<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Parag Mali - tag: collision-attack</title><description>Posts tagged collision-attack.</description><link>https://paragmali.com/</link><language>en-US</language><lastBuildDate>Sun, 19 Jul 2026 05:08:43 GMT</lastBuildDate><atom:link href="https://paragmali.com/tags/collision-attack/rss.xml" rel="self" type="application/rss+xml"/><item><title>How the Hash Functions Broke in Real Life: MD5, Flame, SHATTERED, and the Long Death of SHA-1</title><link>https://paragmali.com/blog/how-the-hash-functions-broke-in-real-life-md5-flame-shattere/</link><guid isPermaLink="true">https://paragmali.com/blog/how-the-hash-functions-broke-in-real-life-md5-flame-shattere/</guid><description>MD5 and SHA-1 were genuinely, mathematically broken -- yet every real breach still needed a second failure: a deployment still trusting the dead hash.</description><pubDate>Fri, 17 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
**MD5 and SHA-1 -- the two hashes that once fingerprinted the entire internet -- are genuinely, mathematically broken.** Their collision resistance fell to cryptanalysis between 2004 and 2020. But every real breach they enabled -- the 2008 rogue certificate authority, 2012&apos;s Flame espionage malware, 2017&apos;s SHATTERED, 2020&apos;s Shambles -- needed a *second* failure beside the broken math: a deployment that had not yet stopped trusting the dead algorithm. That empirical record is the base rate that justifies migrating to SHA-2 and SHA-3, and it is why &quot;broken&quot; is narrower than you think: HMAC-SHA-1 is still fine, and preimage resistance held. Here is exactly what fell, what did not, and how to audit and migrate your own systems.
&lt;h2&gt;1. The Forged Certificate That Rode Windows Update&lt;/h2&gt;
&lt;p&gt;In the spring of 2012, espionage malware called Flame spread through the Middle East wearing a disguise almost nothing could see through: it arrived &lt;strong&gt;signed by Microsoft&lt;/strong&gt;, and reached some targets through &lt;strong&gt;Windows Update&lt;/strong&gt; itself [@kaspersky-flame-gadget]. To a defending machine, it looked like a legitimate patch from the one vendor it trusted most. To forge that signature, its operators did something the open cryptographic literature had not yet published. They engineered a &lt;em&gt;chosen-prefix collision&lt;/em&gt; in &lt;strong&gt;MD5&lt;/strong&gt; -- a hash academics had called broken since 2004 [@wang2004-md5-eprint] -- and counterfeited a certificate that chained up to Microsoft&apos;s own root of trust [@stevens-counter-crypto-c13].&lt;/p&gt;
&lt;p&gt;The certificate they forged was not a plainly-issued code-signing certificate. It was a &lt;strong&gt;Terminal Server Licensing Service&lt;/strong&gt; certificate living inside Microsoft&apos;s &lt;strong&gt;Enforced Licensing&lt;/strong&gt; public-key infrastructure -- an obscure corner of Microsoft&apos;s PKI that the company was, in 2012, &lt;em&gt;still signing with MD5&lt;/em&gt;. When Microsoft published Security Advisory 2718704 on 3 June 2012, the fix was to revoke exactly those certificates: the &quot;Microsoft Enforced Licensing Intermediate PCA&quot; and the &quot;Microsoft Enforced Licensing Registration Authority CA&quot; [@ms-advisory-2718704].&lt;/p&gt;

A deterministic function that compresses a message of any length into a short, fixed-length string called a digest (or hash). The same input always yields the same digest, a different input almost always yields a different one, and the function is designed to be one-way: easy to compute forwards, infeasible to invert.
&lt;p&gt;The unsettling part of Flame is not that the math failed. It is that the math had failed nearly a decade earlier, in a Chinese cryptographer&apos;s paper read at a 2004 conference, and Microsoft&apos;s licensing servers were &lt;strong&gt;still signing with it&lt;/strong&gt; eight years later. A broken primitive sat, patiently, underneath a live production certificate authority until someone with a nation-state budget decided to point a collision at it.&lt;/p&gt;
&lt;p&gt;Now hold one more artifact in your head, because you will learn to read it by the end of this article. It is a SHA-1 digest:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;38762cf7f55934b34d179ae6a4c80cadccbb7f0a&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;In February 2017, researchers at CWI Amsterdam and Google published two different PDF files that both hash to exactly that value [@shattered-2017]. Two distinct documents, one fingerprint -- a thing that was supposed to be computationally impossible for the hash guarding TLS certificates, Git commits, and software signatures across the internet.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Every break in this story needed two failures at once: a hash whose collision resistance had already fallen, and a deployment that had not yet stopped trusting it. Cryptanalysis was necessary. It was never, by itself, sufficient.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That diagnostic sentence is the spine of everything that follows. It is also why this article is the honest exception in &lt;a href=&quot;https://paragmali.com/blog/how-aes-breaks-in-real-life-the-attacks-that-never-touched-t/&quot; rel=&quot;noopener&quot;&gt;a series otherwise arguing that the deployment breaks, not the math&lt;/a&gt;. Here the math genuinely broke. And even here, on the one topic where the primitive itself fell, no attacker ever won on cryptanalysis alone. They won where broken math met a system still trusting it.&lt;/p&gt;
&lt;p&gt;So if MD5 was known-broken years before Flame, why was anything still signing with it? To answer that, we have to be precise about what a hash actually promises -- because only one of its promises is fragile, and it is the exact one a certificate leans on.&lt;/p&gt;
&lt;h2&gt;2. What a Hash Promises, and Which Clause Is Fragile&lt;/h2&gt;
&lt;p&gt;A cryptographic hash function makes three separate promises. They sound similar, they are routinely confused, and telling them apart is the difference between understanding this whole story and mis-stating it. Only one of the three is fragile, and it is the one certificates depend on.&lt;/p&gt;

Given a target digest `h`, it is infeasible to find any message `m` such that `hash(m) = h`. This is the &quot;one-way&quot; promise: you cannot run the function backwards from an output to an input.

Given a specific message `m1`, it is infeasible to find a *different* message `m2` with the same digest. The attacker is handed one input and must match its fingerprint with another.

It is infeasible to find *any* two messages `m1` and `m2`, both of the attacker&apos;s choosing, that produce the same digest. Nobody hands the attacker a target. They get to pick both sides. This is the weakest promise to keep, and the one every certificate and signature quietly relies on.
&lt;p&gt;The gap between those last two properties is not cosmetic; it is exponential, and it has a name.&lt;/p&gt;

For an `n`-bit digest, finding a collision takes only about `2^(n/2)` work, not `2^n`. The name comes from the birthday paradox: in a room of just 23 people, two probably share a birthday, because what matters is the number of *pairs*, which grows quadratically. Collisions among many hashes are similarly cheap.
&lt;p&gt;That square-root haircut is brutal. By that bound, a 128-bit MD5 digest [@rfc1321-md5] offers only about $2^{64}$ collision security, and a 160-bit SHA-1 digest only about $2^{80}$. Preimage and second-preimage attacks still cost close to the full $2^{128}$ or $2^{160}$, which is why -- spoiler for Section 8 -- those properties survived while collision resistance did not. When you hear &quot;MD5 is broken,&quot; the precise statement is &quot;MD5&apos;s roughly $2^{64}$ collision barrier fell far below $2^{64}$.&quot; It is not &quot;you can invert an MD5 hash.&quot;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Property&lt;/th&gt;
&lt;th&gt;Informal promise&lt;/th&gt;
&lt;th&gt;Generic attack cost&lt;/th&gt;
&lt;th&gt;What it protects&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Preimage resistance&lt;/td&gt;
&lt;td&gt;Cannot find any message for a given digest&lt;/td&gt;
&lt;td&gt;about &lt;code&gt;2^n&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Password storage, commitments&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Second-preimage resistance&lt;/td&gt;
&lt;td&gt;Cannot match a &lt;em&gt;given&lt;/em&gt; message&apos;s digest with another&lt;/td&gt;
&lt;td&gt;about &lt;code&gt;2^n&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Integrity of one known file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Collision resistance&lt;/td&gt;
&lt;td&gt;Cannot find &lt;em&gt;any&lt;/em&gt; two messages sharing a digest&lt;/td&gt;
&lt;td&gt;about &lt;code&gt;2^(n/2)&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Certificates, signatures, content addressing&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;h3&gt;One construction under all of them&lt;/h3&gt;
&lt;p&gt;MD5, SHA-1, and SHA-2 are not three unrelated designs. They are three members of one family, built from the same skeleton.&lt;/p&gt;

A design that turns a fixed-size compression function into a hash for arbitrary-length messages. You start from a fixed initial value (the IV), split the padded message into blocks, and feed each block plus the running state through the compression function. The final state is the digest.

flowchart LR
    IV[&quot;Fixed IV&quot;] --&amp;gt; F1[&quot;Compress&quot;]
    M1[&quot;Block 1&quot;] --&amp;gt; F1
    F1 --&amp;gt; F2[&quot;Compress&quot;]
    M2[&quot;Block 2&quot;] --&amp;gt; F2
    F2 --&amp;gt; F3[&quot;Compress&quot;]
    M3[&quot;Block 3 plus length padding&quot;] --&amp;gt; F3
    F3 --&amp;gt; D[&quot;Digest&quot;]
&lt;p&gt;Ronald Rivest published MD5 in April 1992 as RFC 1321, producing a 128-bit digest [@rfc1321-md5].Rivest is the &quot;R&quot; in RSA. MD5 was his hardened successor to MD4, and RFC 1321 says it &quot;backs off&quot; from MD4&apos;s speed for a &quot;greater likelihood of ultimate security.&quot; The US government&apos;s SHA lineage followed a parallel path: SHA (retroactively SHA-0) arrived in FIPS 180 in 1993, and SHA-1 replaced it in FIPS 180-1 on 17 April 1995 with a 160-bit digest [@fips-180-1].SHA-0 was withdrawn within about two years for an undisclosed weakness. SHA-1 differs from it by a single added one-bit rotation in the message schedule -- a fix whose importance Section 3 makes concrete.&lt;/p&gt;
&lt;h3&gt;Why a collision is a forgery&lt;/h3&gt;
&lt;p&gt;Here is the load-bearing fact that ties the fragile clause to the real world. A digital signature does not sign your whole message. It signs &lt;em&gt;the hash&lt;/em&gt; of your message, because the message may be gigabytes and the signing math is slow. The signer computes a digest, then encrypts that short digest with a private key.&lt;/p&gt;

flowchart TD
    M1[&quot;Message A, benign&quot;] --&amp;gt; H[&quot;Hash function&quot;]
    M2[&quot;Message B, malicious&quot;] --&amp;gt; H
    H --&amp;gt; D[&quot;One shared digest&quot;]
    D --&amp;gt; S[&quot;Signer signs the digest&quot;]
    S --&amp;gt; Sig[&quot;A single signature&quot;]
    Sig --&amp;gt; Cover[&quot;Valid for A and for B&quot;]
&lt;p&gt;Follow the consequence. If an attacker finds two messages with the same digest, and persuades someone to sign the harmless one, that same signature is automatically valid on the malicious one. The certificate authority signs a benign-looking certificate request; the attacker walks away with a valid signature on a forged certificate that shares its hash. Collision resistance is the &lt;em&gt;only&lt;/em&gt; thing standing between &quot;sign this document&quot; and &quot;you just signed a document you never saw.&quot;&lt;/p&gt;
&lt;p&gt;{`&lt;/p&gt;
&lt;p&gt;  const safe = [&quot;hmac&quot;, &quot;checksum&quot;, &quot;legacy-verify&quot;, &quot;kdf&quot;];&lt;/p&gt;
&lt;p&gt;  if (collisionDependent.includes(use)) {
    return &quot;MIGRATE -- collision-dependent, move to SHA-2 or SHA-3&quot;;
  }
  if (safe.includes(use)) {
    return &quot;OK -- collision resistance is not relied on&quot;;
  }
  return &quot;REVIEW -- ask: can an adversary supply both inputs and profit?&quot;;
}&lt;/p&gt;
&lt;p&gt;[&quot;certificate&quot;, &quot;hmac&quot;, &quot;git-object&quot;, &quot;checksum&quot;, &quot;code-signing&quot;].forEach(function (u) {
  console.log(u, &quot;-&amp;gt;&quot;, auditHashUse(u));
});
`}&lt;/p&gt;
&lt;h3&gt;Choosing a target&lt;/h3&gt;
&lt;p&gt;Once you know a use must move, pick the destination by requirement, not by fashion. &lt;strong&gt;SHA-256&lt;/strong&gt; is the FIPS default and the safe first answer: NIST tells designers to implement it at a minimum, and it is hardware-accelerated on modern CPUs [@fips-180-4-sha2, @nist-policy-hash]. Want length-extension resistance for free? &lt;strong&gt;SHA-512/256&lt;/strong&gt; truncates a wider computation and never leaks its full state [@fips-180-4-sha2]. Want structural diversity or an extendable-output function? Reach for &lt;strong&gt;SHA-3 or SHAKE&lt;/strong&gt; [@fips-202-sha3].&lt;/p&gt;
&lt;p&gt;If raw speed dominates and a FIPS stamp is not required, &lt;strong&gt;BLAKE3&lt;/strong&gt; is the fastest of the group and length-extension-immune [@blake3-repo]. And if you are stuck on a SHA-1 you cannot rip out this quarter, deploy &lt;code&gt;sha1dc&lt;/code&gt; collision detection the way Git did, then schedule the real migration behind it [@sha1dc-stevens-shumow-2017].&lt;/p&gt;
&lt;h3&gt;The mistakes, mapped to the breaks&lt;/h3&gt;
&lt;p&gt;Every common hashing mistake is a small echo of one of the four incidents. Naming the echo makes the fix obvious.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;The mistake&lt;/th&gt;
&lt;th&gt;The break it echoes&lt;/th&gt;
&lt;th&gt;The fix&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;MD5 or SHA-1 for certificates or code signing&lt;/td&gt;
&lt;td&gt;Rogue CA (2008), Flame (2012)&lt;/td&gt;
&lt;td&gt;SHA-256 signatures [@fips-180-4-sha2]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SHA-1 as a content-address or dedup key&lt;/td&gt;
&lt;td&gt;SHATTERED (2017)&lt;/td&gt;
&lt;td&gt;SHA-256 objects, &lt;code&gt;sha1dc&lt;/code&gt; as a stopgap [@sha1dc-stevens-shumow-2017]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SHA-1 for identity or Web-of-Trust signatures&lt;/td&gt;
&lt;td&gt;Shambles (2020), CVE-2019-14855&lt;/td&gt;
&lt;td&gt;Modern GnuPG on SHA-256 [@shambles-2020]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;H(secret || message)&lt;/code&gt; used as a MAC&lt;/td&gt;
&lt;td&gt;Length extension&lt;/td&gt;
&lt;td&gt;HMAC, or KMAC on SHA-3 [@rfc2104-hmac]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Assuming a collision break means a preimage break&lt;/td&gt;
&lt;td&gt;--&lt;/td&gt;
&lt;td&gt;Keep salted preimage and HMAC uses; migrate only collision-dependent ones [@nist-policy-hash]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Two pitfalls deserve their own warning because they masquerade as fixes. Swapping Ethereum&apos;s Keccak-256 for standardized SHA3-256 silently changes your digests [@fips-202-sha3]. And treating &lt;code&gt;sha1dc&lt;/code&gt; as a migration rather than a stopgap leaves you permanently one clever attack away from trouble; detection buys time, it does not end the dependency.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Whatever legacy you must tolerate, draw one hard line: never &lt;em&gt;generate&lt;/em&gt; a new MD5 or SHA-1 signature, certificate, or code-signing object. Every incident in this article began where a system was still willing to sign with a dead hash.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Internalize that audit question and these habits, and you have absorbed the base rate this whole history was written to establish. It remains only to name it.&lt;/p&gt;
&lt;h2&gt;11. The Base Rate&lt;/h2&gt;
&lt;p&gt;Return to the digest from the opening: &lt;code&gt;38762cf7f55934b34d179ae6a4c80cadccbb7f0a&lt;/code&gt;. You can read it now. It is a SHA-1 value shared by two different PDFs -- an &lt;em&gt;identical-prefix&lt;/em&gt; collision from SHATTERED, which means it proved SHA-1 dead for content addressing but could not, on its own, forge a certificate for a chosen identity [@shattered-2017]. That one artifact contains the whole argument in miniature: a real mathematical break, precisely scoped, whose damage depended entirely on what still trusted it.&lt;/p&gt;
&lt;p&gt;Stretch that artifact across nearly four decades. From MD5&apos;s publication in 1992 to the federally mandated retirement of its successor SHA-1 in 2030 is a thirty-eight-year empirical record [@rfc1321-md5, @nist-sha1-retire-2022]. Inside it sit four undisputed, reproducible, weaponized breaks -- the 2008 rogue CA, 2012&apos;s Flame, 2017&apos;s SHATTERED, 2020&apos;s Shambles. Four in twelve years, on two primitives that fell the same way, is not a scare story. It is a measured base rate, and it is the entire justification for migrating to SHA-2 and SHA-3.&lt;/p&gt;

Every break in this story needed two failures at once: a hash whose math had fallen, and a deployment that had not yet stopped trusting it.
&lt;p&gt;That is how this article honors the series&apos; thesis without lying about the mathematics. This is the one topic where the primitive genuinely fell -- and even here, cryptanalysis was necessary and never sufficient. RapidSSL had to still be signing with MD5. Microsoft&apos;s licensing PKI had to still be signing with MD5. GnuPG had to still default to SHA-1. The math was the loaded chamber; the still-live deployment pulled the trigger.&lt;/p&gt;
&lt;p&gt;And keep the boundary honest, because the slogan overreaches in both directions. &quot;Broken&quot; is scoped to collision-dependent uses: HMAC-SHA-1 survives on a proof, and preimage resistance held [@rfc2104-hmac, @nist-policy-hash]. The successors do not stand in a line of succession at all -- SHA-2 and SHA-3 coexist by diversification, one construction covering the other&apos;s structural blind spot.&lt;/p&gt;
&lt;p&gt;For the mechanisms of how the successors themselves could someday be attacked -- Merkle-Damgard collisions, length extension, and the sponge&apos;s algebraic frontier -- see the structural sibling to this piece, &lt;a href=&quot;https://paragmali.com/blog/how-sha-2-and-sha-3-would-break-merkle-damgard-collisions-le/&quot; rel=&quot;noopener&quot;&gt;&lt;em&gt;How SHA-2 and SHA-3 Would Break&lt;/em&gt;&lt;/a&gt;, along with the series&apos; dedicated hash and X.509/PKI field guides. The migration itself is not a debate. It is an argument the evidence already won. The only open question left is how fast the still-live tail catches up before the next drop in attack cost reaches the systems that forgot to.&lt;/p&gt;
&lt;h2&gt;12. Frequently Asked Questions&lt;/h2&gt;


Yes, for collision-dependent uses such as signatures and certificates, where its collision resistance has fallen far below the birthday bound. No, for its other promises: SHA-1 preimage resistance remains intact, and HMAC-SHA-1 is not broken by any collision attack [@rfc2104-hmac, @nist-policy-hash]. &quot;Broken&quot; is a statement about one property, not the whole function.


No, and the difference is the whole game. SHATTERED (2017) is an identical-prefix collision: it proved SHA-1 dead for content addressing but cannot forge a chosen identity [@shattered-2017]. Shambles (2020) is a chosen-prefix collision: strictly more powerful, and the capability that actually forges certificates and impersonates identities [@shambles-2020].


No. Git added `sha1dc` collision detection and an opt-in SHA-256 object format, but SHA-1 is still the default object format for most repositories [@sha1dc-stevens-shumow-2017, @git-hash-transition]. The transition is staged and largely unfinished; do not assume your repository has migrated.


Yes. HMAC&apos;s security reduces to the compression function acting as a pseudorandom function, not to collision resistance, so the collision attacks in this article do not apply. RFC 2104 stated this in 1997, and later proofs formalized it [@rfc2104-hmac]. You do not need to rip HMAC-SHA-1 out on account of SHATTERED or Shambles.


No. Antoine Joux showed in 2004 that multicollisions in iterated hashes make a concatenation only about as strong as its stronger component, not the sum of the two [@joux-multicollisions-c04]. Cascading broken hashes is a dead end; migrate to a single strong hash instead.


No. Ethereum uses the original Keccak padding, finalized before FIPS 202 changed the padding rule for standardized SHA-3. The two produce different digests for the same input, so the libraries are not interchangeable [@fips-202-sha3].


Yes, but narrowly. Non-adversarial checksums that detect accidental corruption, HMAC, key derivation, and verification of already-trusted legacy data are all acceptable, because none relies on an adversary being unable to find a collision [@nist-policy-hash]. Never use either for a new signature, certificate, or code-signing operation.

&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-hash-functions-broke-in-real-life&quot; keyTerms={[
  { term: &quot;Collision resistance&quot;, definition: &quot;The infeasibility of finding any two messages that share a digest. The fragile promise that fell for MD5 and SHA-1.&quot; },
  { term: &quot;Birthday bound&quot;, definition: &quot;Collision work is about 2 to the n over 2, not 2 to the n, so a 160-bit hash offers only 80-bit collision security.&quot; },
  { term: &quot;Identical-prefix collision&quot;, definition: &quot;Two near-twin messages that share a prefix and one digest. Breaks content addressing but cannot forge a chosen identity.&quot; },
  { term: &quot;Chosen-prefix collision&quot;, definition: &quot;Two different attacker-chosen prefixes driven to one digest. The hinge capability that turns a collision into a forgery.&quot; },
  { term: &quot;Merkle-Damgard construction&quot;, definition: &quot;The iterated compression design shared by MD5, SHA-1, and SHA-2, which also carries length extension as a structural liability.&quot; },
  { term: &quot;HMAC&quot;, definition: &quot;A keyed authenticator whose security rests on a pseudorandom-function assumption, not collision resistance, so HMAC-SHA-1 remains safe.&quot; }
]} questions={[
  { q: &quot;Why did a working MD5 collision in 2004 not immediately forge certificates?&quot;, a: &quot;It was an identical-prefix collision, which cannot encode two different chosen identities. Forgery needed the chosen-prefix capability from 2007.&quot; },
  { q: &quot;What were the two failures behind every breach in this article?&quot;, a: &quot;A hash whose collision resistance had already fallen, and a deployment that still trusted it, such as RapidSSL, Microsoft&apos;s licensing PKI, or GnuPG 1.4.&quot; },
  { q: &quot;Why do SHA-2 and SHA-3 both exist if neither is broken?&quot;, a: &quot;Diversification. SHA-3&apos;s sponge fails differently from Merkle-Damgard and is immune to length extension, so it is a structurally different backup.&quot; },
  { q: &quot;Is HMAC-SHA-1 affected by SHATTERED or Shambles?&quot;, a: &quot;No. HMAC does not rely on collision resistance, so those collision attacks do not compromise it.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>hash-functions</category><category>md5</category><category>sha-1</category><category>collision-attack</category><category>cryptography</category><category>sha-2</category><category>sha-3</category><category>pki</category><author>noreply@paragmali.com (Parag Mali)</author></item></channel></rss>