Message-Digest Algorithms
Abstract
This document includes security considerations for the SHA-0 and
SHA-1 message digest algorithm.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6194.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Polk, et al. Informational [Page 1]
RFC 6194 SHA-0 and SHA-1 Security Consideration March 2011
1. Introduction
The Secure Hash Algorithms are specified in [SHS]. A previous
version of [SHS] also specified SHA-0. SHA-0, first published in
1993, and SHA-1, first published in 1996, are message digest
algorithms, sometimes referred to as hash functions or hash
algorithms, that take as input a message of arbitrary length and
produce as output a 160-bit "fingerprint" or "message digest" of the
input. The published attacks against both algorithms show that it is
not prudent to use either algorithm when collision resistance is
required.
[HASH-Attack] summarizes the use of hashes in Internet protocols and
discusses how attacks against a message digest algorithm's one-way
and collision-free properties affect and do not affect Internet
protocols. Familiarity with [HASH-Attack] is assumed.
Some may find the guidance for key lengths and algorithm strengths in
[SP800-57] and [SP800-131] useful.
2. SHA-0 Security Considerations
What follows are summaries of recent attacks against SHA-0's
collision, pre-image, and second pre-image resistance. Additionally,
attacks against SHA-0 when used as a keyed-hash (e.g., HMAC-SHA-0)
are discussed.
The U.S. National Institute of Standards and Technology (NIST)
withdrew SHA-0 in 1996. That is, NIST no longer considers it
appropriate to use SHA-0 for any transactions associated with the use
of cryptography by U.S. federal government agencies for the
protection of sensitive, but unclassified information. SHA-0 is
discussed here only for the sake of completeness.
Any use of SHA-0 is strongly discouraged. Analysis of SHA-0
continues today because many see it as a weaker version of SHA-1.
2.1. Collision Resistance
The first attack on SHA-0 was published in 1998 [CHJO1998] and showed
that collisions can be found in 2^61 operations. In 2006,
[NSSYK2006] showed an improved attack that can find collisions in
2^36 operations.
In any case, the known research results indicate that SHA-0 is not as
collision resistant as expected. The collision security strength is
significantly less than an ideal hash function (i.e., 2^36 compared
to 2^80).
Polk, et al. Informational [Page 2]
RFC 6194 SHA-0 and SHA-1 Security Consideration March 2011
2.2. Pre-Image and Second Pre-Image Resistance
The pre-image and second pre-image attacks published on reduced
versions of SHA-0 (i.e., less than 80 rounds) indicate that the
security margin of SHA-0 is resistant to these attacks. [deCARE2008]
showed a pre-image attack on 49 out of 80 rounds with complexity of
Show full document text