It is conjectured that SHA-1 has been broken from the "research" perspective, but not in the real world; that is, there exists an algebraic attack that explores weaknesses on its algebraic construction. The same happens for MD5, but MD5 has been practically broken by finding collisions in the real world. Can we still use HMAC with SHA-1 and be secure against preimage, second preimage and collisions?
Asked
Active
Viewed 957 times
1 Answers
14
I would recommend phasing out SHA-1 in any scenario where collision-resistance of a hash is required, for there is a wide consensus that an attack with $2^{69}$ complexity would work, it would already be feasible by a resourceful entity, and attacks only get better.
I'm still confident that SHA-1 is preimage and second-preimage resistant for all practical purposes in the foreseeable future, when its full output is used. Nevertheless, I would prefer SHA-256 or RIPEMD-160 when they are possible options.
I'm still confident that HMAC with SHA-1 is secure in any scenario where HMAC's key is assumed secret, for all practical purposes in the foreseeable future; this is because an improved security argument for HMAC remains valid with weak assumptions on the underlying (round function of the) hash. I could recommend it in a MAC application where using a tarnished name is not an issue, and speed matters.
Update: A collision for SHA-1 was published in February 2017 (4 years after this answer was written). It took an effort comparable to $2^{63}$ hashes (less than the $2^{69}$ consensual by 2013, but more than the $2^{61}$ of the best claimed theoretical approach, which turned out to have a few rough edges). The phasing out of the first paragraph has become a must. The second and third paragraph of the answer remain valid.
