在各种平台中对SHA-2的支持状态如何? [英] What's the state of support for SHA-2 in various platforms?
问题描述
显然有一些弱点在导致这一决定的SHA-1中。任何人都可以在这个决定的基础上详细说明吗?在商业应用中是否会使用SHA-1?
我真正的问题是:
- 在各种类库和平台中支持SHA-2?
- 我应该尝试移动到SHA-2吗??
对主流平台感兴趣:.NET,Java,C / C ++,Python,Javascript等。在过去的几年中,Sha1,Sha0,md4和md5都被认为是不安全的。问题是,如果攻击者可以生成2个不同的消息产生相同的结果散列,这称为冲突。这导致了很多PKI的问题,密码管理,文件完整性检查等等。目前sha1只能提供攻击者能够触及的2 ^ 52位安全性。 SHA-256(sha2系列的最小成员)提供2 ^ 256位。
所有平台都应该有SHA-256实现,尽管并非所有平台都是原生的。在PHP中,你必须使用mhash扩展。它令人困惑,有些平台不提供安全的哈希函数,我真的相信它,因为他们不关心安全。在PHP的情况下,我知道他们不喜欢不关心保安。
目前SHA-2没有什么问题,并且它具有非常大的安全系数。如果你确实是偏执狂,你可以使用SHA-512。 Sha-3将于2012年推出,您应该使用sha-2(比如 PASSWORDS )修补任何可能的内容,然后在可行的情况下移动到SHA-3,但SHA-512对于非常适合非常适合长时间。
I read that SHA-1 is being retired from the FIPS 180-2 standard.
Apparently there are weaknesses in SHA-1 that led to this decision. Can anyone elaborate on the basis for that decision? Are there implications for the use of SHA-1 in commercial applications?
My real questions are:
- What is the state of SHA-2 support in various class libraries and platforms?
- Should I attempt to move to SHA-2?
Interested in mainstream platforms: .NET, Java, C/C++, Python, Javascript, etc.
Sha1, Sha0, md4 and md5 have all been found to be insecure over the past few years. The problem is that if an attacker can generate 2 different messages that produce the same resulting hash, this is called a collision. This causes a lot of problems for PKI's, password management, file integrity checks and more. Currently sha1 only provides 2^52 bits of security which is within reach of attackers. Where as SHA-256 (smallest member of the sha2 family) is provides 2^256 bits.
All platforms should have a SHA-256 implementation, although not all of them are native. In PHP you have to use the mhash extension. Its rather baffling that some platforms don't provide secure hash functions, I honestly believe its because they don't care about secuirty. In the case of PHP I know for a fact that they don't care about secuirty.
Currently there is nothing wrong with SHA-2 and it has a very large margin of safety. You can use SHA-512 if you are really paranoid. Sha-3 will be out in 2012, you should patch whatever you can with sha-2 like your PASSWORDS, and then move to SHA-3 when you can but SHA-512 will be good for a VERY long time.
这篇关于在各种平台中对SHA-2的支持状态如何?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
