Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms
RFC 6194

Document Type RFC - Informational (March 2011; Errata)
Was draft-turner-sha0-sha1-seccon (individual in gen area)
Authors Tim Polk, Lily Chen, Sean Turner, Paul Hoffman
Last updated 2020-01-21
Stream IETF
IESG IESG state RFC 6194 (Informational)
Responsible AD Peter Saint-Andre
Internet Engineering Task Force (IETF)                           T. Polk
Request for Comments: 6194                                       L. Chen
Category: Informational                                             NIST
ISSN: 2070-1721                                                S. Turner
                                                              P. Hoffman
                                                          VPN Consortium
                                                              March 2011

                      Security Considerations for
             the SHA-0 and SHA-1 Message-Digest Algorithms


   This document includes security considerations for the SHA-0 and
   SHA-1 message digest algorithms.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Polk, et al.                  Informational                     [Page 1]
RFC 6194         SHA-0 and SHA-1 Security Consideration       March 2011

1.  Introduction

   The Secure Hash Algorithms are specified in [SHS].  A previous
   version of [SHS] also specified SHA-0.  SHA-0, first published in
   1993, and SHA-1, first published in 1996, are message digest
   algorithms, sometimes referred to as hash functions or hash
   algorithms, that take as input a message of arbitrary length and
   produce as output a 160-bit "fingerprint" or "message digest" of the
   input.  The published attacks against both algorithms show that it is
   not prudent to use either algorithm when collision resistance is

   [HASH-Attack] summarizes the use of hashes in Internet protocols and
   discusses how attacks against a message digest algorithm's one-way
   and collision-free properties affect and do not affect Internet
   protocols.  Familiarity with [HASH-Attack] is assumed.

   Some may find the guidance for key lengths and algorithm strengths in
   [SP800-57] and [SP800-131] useful.

2.  SHA-0 Security Considerations

   What follows are summaries of recent attacks against SHA-0's
   collision, pre-image, and second pre-image resistance.  Additionally,
   attacks against SHA-0 when used as a keyed-hash (e.g., HMAC-SHA-0)
   are discussed.

   The U.S. National Institute of Standards and Technology (NIST)
   withdrew SHA-0 in 1996.  That is, NIST no longer considers it
   appropriate to use SHA-0 for any transactions associated with the use
   of cryptography by U.S. federal government agencies for the
   protection of sensitive, but unclassified information.  SHA-0 is
   discussed here only for the sake of completeness.

   Any use of SHA-0 is strongly discouraged.  Analysis of SHA-0
   continues today because many see it as a weaker version of SHA-1.

2.1.  Collision Resistance

   The first attack on SHA-0 was published in 1998 [CHJO1998] and showed
   that collisions can be found in 2^61 operations.  In 2006,
   [NSSYK2006] showed an improved attack that can find collisions in
   2^36 operations.

   In any case, the known research results indicate that SHA-0 is not as
   collision resistant as expected.  The collision security strength is
   significantly less than an ideal hash function (i.e., 2^36 compared
   to 2^80).
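   As an added illustration that is not part of RFC 6194, the Python
   block below makes the numbers in Sections 1 and 2.1 concrete: it
   computes a full 160-bit SHA-1 digest, expresses the generic
   (birthday-bound) collision cost 2^(n/2) and the generic pre-image
   cost 2^n for an n-bit digest, compares the 2^36 SHA-0 collision
   attack cited above from [NSSYK2006] against the ideal 2^80, and then
   runs a birthday-style collision search and a brute-force pre-image
   search against a deliberately truncated SHA-1 so the two cost curves
   can be observed directly.  The truncation, the helper names, and all
   message inputs are constructed for this example and are not from the
   RFC or from [SHS].

```python
# Added example (not part of RFC 6194): generic hash-strength arithmetic and
# birthday / brute-force searches against a *truncated* SHA-1, to show why an
# ideal 160-bit hash offers ~2^80 collision strength and ~2^160 pre-image
# strength, and how SHA-0's published 2^36 collision attack compares.
import hashlib
import math


def sha1_digest(msg: bytes) -> bytes:
    """Full SHA-1 digest: 160 bits = 20 bytes, for input of any length."""
    return hashlib.sha1(msg).digest()


def generic_collision_log2(digest_bits: int) -> float:
    """Birthday bound: an ideal n-bit hash needs ~2^(n/2) work for a collision."""
    return digest_bits / 2


def generic_preimage_log2(digest_bits: int) -> float:
    """Brute force on an ideal n-bit hash: ~2^n work for a (second) pre-image."""
    return float(digest_bits)


def strength_lost_log2(digest_bits: int, attack_log2: float) -> float:
    """Bits of collision strength a published attack removes relative to the
    ideal birthday bound (SHA-0 per [NSSYK2006]: 80 - 36 = 44 bits)."""
    return generic_collision_log2(digest_bits) - attack_log2


def truncated_sha1(msg: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-1 as an integer (a constructed toy hash)."""
    full = int.from_bytes(sha1_digest(msg), "big")
    return full >> (160 - bits)


def find_truncated_collision(bits: int):
    """Birthday search: hash counter-derived messages until two distinct
    inputs share a truncated digest.  Returns (msg_a, msg_b, trials).
    Deterministic because the inputs are a counter; expected trials
    are on the order of 2^(bits/2)."""
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter  # constructed input
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def find_truncated_preimage(target: int, bits: int, limit: int):
    """Brute-force pre-image on the truncated hash: expected ~2^bits trials,
    i.e. the square of the collision search cost for the same truncation.
    Returns (msg, trials), or (None, limit) if the budget runs out."""
    for counter in range(limit):
        msg = b"pre-%d" % counter  # constructed input
        if truncated_sha1(msg, bits) == target:
            return msg, counter + 1
    return None, limit


if __name__ == "__main__":
    print("SHA-1 digest length in bytes:", len(sha1_digest(b"")))
    print("ideal 160-bit collision work: 2^%g" % generic_collision_log2(160))
    print("ideal 160-bit pre-image work:  2^%g" % generic_preimage_log2(160))
    print("SHA-0 attack at 2^36 loses %g bits of collision strength"
          % strength_lost_log2(160, 36))
    a, b, n = find_truncated_collision(24)
    print("24-bit truncated collision after %d hashes (~2^%.1f)"
          % (n, math.log2(n)))
    tgt = truncated_sha1(b"pre-1234", 16)
    m, t = find_truncated_preimage(tgt, 16, 1 << 17)
    print("16-bit truncated pre-image after %d hashes (~2^%.1f)"
          % (t, math.log2(t)))
```

   Running the block shows the collision search on a 24-bit truncation
   finishing after a few thousand hashes (near 2^12), while the
   pre-image search on an easier 16-bit truncation still needs on the
   order of 2^16 trials.  That gap is the same one the RFC draws
   between the collision and pre-image sections: a 160-bit digest
   gives 2^80 generic collision strength, so an attack at 2^36 is a
   large loss, whereas pre-image resistance is measured against 2^160.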


2.2.  Pre-Image and Second Pre-Image Resistance

   The pre-image and second pre-image attacks published on reduced
   versions of SHA-0 (i.e., less than 80 rounds) indicate that the
   security margin of SHA-0 is resistant to these attacks.  [deCARE2008]
   showed a pre-image attack on 49 out of 80 rounds with complexity of