1 Reply Latest reply on Sep 27, 2006 12:56 PM by Justin Suissa

    Upgrading the security hash

      Forgive me for I am new :). I am going through the docs and learning about the product and came across the statements that BladeLogic used SHA1 fingerprints to establish communication when SHA1 has been compromised. Why has SHA1 not been upgraded to something that has not been compromised?


      "SHA-1 was considered to be the successor to MD5, an earlier, widely-used hash function. Both are reportedly compromised. In some circles, it is suggested that SHA-256 or greater be used for critical technology."




      I am just curious...


      Michael Ford

      AE - King of Prussia

        • 1. Re: Upgrading the security hash

          Hey Michael,


          I can't really speak to why SHA-1 is the hash of choice, however for BladeLogic's purposes, it seems very safe.


          When they talk about a cryptographic hash being broken, that doesn't necessarily mean we can reverse what is hashed and extract keys. In the case of SHA-1, we actually can't do that. The papers released on SHA-1 describe how it is possible to determine collisions in something like 2^63 rather than 2^80 (brute force). That's still a massive amount of computation, and the best our attacker could hope for is a collision (meaning he now has another value, which could be garbage, that has the same hash as the one he is exploiting...or she). This could be a problem in cases where digital signatures are used. If I recall, if you have 10,000 custom ASICs that can each perform 2 billion hash operations per second, the attack would take about one year.
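
Added illustration, not part of either post and not BladeLogic code: the reply's distinction between finding any collision and matching one fixed fingerprint, measured on SHA-1 truncated to 16 bits so both searches finish in well under a second. The 16-bit width, the message formats and the sample target string are assumptions made for this demo; on full 160-bit SHA-1 the same generic costs are about 2^80 and 2^160.

```python
import hashlib
from itertools import count

BITS = 16  # assumption: toy width so both searches complete quickly


def fp(msg: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of SHA-1(msg), standing in for a full fingerprint."""
    digest = hashlib.sha1(msg).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def find_collision(bits: int = BITS):
    """Birthday search: ANY two distinct inputs sharing a fingerprint.

    The searcher picks both inputs, so about 2^(bits/2) tries suffice.
    """
    seen = {}
    for i in count():
        msg = b"free-choice-%d" % i
        h = fp(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int = BITS):
    """Match the fingerprint of ONE fixed value the searcher did not choose.

    This is the situation when a stored fingerprint is being verified;
    generic cost is about 2^bits tries.
    """
    want = fp(target, bits)
    for i in count():
        msg = b"forged-%d" % i
        if msg != target and fp(msg, bits) == want:
            return msg, i + 1


if __name__ == "__main__":
    a, b, c_tries = find_collision()
    print(f"collision after {c_tries} tries: {a!r} / {b!r}")
    target = b"constructed sample certificate bytes"  # constructed input
    forged, p_tries = find_second_preimage(target)
    print(f"second preimage after {p_tries} tries: {forged!r}")
    print(f"birthday bound ~{2 ** (BITS // 2)}, preimage bound ~{2 ** BITS}")
```

The published SHA-1 results discussed in the reply lower the first cost only; the second is the one that applies when a known fingerprint has to be matched.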