Ask HN: Can we still trust SHA-1 and SHA-2 created by NSA? - theboywho
======
lmm
Yes (at least, as much as we could before; SHA1 in particular has been showing
weaknesses). They are still the hash functions that have had the most
attention from the academic community, and so far no workable attacks have
been found.

------
ig1
SHA-1 should be assumed to be broken in any case.

The Flame malware was distributed using a fake certificate that was generated
via a brand new (publicly unknown) chosen prefix collision technique against
SHA-1.

~~~
tptacek
Flame used an MD5 collision.

~~~
ig1
The Microsoft certificate revocation list for Flame:

    Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:

    Microsoft Enforced Licensing Intermediate PCA (2 certificates)
    Microsoft Enforced Licensing Registration Authority CA (SHA1)

(from [http://technet.microsoft.com/en-us/security/advisory/2718704](http://technet.microsoft.com/en-us/security/advisory/2718704))

Two of the certs were MD5, the third was SHA1.

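The advisory above distinguishes certificates by the hash in their signature algorithm, which is a check a defender can automate. Added example, not from any poster in this thread: a stdlib-only DER walker that reads a certificate's outer signatureAlgorithm OID and flags MD5 or SHA-1. The sample certificates are constructed skeletons (empty tbsCertificate, dummy signature), not real certificates, and the OID table is an assumed, partial mapping.

```python
"""Flag DER-encoded X.509 certificates whose signature uses MD5 or SHA-1."""

# Assumed, partial table: signature-algorithm OID -> hash it is built on.
SIG_HASH = {
    "1.2.840.113549.1.1.4": "md5",       # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",      # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",   # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",     # ecdsa-with-SHA256
}
WEAK_HASHES = {"md5", "sha1"}


def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Convert DER OBJECT IDENTIFIER contents to dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                    # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm (the outer, signed-over one)."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def check_certificate(der):
    """Return (hash name or 'unknown', True if the signature hash is MD5/SHA-1)."""
    name = SIG_HASH.get(signature_algorithm(der), "unknown")
    return name, name in WEAK_HASHES


# Constructed skeletons: SEQUENCE { SEQUENCE {}, AlgorithmIdentifier, BIT STRING }.
SAMPLE_SHA1 = bytes.fromhex("3015" "3000" "300d0609" "2a864886f70d010105" "0500" "030200ff")
SAMPLE_MD5 = bytes.fromhex("3015" "3000" "300d0609" "2a864886f70d010104" "0500" "030200ff")
SAMPLE_SHA256 = bytes.fromhex("3015" "3000" "300d0609" "2a864886f70d01010b" "0500" "030200ff")
```

On a real certificate, feed it the DER bytes (PEM stripped of its armour and base64-decoded); the same walker applies.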
~~~
tptacek
The hash collision exploited by Flame was in MD5, not SHA1.

------
isaacb
These aren't closed algorithms. They are well understood and explored in-depth
by the academic community.

------
tptacek
Yes, but you shouldn't anyways; SHA-2 is inferior to SHA-3.

SHA-3 is the product of a peer-reviewed cryptographic contest.

------
EthanHeilman
Why not use Keccak/SHA-3 instead? It was developed in an open competition run
by NIST with some NSA involvement.

[http://en.wikipedia.org/wiki/SHA-3](http://en.wikipedia.org/wiki/SHA-3)

------
jayfuerstenberg
BCrypt is superior to the SHA family of hash algorithms.

That should be reason enough not to use SHA.

~~~
tptacek
This is a non sequitur. BCrypt isn't an alternative to SHA hashes; it's a
password storage construction.

------
venomsnake
As much as you could trust them 5 days ago.

While SHA-1 should not be trusted too much because it has shown possible
theoretical attacks, SHA-2 still holds. Also, these kinds of things are IP -
there are a lot of eyeballs and scrutiny going on.

There is a much bigger chance of a fraked up implementation that will make it
insecure than the theory - there are a lot of independent researchers that
have scrutinized them quite a bit. And while I am sure the NSA employs a lot of
very capable people, they do not hold a monopoly on world class cryptographers.

