
SHA-1: Difference between revisions

Content deleted Content added
→‎Cryptanalysis and validation: see Password cracking
Line 67:
For a hash function for which ''L'' is the number of bits in the message digest, finding a message that corresponds to a given message digest can always be done using a brute force search in approximately 2<sup>''L''</sup> evaluations. This is called a [[preimage attack]] and may or may not be practical depending on ''L'' and the particular computing environment. However, a ''collision'', consisting of finding two different messages that produce the same message digest, requires on average only about {{nowrap|1.2 × 2<sup>''L''/2</sup>}} evaluations using a [[birthday attack]]. Thus the [[Security level|strength]] of a hash function is usually compared to a symmetric cipher of half the message digest length. SHA-1, which has a 160-bit message digest, was originally thought to have 80-bit strength.
 
Some of the applications that use cryptographic hashes, like password storage, are only minimally affected by a collision attack. Constructing a password that works for a given account requires a [[preimage attack]], as well as access to the hash of the original password, which may or may not be trivial. Reversing password encryption (e.g. to obtain a password to try against a user's account elsewhere) is not made possible by the attacks. (However, even a secure password hash can't prevent brute-force attacks on [[password strength|weak passwords]].) ''See'' [[Password cracking]].
 
In the case of document signing, an attacker could not simply fake a signature from an existing document: The attacker would have to produce a pair of documents, one innocuous and one damaging, and get the private key holder to sign the innocuous document. There are practical circumstances in which this is possible; until the end of 2008, it was possible to create forged [[Transport Layer Security|SSL]] certificates using an [[MD5]] collision.<ref>{{cite web|first1=Alexander |last1=Sotirov|first2=Marc |last2=Stevens|first3=Jacob |last3=Appelbaum|first4=Arjen |last4=Lenstra|first5=David |last5=Molnar|first6=Dag Arne |last6=Osvik|first7=Benne |last7=de Weger|url=http://www.win.tue.nl/hashclash/rogue-ca/|title=MD5 considered harmful today: Creating a rogue CA certificate|access-date=March 29, 2009|date=December 30, 2008}}</ref>
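
Review bot: the appended "''See'' [[Password cracking]]." at the end of the password-storage paragraph is a bare pointer stranded after the parenthetical on weak passwords. It would read better as an inline link on "brute-force attacks" inside that parenthetical, so the reference sits on the claim it supports. In the same paragraph, "Reversing password encryption" describes stored password hashes as encryption; wording such as "recovering a password from its hash" matches the rest of the paragraph. [[preimage attack]] is also linked a second time there, after already being linked in the preceding paragraph.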