ietf-openpgp

Re: Mandatory Algorithm Changes?

2005-02-08 12:29:14

I agree with Werner specifically that it seems premature to jump
onto SHA-256, at this time of flux in the cryptographic community's
understanding of hash functions.  MD5 and several other comparable hashes
are broken but the techniques are still secret and unpublished AFAIK.
Reduced forms of SHA-1 have some attacks but the full version is still OK.
There were even comments suggesting that the SHA-256 family may not be
as secure as was previously believed.

I haven't heard much more about these since then.  Looking at the IACR
eprints archive, I find http://eprint.iacr.org/2005/010 from January 2005,
by Rijmen and Oswald:

"We report on the experiments we performed in order to assess the security
of SHA-1 against the attack by Chabaud and Joux. We present some ideas for
optimizations of the attack and some properties of the message expansion
routine. Finally, we show that for a reduced version of SHA-1, with 53
rounds instead of 80, it is possible to find collisions in less than
$2^{80}$ operations."

That's the known state of the art, and it's not terribly worrisome,
but these researchers are not employing the secret Chinese techniques.
SHA-1 is structurally similar to MD5 so there is reason to fear that the
MD5 break could be extended to SHA-1, either by the original researchers,
or by others once they publish their methods.  OTOH SHA-1 does have some
twists and complexity that MD5 does not, which could immunize it against
the attacks.

The information on SHA-256 is available at http://eprint.iacr.org/2004/207,
by Hawkes et al.  While this is not an attack, it shows flaws in an
earlier analysis that suggested that the SHA-256 family was strong in
certain ways.

All in all the field is in turmoil these days.  I would hesitate to take
any steps right now with the hash functions, beyond of course deprecating
MD5 as we have done.

Hal Finney