[QUOTE]Today, 10 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.
For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage. Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. As early as 2014, the Chrome team announced that they would gradually phase out using SHA-1. We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure.
We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.[/QUOTE]
[url=https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html]Source[/url]
[url]https://shattered.it/[/url]
[quote]Who is capable of mounting this attack?
This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations.[/quote]
Fucking hell
[QUOTE=TheJoker;51864171]Fucking hell[/QUOTE]
That could be around $15 mil in GPUs. It's possible for a state actor too.
[QUOTE=TheJoker;51864171][QUOTE]Who is capable of mounting this attack? This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations.
[/QUOTE]
Fucking hell[/QUOTE]
[QUOTE=m3ta] To put things into perspective, let the Bitcoin network hashrate (double SHA256 per second) = B and the number of SHA1 hashes calculated in shattered = G.
B = 3,116,899,000,000,000,000
G = 9,223,372,036,854,775,808
[/QUOTE]
From the post on HackerNews.
So if the entire Bitcoin network had the goal of breaking SHA-1, it would find a collision [B]once every 3 seconds[/B].
I highly recommend playing around with [URL]https://anders.com/blockchain/[/URL] if you want to become more familiar with SHA hashing and how it relates to the Bitcoin blockchain
[editline]23rd February 2017[/editline]
[QUOTE=lisper]This point seems to be getting re-hashed (no pun intended) a lot, so here's a quick summary: there are three kinds of attacks on cryptographic hashes: collision attacks, second-preimage attacks, and first-preimage attacks.
[B]Collision attack[/B]: find two documents with the same hash. That's what was done here.
[B]Second-preimage attack[/B]: given a document, find a second document with the same hash.
[B]First-preimage attack[/B]: given an arbitrary hash, find a document with that hash.
These are in order of increasing severity. A collision attack is the least severe, but it's still very serious. You can't use a collision to compromise existing certificates, but you can use them to compromise future certificates because you can get a signature on one document that is also valid for a different document. Collision attacks are also stepping stones to pre-image attacks.
[/QUOTE]
Another interesting comment on the HN post
Hum, what the fuck does it all mean in layman's terms?
[QUOTE=DEMONSKUL;51864815]Hum, what the fuck does it all mean in layman's terms?[/QUOTE]
Basically it's an antiquated hashing algorithm. So don't use it. Use something like SHA256 or greater. But in all honesty, if you don't understand it as is, you're likely not going to be affected by anything coming from this. At least in a way that you can directly control.
This is basically just the first warning sign that SHA1 is showing its age.
[QUOTE=DEMONSKUL;51864815]Hum, what the fuck does it all mean in layman's terms?[/QUOTE]
I could be wrong, but I think SHA1 is basically a number generator used as some sort of defense against cryptography? The NSA developed it as far as I'm concerned.
Huh.
[QUOTE=Ax3l;51864853]I could be wrong, but I think SHA1 is basically a number generator used as some sort of defense against cryptography? The NSA developed it as far as I'm concerned.[/QUOTE]
SHA1 is a hash function. You run arbitrary data (such as the contents of a file) through the hash function and it spits out a number of a set length. The same data will always produce the same number (i.e. it's not random), but it's practically impossible to determine based on the hash number alone what the original data was due to how much computation power it would require.
This is useful in all situations where you want to verify that some data is genuine/correct (such as passwords/keys). Just run it through the hash function and see if it spits out the correct hash number.
You could always theoretically "defeat" a system relying on SHA1 by just guessing the correct data to provide to the hashing function to produce a matching hash number (brute force), but the sheer number of possibilities made this unfeasible. Except now some people have found a way to produce data to match specific hash values by methods that are a LOT better than brute force. Not easy by any means, but it highlights the need to switch over to hashing functions that are more secure.
A hashing algorithm assigns any object you feed it a unique number with constant length (called a hash). You can think of it as a fingerprint, which programs can use to verify a file or signature. A common example is passwords: they are usually never saved in plaintext, but rather as a hash, to avoid your plaintext password being at risk of being stolen. When you log in somewhere, instead of comparing your password directly, it generates the hash again and checks if it's the same as the one it generated when you created your password.
This attack makes it possible to find a second object that will generate the same hash, which allows you to trick a lot of security and cryptography protocols into thinking they are dealing with a legitimate object.
edit: n-n-n-ninjad
must be all that Google Chrome / apps and Android cycles which went missing in action ;)
[QUOTE=DEMONSKUL;51864815]Hum, what the fuck does it all mean in layman's terms?[/QUOTE]
Practical example: Someone posts a program to a 3rd party site and says "The SHA1 hash is X", so when you download it you can calculate the hash yourself and see that it matches (and hasn't been tampered with by the 3rd party, any changes produce a different hash)
These guys have shown 2 files with the same hash, so it's possible for the file you uploaded to be something completely different, making the security of that SHA1 hash useless
Found an interesting post from 2012 of what would happen to git if your repository had 2 identical sha-1 blobs [URL]https://stackoverflow.com/questions/9392365/how-would-git-handle-a-sha-1-collision-on-a-blob/34599081#34599081[/URL]
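Worth knowing when reading that Stack Overflow thread: git never hashes a file's raw bytes. It hashes a header of the form "blob <size>\0" followed by the content, so the two SHAttered PDFs, which collide as raw files, do not collide as git blobs unless the attacker built the collision with that header inside the shared prefix. The snippet below is an added example (not code from the thread and not git's own implementation); the object store is a toy model with first-writer-wins semantics, which is how any content-addressed store that assumes ids are unique behaves when two different contents share an id.

```python
"""git blob ids and a toy content-addressed store.

Added example, not git's code.  git_blob_id reproduces git's blob naming
(the two reference values in the test are what `git hash-object` prints
for an empty file and for the bytes b"hello\n").  ToyObjectStore is an
assumed, simplified model of a store keyed by that id.
"""
import hashlib


def git_blob_id(content: bytes) -> str:
    """Object id git assigns to a blob: SHA-1("blob <size>\0" + content).

    Because the length header is hashed first, it changes SHA-1's internal
    state before the file bytes are processed.  Two files that collide as
    plain SHA-1 inputs therefore do not automatically collide as blobs.
    """
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def raw_sha1(content: bytes) -> str:
    """Plain SHA-1 of the bytes, what `sha1sum` would print."""
    return hashlib.sha1(content).hexdigest()


class ToyObjectStore:
    """Content-addressed store keyed by blob id (toy, not git).

    An object whose id is already present is treated as already stored, so
    the first writer wins and a later, different content with the same id
    is silently dropped.  That is the failure mode a SHA-1 collision would
    exploit in an unchecked store.
    """

    def __init__(self):
        self._objects = {}

    def put(self, content: bytes) -> str:
        oid = git_blob_id(content)
        self._objects.setdefault(oid, content)
        return oid

    def get(self, oid: str) -> bytes:
        return self._objects[oid]


class CheckingObjectStore(ToyObjectStore):
    """Same store, but compares content on write instead of trusting the id.

    This is the cheap check that turns a silent substitution into an error.
    It only helps if the legitimate object was not already displaced by
    the attacker's object before the check ran.
    """

    def put(self, content: bytes) -> str:
        oid = git_blob_id(content)
        existing = self._objects.get(oid)
        if existing is not None and existing != content:
            raise ValueError("id %s already maps to different content" % oid)
        self._objects[oid] = content
        return oid


if __name__ == "__main__":
    data = b"hello\n"
    print("sha1sum :", raw_sha1(data))
    print("git blob:", git_blob_id(data))
```

The two hashes printed for the same bytes differ, which is the whole point: a published "sha1sum" of a download and the id git stores for the same file are different values over different inputs, and an attacker has to target whichever one the verifier actually checks.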
Rest in peace all Database admins.
[QUOTE=Greenen72;51865956]Practical example: Someone posts a program to a 3rd party site and says "The SHA1 hash is X", so when you download it you can calculate the hash yourself and see that it matches (and hasn't been tampered with by the 3rd party, any changes produce a different hash)
These guys have shown 2 files with the same hash, so it's possible for the file you uploaded to be something completely different, making the security of that SHA1 hash useless[/QUOTE]
Not exactly. This is still just a collision, not a preimage attack. They need to have control over both documents in order to come up with a collision. If [i]you[/i] say that the hash of your file is X, [i]they[/i] cannot generate another file with the same hash. What they can do is generate two different documents with different data but the same hash.
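The distinction in lisper's summary above (collision versus second preimage) and the point made in the reply directly above (the attacker has to control both documents) can be made concrete with a toy. This is an added example, not code from the thread or from the SHAttered authors: it truncates SHA-1 to 16 bits (an assumption chosen so both brute-force searches finish quickly) and runs both attacks. With real 160-bit SHA-1 the generic birthday collision is about 2^80 work, SHAttered's cryptanalysis brought a collision down to about 2^63, and a second preimage is still about 2^160, which is why the published download scenario above is not directly broken by this result.

```python
"""Toy comparison of a collision attack and a second-preimage attack.

Added example, not code from the thread.  TOY_BITS (assumption) truncates
SHA-1 so the searches finish in well under a second; the scaling, not the
absolute numbers, is the point.  A collision costs about 2^(bits/2) hashes
and a second preimage about 2^bits, so with 16 bits expect roughly 256
iterations versus roughly 65,536.
"""
import hashlib

TOY_BITS = 16


def toy_hash(data: bytes, bits: int = TOY_BITS) -> int:
    """SHA-1 truncated to its first `bits` bits.  Toy only, not secure."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def find_collision(bits: int = TOY_BITS):
    """Collision attack: the attacker writes BOTH documents.

    Each iteration drafts one benign and one malicious contract (constructed
    sample text) and looks for any benign/malicious pair sharing a hash.
    Returns (benign_doc, malicious_doc, iterations).
    """
    benign_seen = {}
    malicious_seen = {}
    i = 0
    while True:
        i += 1
        benign = b"I agree to pay $100. Ref %d" % i
        malicious = b"I agree to pay $1,000,000. Ref %d" % i
        hb, hm = toy_hash(benign, bits), toy_hash(malicious, bits)
        if hb == hm:
            return benign, malicious, i
        if hm in benign_seen:
            return benign_seen[hm], malicious, i
        if hb in malicious_seen:
            return benign, malicious_seen[hb], i
        benign_seen[hb] = benign
        malicious_seen[hm] = malicious


def find_second_preimage(target_doc: bytes, bits: int = TOY_BITS):
    """Second-preimage attack: the victim fixed target_doc and published
    its hash; the attacker must hit THAT value with a different document.
    Returns (forged_doc, tries).
    """
    target = toy_hash(target_doc, bits)
    tries = 0
    while True:
        tries += 1
        doc = b"I agree to pay $1,000,000. Ref %d" % tries
        if doc != target_doc and toy_hash(doc, bits) == target:
            return doc, tries


def compare_costs(bits: int = TOY_BITS) -> dict:
    """Run both attacks and report the work each needed."""
    benign, malicious, c_iters = find_collision(bits)
    victim_doc = b"Victim's own contract, hash published by the victim"
    forged, p_tries = find_second_preimage(victim_doc, bits)
    return {
        "collision_iterations": c_iters,
        "collision_valid": benign != malicious
        and toy_hash(benign, bits) == toy_hash(malicious, bits),
        "second_preimage_tries": p_tries,
        "preimage_valid": forged != victim_doc
        and toy_hash(forged, bits) == toy_hash(victim_doc, bits),
    }


if __name__ == "__main__":
    for key, value in compare_costs().items():
        print("%-24s %s" % (key, value))
```

Bump TOY_BITS to 20 or 24 and the collision search stays fast while the second-preimage search becomes painful, which is exactly the gap the reply above is describing: SHAttered lets someone who authors both PDFs get a signature or a published hash that covers either one, but it does not let them match a hash someone else already published.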
[QUOTE=Obama Yo Momma;51866765]Rest in peace all Database admins.[/QUOTE]
Any DBAs who have been actively using SHA-1 up to this point likely RIP'd a while ago. The push for improved algos has been going on for some time. This news isn't a shock to anyone, it's just the first time we have seen it confirmed in practice.
PBKDF2, which uses SHA-1, is still the de facto key derivation standard absolutely everywhere. Including WPA2 and many operating systems.
Still, it's just key derivation; once the key has been derived it stays the same?