Collision Search Attacks on SHA1
This only demonstrates a collision of SHA1 with a reduced number of rounds. Their research does reduce the complexity of an attack on the full 80-round SHA1, but not enough that anyone has been able to produce a full collision.
Scary stuff, and a very good reason to move to something better, but, at least for now, an attacker can't tamper with a file without changing the SHA1 hash.
By the way, I am using the term "broken" to mean that actual collisions have been found or could reasonably be found with current technology. If you use "broken" to mean that there is a known attack faster than a birthday attack, then SHA1 is definitely broken.
Those are the right authors, but not the later paper; they have another one that shows it to be much weaker yet. It came out about 4 or 5 months later. It is not recommended to use SHA-1 in any new projects any more. I personally would use two very different hashing algorithms to publish official binaries for something like bitcoins.
I do think we may be using different definitions; I think you are talking about what I would call cracked, and it is not cracked yet in any public papers I know of.
There are more attacks that do make it weaker. Just no collisions yet. But I completely agree that it should not be used in new projects.
Bruce Schneier agrees with you that this counts as "broken." I am just not a big fan of that specific definition of broken, since it would mean that algorithms like AES that are still quite strong would count as "broken."
While we are on this side topic, I would like to point out that hosting the signature files right alongside the binaries is also probably not the best idea. If I can replace files on sf, I would just replace both now.
Sure, you could replace SHA1SUMS.asc, but you wouldn't be able to change it without invalidating the PGP signature.
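As an added illustration of two points raised in this thread (publishing sums under two different hash algorithms, and checking that the sums file itself has not been edited), here is a small verifier for checksum lists in the coreutils "digest  filename" format. This is example code written for this page, not anything from the thread or from the project; the file names and contents are constructed, and it verifies only the hash lists, not the PGP signature over them.

```python
import hashlib
import re
from typing import Dict

# Checksum lists in the coreutils format ("<hexdigest>  <filename>", one per line),
# as written by sha1sum / sha256sum. Constructed example; file names are hypothetical.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def make_sums(files: Dict[str, bytes], algo: str) -> str:
    """Produce a SUMS file for `files` using the given hashlib algorithm name."""
    return "".join(f"{hashlib.new(algo, d).hexdigest()}  {n}\n" for n, d in sorted(files.items()))

def parse_sums(text: str) -> Dict[str, str]:
    """Return {filename: hexdigest}; blank lines and '#' comments are skipped."""
    digests = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        digests[m.group(2)] = m.group(1).lower()
    return digests

def verify(files: Dict[str, bytes], lists: Dict[str, str]) -> Dict[str, bool]:
    """lists maps a hashlib algorithm name to the text of that algorithm's SUMS file.
    A file passes only if it appears in every list and every digest matches, so a
    collision in one algorithm alone, or a line dropped from one list, is not enough."""
    parsed = {algo: parse_sums(text) for algo, text in lists.items()}
    return {
        name: all(name in d and hashlib.new(algo, data).hexdigest() == d[name]
                  for algo, d in parsed.items())
        for name, data in files.items()
    }

def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed release: genuine files, then a modified binary and a dropped entry."""
    genuine = {"client-linux.tar.gz": b"pretend-linux-tarball",
               "client-win32.zip": b"pretend-windows-zip"}
    lists = {"sha1": make_sums(genuine, "sha1"), "sha256": make_sums(genuine, "sha256")}
    modified = dict(genuine)
    modified["client-win32.zip"] = b"pretend-windows-zip-modified"
    # Someone who can edit only the unsigned SHA1SUMS copy removes the linux line.
    lists_cut = dict(lists)
    lists_cut["sha1"] = "".join(l + "\n" for l in lists["sha1"].splitlines() if "linux" not in l)
    return {"genuine": verify(genuine, lists), "modified": verify(modified, lists),
            "dropped": verify(genuine, lists_cut)}
```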