Google Has Demonstrated a Successful Practical Attack Against SHA-1 (googleblog.com)
Reader Artem Tashkinov writes: Ten years after SHA-1 was first introduced, Google has announced the first practical technique for generating an SHA-1 collision. It required two years of research between the CWI Institute in Amsterdam and Google. As a proof of the attack, Google has released two PDF files that have identical SHA-1 hashes but different content. The number of computations required to carry out the attack is staggering: nine quintillion (9,223,372,036,854,775,808) SHA-1 computations in total, which took 6,500 years of CPU computation to complete the attack's first phase and 110 years of GPU computation to complete the second phase.
Google says that people should migrate to newer hashing algorithms like SHA-256 and SHA-3; however, it's worth noting that there are currently no ways of finding a collision for both MD5 and SHA-1 hashes simultaneously, which means that we can still use old, proven, hardware-accelerated hash functions to be on the safe side.
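As an added example of the migration Google recommends (this is not code from the post, from Google or from any Ubuntu tooling), here is a checker for md5sum/sha1sum/sha256sum-style checksum files: it verifies a download against the SHA-256 (or SHA-512) digest and reports a listing that only carries MD5/SHA-1 digests as unverified instead of trusting it. The function names and the sample image contents are constructed for the example.

```python
import hashlib

# Hex-digest length identifies which hash a checksum line was produced with.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# Only these count as verification; md5 and sha1 listings are reported as weak.
STRONG = {"sha256", "sha512"}

def make_sums_line(name, data, algo):
    """Build one 'HEX  filename' line in md5sum/sha1sum/sha256sum output format."""
    return f"{hashlib.new(algo, data).hexdigest()}  {name}\n"

def parse_sums(text):
    """Parse checksum-file text into {filename: {algo: hexdigest}}, skipping malformed lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # 'HEX  name' or 'HEX *name' (binary mode)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None or not name:
            continue
        entries.setdefault(name, {})[algo] = digest
    return entries

def verify(name, data, entries):
    """Return 'ok', 'mismatch', 'weak-only' or 'unlisted' for a downloaded file.
    'weak-only' means every listed digest is md5/sha1; the file is reported as
    unverified rather than trusted on a hash with practical collision attacks."""
    listed = entries.get(name)
    if not listed:
        return "unlisted"
    strong = {a: h for a, h in listed.items() if a in STRONG}
    if not strong:
        return "weak-only"
    for algo, expected in strong.items():
        if hashlib.new(algo, data).hexdigest() != expected:
            return "mismatch"
    return "ok"

if __name__ == "__main__":
    # Constructed sample image and checksum files (not real Ubuntu data).
    iso = b"constructed sample image contents\n" * 1000
    sha1_only = parse_sums(make_sums_line("sample.iso", iso, "sha1"))
    sha256 = parse_sums(make_sums_line("sample.iso", iso, "sha256"))
    print(verify("sample.iso", iso, sha1_only))        # weak-only
    print(verify("sample.iso", iso, sha256))           # ok
    print(verify("sample.iso", iso + b"!", sha256))    # mismatch
```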
Re:Practical? (Score:5, Interesting)
It is all about cost-benefit. CPU speeds continue to get faster, and renting CPU time on cloud providers become cheaper and cheaper.
Why is this significant? There are still major certificate authorities out there with intermediate certificates using SHA-1. Find a collision for these certificates, and you essentially become a new intermediate certificate authority with the ability to issue domain certs for basically anything you want and they'll validate in browsers.
Now think of government agencies or crime syndicates that could afford the CPU/GPU time to do this. It is a highly practical attack vector now.
Re: (Score:2)
Well, what exactly a time unit of CPU computation means isn't defined (it's like saying "This item cost me 500 monetary units", there's no context), but if we just take it to mean a literal amount of time on any random CPU...
6,500 years of CPU time potentially costs as little as ~$171k USD at Amazon, and compute costs are continuously falling.
Re: (Score:2)
how did you come up with that price?
Spot pricing on a 36CPU c4.8xl is currently $0.46/hour.
6500 years in hours / 36 * $0.46/hour [wolframalpha.com] is $728K
Spot pricing may go lower from time to time, but on-demand pricing for the c4.8xl is $1.80/hour, so $0.46 is already a significant discount. The upcoming c5 series should help with pricing.
Re: (Score:2)
They have an alternative use of the word practical.
Re: (Score:3)
If Google can do that, NSA can surely do that - maybe not right now but quite soon.
Also don't underestimate various botnets - right now they are mostly used for spamming/DDoS'ing/cryptocurrency mining (which in itself is hashing) but they can be used for finding collisions in SHA-1 as well.
Also don't forget that "practical" in this case means that an attack can be carried out using currently existing available computational resources, vs. something purely theoretical which requires billions of CPUs/
Re: (Score:2)
Accelerate SHA-1 hashes to nearly the speed of light and then collide them. Capture all of the bits that come flying out to understand what is inside.
What should happen and what will happen (Score:3)
For variable values of "practical" and "relevant" (Score:2)
The thing is that there is not actually a lot you can do with an SHA-1 hash collision. Sure, you may be able to impersonate a site by use of a fake certificate. But these are around anyway because of CAs with shoddy security and governments that do not understand the value of security and just coerce CAs into giving them out. So an SHA-1 collision is actually a bit of overkill for that and likely the most expensive option by a large margin. So what else is left? I do not see anything.
Sure, if this was somethin
Are two hashes better than one? (Score:4, Interesting)
Any crypto geeks want to weigh in on the truth of this statement? I've often wondered about this. Wouldn't using two hash algorithms be easier and more effective over the long term than getting the whole world to upgrade to the Latest And Greatest Hash every ~10 years?
Re: (Score:2)
Perhaps I was completely wrong [sans.edu] - skip to the Mysid's comment. My sincere apologies then. But this explanation just doesn't work/compute in my head - even today finding MD5 collisions is extremely computationally expensive, yet the person says SHA1 + MD5 is only slightly more computationally expensive.
Let's put it in layman's terms: let's say your cluster made of a thousand GPUs finds MD5 collisions for given data every second. Now finding an SHA1 collision in Google's case required 9,223,372,036,854,775,8
Re: (Score:2)
Re: (Score:2)
True! As for me, I usually run downloaded PDFs through virustotal.com, and all scripting features in my Acrobat Reader are completely disabled.
Speaking of ISOs: most Ubuntu mirrors (and their official servers as well) distribute Ubuntu ISOs via HTTP and FTP. That's so "lovely" considering that any ISP can easily replace your HTTP traffic. Yes, they have PGP signatures, but 99% of people out there have no idea how to verify them. And those PGP signatures are distributed from the same ... insecure ch
Practical (Score:2)
SHA-1 has only been around for 10 years? (Score:1)
I know this isn't the primary point of the announcement, but does anyone know where the authors get 10 years from, as included in this statement: "Today, 10 years after of SHA-1 was first introduced..."? Best I can tell, SHA-1 was formally defined in 1995 (FIPS PUB 180-1), and I'm pretty certain it was in common widespread use long before 2007. Are they referring to the first time it was introduced into one of their own products or something? Or am I missing something obvious?