与 salted SHA512 相比,salted SHA1 有多不安全
SHA1 完全不安全,应该更换。
这个问题已经有8年多了,时代已经变了: https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
对于密码: https://en.wikipedia.org/wiki/PBKDF2
对于数据:SHA3
SHA512 更比 SHA1 复杂,但是与使用 512 进行散列相比,使用 SHA1 对加盐密码进行散列会损失多少安全性?就拥有数据库的人破解单个密码所需的时间而言。我使用的框架不能让我轻松访问 SHA512,我必须重写一些东西才能使其工作,所以我想只使用 SHA1,尽管过去我一直使用 SHA512。
SHA1 is completely insecure and should be replaced.
This question is 8+ years old and times have changed:
https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
For passwords: https://en.wikipedia.org/wiki/PBKDF2
For data: SHA3
SHA512 is more complex than SHA1, but how much security am I losing by hashing a salted password with SHA1 compared to hashing it with 512? in terms of the time it would take for someone who has the db to crack a single password. I'm using a framework that doesn't give me easy access to SHA512, I'd have to override stuff to make it work, so I'm thinking to just use SHA1, though in the past I've always used SHA512.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
当前已知的 SHA-1 弱点不会影响您尝试执行的操作的安全性。无法从散列版本恢复密码依赖于“原像抵抗”,据我们所知,这对于 SHA-1 来说仍然完全不可行。对于 SHA-512、SHA-256、甚至 MD4 或 MD5 也是完全不可行的。一个科幻导向的人可能会设想计算机在 2050 年左右能够找到 MD4 或 MD5 原像; SHA-1 需要更长的时间。
现在碰巧的是,虽然没有已知的在 SHA-1 上计算原像的捷径,但也几乎没有安全证据。用数学术语来说,如果 SHA-1 中使用的压缩函数与“随机预言”无法区分,那么它就可以安全地抵御原像。但 SHA-1 的已知弱点(理论上)会导致冲突,也表明其压缩函数不是随机预言。因此,SHA-1 针对原像的安全性不再是“有充分的数学理由说明它不会被破坏”的说法。它更像是“嗯,还没找到如何打破它”的那种。
更通俗地说,如果您使用 SHA-1,那么您可能必须为自己辩护。即使您没有做错任何事,您对 SHA-1 的选择也会受到质疑。而没有人会质疑使用 SHA-256 或 SHA-512,即使这意味着一些开发开销。简而言之,使用 SHA-1 是一种糟糕的公共关系。
请注意,加盐与该问题完全正交。加盐旨在防止针对不同密码实例的攻击之间成本分摊。预计算表(包括所谓的“彩虹表”)是一种共享(建表成本昂贵,但可用于攻击 2、10、10000 个密码,每个被攻击的密码只需少量额外成本)。加盐会打败共享。腌制是好的。击败共享很重要,因为攻击一个密码是可能的:不是因为散列函数,而是因为密码适合人脑,因此可以进行暴力破解(“字典攻击”)。对于与密码相关的任何事情,您不会因为哈希函数的弱点而遇到问题,而是因为您首先使用密码。
The currently known weaknesses on SHA-1 do not impact the security of what you are trying to do. Impossibility to recover the password from its hashed version relies on "preimage resistance" which is, as far as we know, still fully infeasible with SHA-1. It is also fully infeasible with SHA-512, SHA-256, or even MD4 or MD5. A Sci-Fi oriented mind may envision computers achieving the power to find preimages for MD4 or MD5 around year 2050; it will take much longer for SHA-1.
Now it so happens that while there is no known shortcut to computing preimages on SHA-1, there is little security proof either. In mathematical words, if the compression function used in SHA-1 is indistinguishable from a "random oracle" then it is secure against preimages. But the known weaknesses on SHA-1, which (theoretically) leads to collisions, also show that its compression function is not a random oracle. Therefore, the security of SHA-1 against preimages is no longer of the "there's good mathematical reason why it does not break" persuasion. It is more of the "meh, haven't found how to break it yet" kind.
In more mundane words, if you use SHA-1 then you will probably have to justify yourselves. Even if you do nothing wrong, your choice of SHA-1 will be questioned. Whereas nobody would question using SHA-256 or SHA-512, even if it implies some development overhead. Briefly stated, using SHA-1 is bad public relations.
Note that salting is fully orthogonal to that question. Salting is meant to prevent cost sharing between attacks on distinct password instances. Precomputed tables (including so-called "rainbow tables") are a kind of sharing (the table building is expensive but can be used to attack 2, 10, 10000 passwords at minor extra cost per attacked password). Salting defeats sharing. Salting is good. Defeating sharing is important because attacking one password is possible: not because of the hash function, but because a password is something which fits in a human brain, and therefore is amenable to brute force (a "dictionary attack"). With anything related to passwords, you will not get problems due to weaknesses in hash functions, but because you use passwords in the first place.
有证据表明 SHA1 算法存在安全漏洞,可能会导致攻击。我建议使用 SHA2 的变体(SHA 256 或 SHA 512)。
至于某人破解存储在不同哈希值中的密码需要多长时间,在不知道攻击者的处理能力、密码有多长、是否使用彩虹表、盐的随机性的情况下很难说,然而,如果算法有问题,则可能会导致更容易地找到散列值或等于相同散列的不同值(称为冲突),就像 MD5 的情况一样。
(来源和更多信息:http://en.wikipedia.org/wiki/SHA-1< /a>)
There has been proof of security vulnerabilities in the algorithm of SHA1, that could possibly lead to an attack. I would recommend using a variant of SHA2 (SHA 256 or SHA 512).
As far as how long it would take someone to crack a password stored in the varying hashes, it's difficult to say without knowing the processing power of the attacker, how long the passwords are, if they employ rainbow tables, how random the salts are, etc. However, if there is something wrong with the algorithm, it could possibly lead to a much easier way to find the hashed value or a different value that equates to the same hash (called a collision), as is the case of MD5.
(Source and more information: http://en.wikipedia.org/wiki/SHA-1)
如果您必须覆盖某些内容才能使
SHA1以外的任何内容正常工作,则必须在覆盖内容的复杂性(以及增加的错误机会)与算法强度之间进行权衡。如果您决定采用另一种哈希算法,您应该看看
BCrypt。它是一种适应性强的成本哈希算法,旨在“根据需要尽可能慢”。与SHA512相比,这会大大增加所需的破解时间。SHA512被设计为通用加密哈希,速度作为设计目标之一。SHA1中存在已知漏洞,但尚未发现原像攻击。因此,如果最重要的事情很困难,最好通过生成高熵随机盐来实现。话虽如此,使用最好的可用算法当然更好。
If you have to overwrite stuff to get anything other than
SHA1to work, you will have to balance complexity of overriding stuff (and the increased chance of bugs) against algorithm strength.If you decide to go for another hashing algorithm, you should take a look a
BCrypt. It is an adaptable cost hashing algorithm, designed to be 'as slow as needed'. This would provide a bigger increase in required cracking time thanSHA512.SHA512is designed as a general purpose cryptographic hash, with speed as one of the design goals.There are known vulnerabilities in
SHA1, but no preimage attack has yet been found. So if the overriding stuff is difficult, you could be better of by generating high entropy random salts.Having said that, it is of course better to use the best available algorithm.
SHA1 和 SH512 是消息摘要,它们从不意味着密码散列(或密钥派生)函数。 (尽管消息摘要可以用作 KDF 的构建块,例如在带有 HMAC-SHA1 的 PBKDF2 中。)
密码散列函数应该防御字典攻击和彩虹表。
目前,唯一的标准(如 NIST 批准的)密码散列或密钥导出函数是 PBKDF2。如果不需要使用标准,更好的选择是 bcrypt 和较新的 scrypt。维基百科拥有所有三个功能的页面:
页面位于 https://crackstation.net/hashing-security.htm 包含对密码安全性的广泛讨论。
SHA1 and SH512 are message digests, they were never meant to be password-hashing (or key-derivation) functions. (Although a message digest could be used a building block for a KDF, such as in PBKDF2 with HMAC-SHA1.)
A password-hashing function should defend against dictionary attacks and rainbow tables.
Currently, the only standard (as in sanctioned by NIST) password-hashing or key-derivation function is PBKDF2. Better choices, if using a standard is not required, are bcrypt and the newer scrypt. Wikipedia has pages for all three functions:
The page at https://crackstation.net/hashing-security.htm contains an extensive discussion of password security.