Security

I've been working on some encryption methods lately for an application that I'm developing. One type uses PGP encryption and another uses the SHA family of hash functions. After doing some research on the various members of the SHA family, I saw that three years ago three Chinese researchers were able to break SHA-1.

The rise of distributed computing greatly decreases the time it takes to carry out such an attack. The 2005 result (Wang, Yin and Yu, "Finding Collisions in the Full SHA-1") reduced the cost of finding a SHA-1 collision to about 2**69 hash operations. This is much less than a generic birthday attack, which needs roughly 2**80 operations against a 160-bit digest. 2**69 is still a large computation, but it is within reach of an attacker pooling many machines, and cryptanalytic attacks only get better in the future; the figure is an upper bound on what a SHA-1 collision costs, not a fixed price.

Bruce Schneier had been warning people to move away from SHA-1 for quite a while before the attack was published (over 3 years ago now!), however people are still using it. My advice is to move to something stronger, specifically SHA-256 or SHA-512 (both belong to the SHA-2 family, a U.S. government standard in FIPS 180-2). These two are the better options for now, until NIST settles on a new standard: it currently has an open competition for a new hash algorithm, to be named SHA-3.

For your Ruby applications, you can require 'digest/sha2' instead of 'digest/sha1' and you can do something like:

    require 'digest/sha2'

    data = "the bytes you want to fingerprint"   # any String
    Digest::SHA512.hexdigest(data)              # 128 hex characters (512 bits)

Implementing this now will get you ahead of the curve, especially if you are working on applications that need a higher level of security. Two caveats: a hash is not encryption, so SHA-256 or SHA-512 is the right tool for fingerprinting and integrity checks, not for keeping data secret; and a SHA-1 digest cannot be converted into a SHA-512 one, so existing stored digests have to be recomputed from the original data when you switch. For some applications, you may not need to worry too much about using SHA-1, but it's better to know what's going on than not.
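Because stored SHA-1 digests cannot be converted in place, the practical part of a migration is labelling each stored digest with the algorithm that produced it and upgrading on the next successful verification. The following is an added example of that pattern, written for this post; it is not code from the original application. The "algo$hex" label format, the ALGORITHMS table and the helper names are assumptions chosen for the example.

```ruby
require 'digest/sha1'
require 'digest/sha2'

# Label => Digest class. The labels and table are an assumption for this example.
ALGORITHMS = {
  'sha1'   => Digest::SHA1,
  'sha256' => Digest::SHA256,
  'sha512' => Digest::SHA512,
}.freeze

# The algorithm new digests should be written with.
PREFERRED = 'sha512'

# Produce a labelled digest such as "sha512$<hex>", so a verifier later knows
# which algorithm to recompute with.
def labelled_digest(data, algo = PREFERRED)
  klass = ALGORITHMS.fetch(algo)
  "#{algo}$#{klass.hexdigest(data)}"
end

# Compare two strings without leaking where they first differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify data against a labelled digest.
# Returns [matched, needs_upgrade]; an unknown or malformed label never matches.
def verify(data, stored)
  algo, hex = stored.to_s.split('$', 2)
  klass = ALGORITHMS[algo]
  return [false, false] if klass.nil? || hex.nil?
  matched = secure_compare(klass.hexdigest(data), hex)
  [matched, matched && algo != PREFERRED]
end

# On a successful check, return the digest that should now be stored:
# the original if it already uses PREFERRED, otherwise a fresh PREFERRED digest.
# Returns nil when the data does not match, so nothing should be written.
def migrate(data, stored)
  matched, upgrade = verify(data, stored)
  return nil unless matched
  upgrade ? labelled_digest(data) : stored
end

# Constructed sample: a record written back when SHA-1 was still in use.
LEGACY_RECORD = 'sha1$a9993e364706816aba3e25717850c26c9cd0d89d'  # SHA-1 of "abc"

if __FILE__ == $PROGRAM_NAME
  puts verify('abc', LEGACY_RECORD).inspect   # matches, flagged for upgrade
  puts migrate('abc', LEGACY_RECORD)          # now a sha512$... value
end
```

The label lets old and new digests coexist during the rollout, and upgrading only after a successful verification means you never need the original data in bulk. The same table-driven shape works for any later switch, for example to SHA-3 once NIST picks it. This is for integrity digests; if the stored values are password hashes, a plain SHA-2 digest is still too fast to resist guessing and a salted, deliberately slow password hash should be used instead.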