Wednesday, July 11, 2012

Interesting use of SHA-1 hashes

By Vasudev Ram

Came across an interesting use of the cryptographic hash function SHA-1 recently: see this post by Steve Losh about his simple command-line to-do list tool called "t" (no, not a typo :)

Reading that post reminded me of using SHA-1 hashes in a web-based product I worked on some years ago. Before using them, I googled a bit for info, and found a post by security expert Bruce Schneier stating that SHA-1 is broken. So I wrote a small wrapper to do some custom encryption over and above what SHA-1 provided. Can't go into the details, due to the NDA I signed. I am not a security expert, but I think what I did may have improved the security of the product.

UPDATE: I just re-read Schneier's SHA-1 post (linked above), and saw that he has updated it. The last link in his original post is a link to the update (a separate post), which is also interesting, and in which he gives further details of the security issues involved and how SHA-1 was found to be broken.

Vasudev Ram
- | @vasudevram |

- Vasudev Ram - Dancing Bison Enterprises

No comments: