
Date created: 8/20/2003
Last updated: July 25, 2007

Technical comments: nsrl@nist.gov

NSRL and Recent Cryptographic News

August 19, 2004

The NSRL staff have received questions about the announcement of a SHA-0 collision at the CRYPTO 2004 conference, as well as other collisions. NIST staff from the Computer Security Division were in attendance, and the statements here are meant to reflect the ramifications of the announcement on the NSRL, not on general cryptography nor on hashing applications elsewhere. One of the NIST attendees has communicated to the NSRL project that "nothing presented at Crypto 2004 indicated that SHA-1 has been broken."

NSRL staff have confirmed the SHA-0 collision that was identified by using two differing 2048-bit files. The SHA-0 algorithm was known to be flawed, which is why it was superseded by SHA-1.

The two colliding files have different MD5, SHA-1 and SHA-256 hash values.

The work performed to compute the two colliding files was considerable:

"The computation was performed on TERA NOVA (a 256 Intel-Itanium2 system developed by BULL SA, installed in the CEA DAM open laboratory TERA TECH). It required approximately 80 000 CPU hours. The complexity of the attack was about 2^51."

This was not a "pre-image" attack; that is, the researchers did not identify a known file in the NSRL and attempt to generate a differing file of the same size with a matching hash value.

Based on the points above, the NSRL project does not see any fatal ramifications from the collision announcement.

There are known MD5 collisions and weaknesses, and MD5 is not recognized by FIPS 140-2, Security Requirements for Cryptographic Modules. The NSRL data provides an MD5 to SHA-1 mapping to facilitate the migration away from MD5.

Attempts to apply the methods used to break SHA-0 and MD5 so far have not succeeded when applied against SHA-1. However, SHA-1 will be superseded in 2010 by FIPS 180-2, Secure Hash Standard (SHA-224, SHA-256, SHA-384 and SHA-512). The NSRL data will provide a SHA-1 to SHA-256 mapping to facilitate the migration away from SHA-1.

If the risk of applying only one hash value is above accepted levels, multiple hash values may be used to reduce the risk. For example, if MD5 alone cannot provide a certain level of assurance, use both MD5 and SHA-1 in combination with the file size. The NSRL provides several hash values and the file size, and it is highly improbable that a pre-image attack will be found soon that can generate a combination of hash collisions.
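The combined check described above, written out as an added example (not NSRL tooling): a reference record carries several digests plus the file size, and a candidate is accepted as a known file only when every required field agrees, so a collision in a single algorithm cannot by itself produce a false match. The record layout, field names and the `required` default are assumptions for this illustration.

```python
import hashlib
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class HashRecord:
    """One reference entry: several digests plus size (assumed layout)."""
    sha1: str
    md5: str
    sha256: str
    crc32: str
    size: int


def hash_record(data: bytes) -> HashRecord:
    """Compute every field of the record for a file's contents."""
    return HashRecord(
        sha1=hashlib.sha1(data).hexdigest(),
        md5=hashlib.md5(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
        crc32=f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        size=len(data),
    )


FIELDS = ("sha1", "md5", "sha256", "crc32", "size")


def match_fields(candidate: HashRecord, reference: HashRecord) -> dict:
    """Compare field by field, so a single colliding digest shows up as
    one agreeing field among disagreeing ones rather than as a match."""
    return {f: getattr(candidate, f) == getattr(reference, f) for f in FIELDS}


def is_known_file(candidate: HashRecord, reference: HashRecord,
                  required=("sha1", "md5", "size")) -> bool:
    """Accept the candidate only when every required field agrees.
    Passing required=("md5",) reproduces the weaker single-hash check."""
    matches = match_fields(candidate, reference)
    return all(matches[f] for f in required)


# Constructed sample inputs; no real collision is involved.
SAMPLE = b"constructed sample file contents\n"
OTHER = b"constructed sample file contents, altered\n"
```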

The NSRL processing environment is very flexible, and can accommodate any future hashing algorithms that may be necessary. In fact, we welcome suggestions; as we process terabytes of data, we can research alternative algorithms.

If you have further questions, please contact nsrl@nist.gov.