与盐腌的SHA512相比,盐腌的SHA1有多不安全 [英] How insecure is a salted SHA1 compared to a salted SHA512
问题描述
This question is 8+ years old and times have changed: https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
对于密码: https://en.wikipedia.org/wiki/PBKDF2
对于数据:SHA3
SHA512比SHA1更复杂,但是与使用512哈希盐渍密码相比,使用SHA1哈希盐渍密码会使我损失多少安全性?对于拥有数据库的人来说,破解单个密码所花费的时间.我使用的框架无法让我轻松访问SHA512,我不得不重写一些东西才能使其正常工作,因此我考虑只使用SHA1,尽管过去我一直使用SHA512.
SHA512 is more complex than SHA1, but how much security am I losing by hashing a salted password with SHA1 compared to hashing it with 512? in terms of the time it would take for someone who has the db to crack a single password. I'm using a framework that doesn't give me easy access to SHA512, I'd have to override stuff to make it work, so I'm thinking to just use SHA1, though in the past I've always used SHA512.
推荐答案
SHA-1当前已知的弱点不会影响您尝试执行的操作的安全性.无法从其哈希版本恢复密码取决于原像抵抗",据我们所知,SHA-1仍然无法完全实现. SHA-512,SHA-256甚至MD4或MD5也完全不可行.面向科幻的思维者可能会想到,计算机将能够在2050年左右找到MD4或MD5的原像. SHA-1将花费更长的时间.
The currently known weaknesses on SHA-1 do not impact the security of what you are trying to do. Impossibility to recover the password from its hashed version relies on "preimage resistance" which is, as far as we know, still fully infeasible with SHA-1. It is also fully infeasible with SHA-512, SHA-256, or even MD4 or MD5. A Sci-Fi oriented mind may envision computers achieving the power to find preimages for MD4 or MD5 around year 2050; it will take much longer for SHA-1.
现在,碰巧发生了,尽管尚无已知的在SHA-1上计算原像的捷径,但也几乎没有安全证明.用数学的话来说,如果SHA-1中使用的压缩函数与随机预言"是无法区分的,那么它对于原像是安全的.但是,SHA-1的已知弱点(从理论上讲)会导致冲突,这也表明SHA-1的压缩功能不是随机预言.因此,SHA-1对原像的安全性不再是说不出有充分的数学理由,为什么它不会破裂"的说服力.更多的是嗯,还没有找到如何破解它的方法."
Now it so happens that while there is no known shortcut to computing preimages on SHA-1, there is little security proof either. In mathematical words, if the compression function used in SHA-1 is indistinguishable from a "random oracle" then it is secure against preimages. But the known weaknesses on SHA-1, which (theoretically) leads to collisions, also show that its compression function is not a random oracle. Therefore, the security of SHA-1 against preimages is no longer of the "there's good mathematical reason why it does not break" persuasion. It is more of the "meh, haven't found how to break it yet" kind.
简而言之,如果您使用SHA-1,那么您可能必须证明自己是正确的.即使您没有做错任何事情,您对SHA-1的选择也会受到质疑.没有人会质疑使用SHA-256或SHA-512,即使这暗示了一些开发开销.简而言之,使用SHA-1不利于公共关系.
In more mundane words, if you use SHA-1 then you will probably have to justify yourselves. Even if you do nothing wrong, your choice of SHA-1 will be questioned. Whereas nobody would question using SHA-256 or SHA-512, even if it implies some development overhead. Briefly stated, using SHA-1 is bad public relations.
请注意,盐析与该问题完全正交.盐析是为了防止针对不同密码实例的攻击之间的成本分担.预先计算的表(包括所谓的彩虹表")是一种共享(表的构建很昂贵,但可以用来攻击2、10、10000个密码,但每个被攻击的密码要花费很少的额外费用).腌制失败了分享.加盐很好.击败共享很重要,因为可以攻击一个密码:不是因为哈希功能,而是因为密码是一种适合人脑的密码,因此容易受到暴力攻击(字典式攻击").使用任何与密码相关的东西,都不会因为哈希函数的弱点而出现问题,而是因为您首先使用了密码.
Note that salting is fully orthogonal to that question. Salting is meant to prevent cost sharing between attacks on distinct password instances. Precomputed tables (including so-called "rainbow tables") are a kind of sharing (the table building is expensive but can be used to attack 2, 10, 10000 passwords at minor extra cost per attacked password). Salting defeats sharing. Salting is good. Defeating sharing is important because attacking one password is possible: not because of the hash function, but because a password is something which fits in a human brain, and therefore is amenable to brute force (a "dictionary attack"). With anything related to passwords, you will not get problems due to weaknesses in hash functions, but because you use passwords in the first place.
这篇关于与盐腌的SHA512相比,盐腌的SHA1有多不安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
