
NSA's SHA-1 Hash Broken


From the Slashdot (*duck*) article.
"From Bruce Schneier's weblog: 'SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing. The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper announcing their results...'" Note, though, that Schneier also writes "The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team."

For reference:
SHA-1 is RFC 3174
Wikipedia Entry:
NIST Summary:

SHA-1 is generally considered to be one of the most secure hashes available (invented by the NSA, IIRC).

One of the major factors is that SHA-1 is used for password hashes in a huge number of applications. A hash is supposed to be infeasible to reverse back to the original plain text. That is what makes it useful for password storage: because the hash cannot be reversed, even someone who has the password table gains nothing from it. To check a password, hash whatever is entered at login and see if it matches the stored hash.

Example hash: The quick brown fox jumps over the lazy dog = 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12

There are multiple possible inputs that produce the same SHA-1 output, just as with MD5. All you have to do is find a match, and you've effectively guessed someone's password. If you're at a login and "dogs" and "elephants" produce the same hash, it doesn't matter that your password is really the first, since the second will work.
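As an added example (not code from the original post), the following Python carries the scheme described above through: hash the password when it is stored, re-hash the login attempt, compare. It also checks the digest quoted for the quick-brown-fox sentence and tests whether two candidate inputs such as the post's hypothetical "dogs"/"elephants" pair actually collide (they do not; what Wang, Yin and Yu announced is a method to construct colliding pairs, not a way to recover a password from a stored digest). The dict-based table, the user name "alice" and the PBKDF2 functions at the end are assumptions of this example; the PBKDF2 part goes beyond the post to show the salted, iterated form a defender would use instead of a bare hash.

```python
import hashlib
import hmac
import os

# Added example, not code from the original post. Digests are hex strings and
# the password table is a plain dict (assumption of this example).


def sha1_hex(text: str) -> str:
    """Hex SHA-1 digest of a UTF-8 encoded string."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def store_password_sha1(table: dict, user: str, password: str) -> None:
    """Unsalted SHA-1 table entry, exactly the scheme the post describes."""
    table[user] = sha1_hex(password)


def check_password_sha1(table: dict, user: str, candidate: str) -> bool:
    """Re-hash the login attempt and compare it with the stored digest."""
    stored = table.get(user)
    if stored is None:
        return False
    # compare_digest takes the same time wherever the strings differ, so the
    # comparison itself does not leak the stored digest through timing.
    return hmac.compare_digest(stored, sha1_hex(candidate))


def inputs_collide(a: str, b: str) -> bool:
    """True only if two *different* inputs yield the same SHA-1 digest."""
    return a != b and sha1_hex(a) == sha1_hex(b)


# Salted, iterated variant using PBKDF2-HMAC-SHA1 from the standard library
# (beyond the post). A per-account salt makes a precomputed digest table
# useless across accounts; the iteration count slows down each guess.
def store_password_pbkdf2(table: dict, user: str, password: str,
                          iterations: int = 100_000) -> None:
    salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    table[user] = (salt, iterations, dk)


def check_password_pbkdf2(table: dict, user: str, candidate: str) -> bool:
    entry = table.get(user)
    if entry is None:
        return False
    salt, iterations, dk = entry
    probe = hashlib.pbkdf2_hmac("sha1", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, probe)


if __name__ == "__main__":
    # The digest the post quotes for the quick-brown-fox sentence.
    print(sha1_hex("The quick brown fox jumps over the lazy dog"))
    users = {}
    store_password_sha1(users, "alice", "dogs")              # constructed sample
    print(check_password_sha1(users, "alice", "dogs"))       # True
    print(check_password_sha1(users, "alice", "elephants"))  # False
    print(inputs_collide("dogs", "elephants"))               # False
```

Run it as a script to see the quoted digest reproduced and the login checks for the sample account; `inputs_collide` is the test that a second password would have to pass for the scenario in the post to apply.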