Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep


SHA-1 Collision Irrelevance

In February of 2005, a group of Chinese researchers developed an algorithm for finding SHA-1 hash collisions faster than brute force[22]. They proved it possible to find collisions in the full 80-step SHA-1 in less than 2^69 hash operations, about 2,000 times faster than the 2^80 hash operations that brute force theoretically requires. The paper also includes search attacks for finding collisions in the 58-step SHA-1 in 2^33 hash operations and in SHA-0 in 2^39 hash operations. The biggest impact of this discovery pertains to the use of SHA-1 hashes in digital signatures and technologies where one of the pre-images is known. By searching for a second pre-image which hashes to the same value as the original, a digital signature for the original may theoretically be used to authenticate a forgery.

The use of SHA-1 by the SteganRTP reference implementation is solely to compute a bit-pad of keying information with a longer, seemingly more random bit distribution than what is likely provided directly by user input as the shared secret. The result of the SHA-1 hash of the user's shared secret is used directly as keying information. In order to launch a collision attack against the hash used as the bit-pad, the attacker would have to either obtain the original user-supplied shared secret or the hash itself. Due to the hash being used directly as keying information, the possession of it by an attacker has already compromised the security of the data being obfuscated with it; computing one or more additional pre-images which hash to a collision provides no additional value for the attacker.
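The argument above, as an added example that is not SteganRTP's own code: the SHA-1 digest of the shared secret is the bit-pad, so the obfuscation depends only on the digest and never on which input produced it. The repeating-XOR routine is an assumed stand-in for the real obfuscation, and all function names and sample values are hypothetical.

```python
import hashlib
from itertools import cycle


def derive_bitpad(shared_secret: bytes) -> bytes:
    """SHA-1 of the user's shared secret, used directly as a 20-byte bit-pad."""
    return hashlib.sha1(shared_secret).digest()


def xor_with_pad(data: bytes, pad: bytes) -> bytes:
    """Assumed stand-in obfuscation: XOR with the repeating pad (self-inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(pad)))


def sender_obfuscate(shared_secret: bytes, message: bytes) -> bytes:
    """What a legitimate endpoint does: hash the secret, then apply the pad."""
    return xor_with_pad(message, derive_bitpad(shared_secret))


def recover_with_hash_only(pad: bytes, obfuscated: bytes) -> bytes:
    """Recovery by a party that holds the digest but not the shared secret.

    The secret never appears here. Any other input hashing to the same
    digest would yield this same pad, so finding one adds nothing beyond
    what possession of the digest already gives.
    """
    return xor_with_pad(obfuscated, pad)


def demo():
    secret = b"constructed shared secret"    # constructed sample value
    message = b"constructed covert payload"  # constructed sample value
    obfuscated = sender_obfuscate(secret, message)
    pad = derive_bitpad(secret)              # the value that must stay private
    return message, obfuscated, recover_with_hash_only(pad, obfuscated)


if __name__ == "__main__":
    original, obfuscated, recovered = demo()
    print("obfuscated:", obfuscated.hex())
    print("recovered with digest only:", recovered == original)
```

For anyone reviewing such a design, the consequence is that the digest needs the same handling as the shared secret itself, for example in memory, logs and core dumps.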