
This queue is for tickets about the Digest-SHA CPAN distribution.

Report information
The Basics
Id: 11879
Status: resolved
Worked: 30 min
Priority: 0/
Queue: Digest-SHA

People
Owner: Nobody in particular
Requestors: tsee [...] gmx.net
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)
Subject: SHA broken
SHA-1 has been broken. It would be a good idea to suggest the use of better algorithms (or, at that, at least longer digests like SHA-512). I think it would be a good idea to mention that in the docs. Thank you!
RT-Send-CC: mshelor [...] cpan.org
[guest - Tue Mar 15 10:49:29 2005]:
> SHA-1 has been broken. It would be a good idea to suggest the use of
> better algorithms (or, at that, at least longer digests like SHA-512).
>
> I think it would be a good idea to mention that in the docs. Thank
> you!
Thanks for the update. But although one can find collisions in SHA-1 by examining at least 2^69 messages, this number is HUGE and sifting through this many messages is still out of reach of current technology; so there should be no reason to panic. Anyway, there is still SHA-224/384/512, Whirlpool and Haval256 to choose from if you're the paranoid type.
[guest - Tue Mar 15 10:49:29 2005]:
> SHA-1 has been broken. It would be a good idea to suggest the use of
> better algorithms (or, at that, at least longer digests like SHA-512).
>
> I think it would be a good idea to mention that in the docs. Thank
> you!
Agreed. The crypto community appears to recommend SHA-256 as the natural replacement for SHA-1. AFAIK, HMAC-SHA-1 is still secure. The docs for v. 5.29 will be updated with an appropriately cautionary note. Thus far, I've seen no actual SHA-1 collisions, but nonetheless accept the fact that its security has been effectively reduced to 2^69.
Mark
I've added a CAUTIONARY NOTE to the docs for Digest::SHA and Digest::SHA::PurePerl (as of version 5.30). The NOTE warns of the SHA-1 break, and advises that the stronger SHA-256 algorithm should be used in security-critical applications.
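The migration the cautionary note recommends, as an added example (not code from the Digest::SHA distribution or its docs): digests are stored with an algorithm tag so that records written with SHA-1 can still be verified while every new record uses SHA-256, and the HMAC variant is shown for keyed integrity. The `tagged_digest`/`verify_tagged`/`upgrade_digest` helpers, the `alg:hex` format, the sample data and the key are all assumptions made for this illustration; only the `Digest::SHA` functions are the module's own API.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex sha256_hex hmac_sha256_hex);

# Algorithm tag => Digest::SHA function. SHA-1 stays in the table only so
# that digests written before the migration can still be verified; nothing
# new should be created with it.
my %digest_for = (
    'sha1'   => \&sha1_hex,
    'sha256' => \&sha256_hex,
);

# Store digests as "alg:hex" so the algorithm travels with the value
# (hypothetical format for this example).
sub tagged_digest {
    my ($alg, $data) = @_;
    my $fn = $digest_for{$alg} or die "unsupported algorithm: $alg\n";
    return "$alg:" . $fn->($data);
}

# Verify $data against a tagged digest; returns 1 on match, 0 otherwise.
# The XOR loop compares every byte so timing does not reveal where a
# mismatch occurs.
sub verify_tagged {
    my ($tagged, $data) = @_;
    my ($alg, $hex) = split /:/, $tagged, 2;
    my $fn = $digest_for{$alg} or return 0;
    my $expect = $fn->($data);
    return 0 if length($expect) != length($hex);
    my $diff = 0;
    $diff |= ord(substr($expect, $_, 1)) ^ ord(substr($hex, $_, 1))
        for 0 .. length($hex) - 1;
    return $diff == 0 ? 1 : 0;
}

# Re-tag a legacy record with SHA-256 once the original data is at hand;
# returns undef if the legacy digest does not verify.
sub upgrade_digest {
    my ($tagged, $data) = @_;
    return $tagged if $tagged =~ /^sha256:/;
    return verify_tagged($tagged, $data) ? tagged_digest('sha256', $data) : undef;
}

my $data   = "The quick brown fox jumps over the lazy dog";  # constructed sample
my $legacy = tagged_digest('sha1', $data);                   # pre-migration record
my $fresh  = upgrade_digest($legacy, $data);                 # now sha256:...
print "$legacy\n$fresh\n";
print verify_tagged($fresh, $data) ? "verified\n" : "FAILED\n";
print "HMAC-SHA-256: ", hmac_sha256_hex($data, "example-key"), "\n";
```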