Collision attacks against SHA1

Although not formally confirmed yet, Bruce Schneier published information that the SHA1 secure hash algorithm is prone to collision attacks.

This news was posted on Bruce Schneier's weblog as an announcement, describing a paper that is not currently available publicly.

In itself, this does not render other secure hashing algorithms useless, but note that a recent attack also made MD5 and SHA0 (a.k.a. SHA) less reliable -- those attacks were more constrained in form than this one, but are of similar impact for the forms they address. And if there is anything you don't want from a hash, it is having to wonder which input forms can safely be put into it.

The root certificates of OpenFortress use SHA1 in their self-signature, and to sign lower level certificates. Although the RSA private keys in these certificates are not threatened by this problem, the root certificates are now less secure.

There is no need for short-term panic though. The attacks described above are all collision attacks -- meaning, they make it possible to find two hash inputs with the same output. Although this makes certain attacks possible, it does not directly endanger our root certificates -- because finding another hash input for a given output (namely, the value used in the certificate's signature) is a second-preimage attack, whose cost is roughly the square of the cost of these collision attacks.

Signatures that use SHA1 over data provided (in part or in whole) by a potentially unreliable source are no longer automatically secure; signatures over certificates incorporating a person's identity are an example. The reason is that such a data source can prepare two pieces of data with the same SHA1 hash, have one of them signed, but actually use the other, exploiting a signature that was never intended for it.
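The two points above (collision search being the square root of the work of a second-preimage search, and a signature over a digest transferring to any other input with the same digest) can be shown concretely. The following is an added example, not code from the original post or from OpenFortress. It assumes a 32-bit truncation of SHA-1 as a stand-in for a broken hash (so a birthday search finishes in well under a second) and an HMAC over the digest as a stand-in for the CA's RSA signature; what matters is only that the signature covers the digest, not the message. The signer-chosen nonce at the end is a known mitigation (analogous to a random certificate serial number) and is not something the post itself proposes.

```python
"""Collision vs. second preimage, and why a collision lets a signature
transfer to data the signer never saw.

Assumptions (constructed for this example, not from the original post):
  * weak_digest() is SHA-1 truncated to N_BITS bits;
  * sign() is an HMAC over that digest, standing in for an RSA signature.
"""
import hashlib
import hmac
import secrets

N_BITS = 32                            # toy hash width; real SHA-1 is 160 bits
SIGNING_KEY = secrets.token_bytes(32)  # the "CA private key" (constructed)


def weak_digest(data: bytes) -> bytes:
    """Truncated SHA-1: the first N_BITS bits of the real digest."""
    return hashlib.sha1(data).digest()[: N_BITS // 8]


def sign(data: bytes) -> bytes:
    """The signature binds only to the digest of the data, never the data."""
    return hmac.new(SIGNING_KEY, weak_digest(data), "sha256").digest()


def verify(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(data), signature)


def generic_costs(n_bits: int = N_BITS) -> tuple[float, int]:
    """Generic work factors: (collision via birthday search, second preimage).

    The second figure is the square of the first, which is the post's point
    that a collision attack does not by itself endanger an existing signature.
    """
    return 2 ** (n_bits / 2), 2 ** n_bits


def find_collision(prefix: bytes) -> tuple[bytes, bytes]:
    """Birthday search: two distinct inputs sharing a weak_digest.

    Expected cost is about 2**(N_BITS/2) digest computations.
    """
    seen: dict[bytes, bytes] = {}
    counter = 0
    while True:
        candidate = prefix + counter.to_bytes(8, "big")
        d = weak_digest(candidate)
        if d in seen:
            return seen[d], candidate
        seen[d] = candidate
        counter += 1


def signature_transfers(prefix: bytes = b"CN=Alice,O=Example;") -> bool:
    """The scenario from the post: the submitter prepares a colliding pair,
    has the harmless-looking m1 signed, then presents m2 with m1's signature."""
    m1, m2 = find_collision(prefix)
    sig = sign(m1)                       # signer only ever sees m1
    return m1 != m2 and verify(m2, sig)  # True: the signature also covers m2


def signature_transfers_with_signer_nonce(prefix: bytes = b"CN=Alice,O=Example;") -> bool:
    """Mitigation (assumed, not from the post): the signer mixes in data the
    submitter cannot predict before hashing, e.g. a random serial number.
    The precomputed pair no longer collides under the nonced input."""
    m1, m2 = find_collision(prefix)
    nonce = secrets.token_bytes(16)      # chosen by the signer after seeing m1
    sig = sign(nonce + m1)
    return verify(nonce + m2, sig)       # False: the pair was built for the bare prefix


if __name__ == "__main__":
    print("collision, 2nd preimage cost at 160 bits:", generic_costs(160))
    print("signature transfers to colliding input:", signature_transfers())
    print("still transfers with signer nonce:", signature_transfers_with_signer_nonce())
```

The birthday search over a 32-bit digest needs on the order of 2^16 hash computations, while a second preimage of a fixed 32-bit value would need about 2^32; scaling the same ratio to 160 bits is why the post distinguishes the two attack types. The mitigation function shows the defender's lever: data the signer adds after the submitter's input is fixed breaks any pair prepared in advance.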

There is an easier version of this document on the security weblog.

Posted on Wed, 16 Feb 2005, 09:08.


 