Slashdot Mirror


More on Newly Broken SHA-1

AnonymousStudent writes "Details are out about the reported broken SHA-1 hash function. The findings are that SHA-1 is not collision free and can be broken in 2^69 attempts instead of 2^80. This is about 2000 times faster. With today's computing power and Moore's Law, a SHA-1 hash does not last too long. Using a modified DES Cracker, for the small sum of up to $38M, SHA-1 can be broken in 56 hours, with current computing power. In 18 months, the cost should go down by half. Jon Callas, PGP's CTO, put it best: 'It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off.' As Schneier suggests, 'It's time for us all to migrate away from SHA-1.' Alternatives include SHA-256 and SHA-512."

10 of 362 comments

  1. Break only affects carefully constructed messages by Sam Ruby · Score: 4, Informative

    The new SHA-1 break only affects very carefully constructed messages. This means that it is completely useless for an attacker impersonating an existing message, unless that message was purposely constructed to be attackable. The attack is only useful if the attacker creates both messages, and the attacker can choose the exact format of both messages.

    --
    - Sam Ruby
  2. Hmmm by Lisandro · Score: 4, Informative

    The findings are that SHA-1 is not collision free and can be broken in 2^69 attempts instead of 2^80.

    Well, doh - it's a hash you silly, there will always be collisions.

    Anyway, it's nothing to panic about really. The amount of computer power needed to crack it is still massive. Unless you're investigated by the NSA, SHA-1 will be fine for quite a while.

  3. Re:Collision free hash? by IWannaBeAnAC · Score: 4, Informative

    It simply means that it is possible to find a collision without a brute-force scan of O(2^80) messages. Instead, because of weaknesses in the algorithm, it is only necessary to scan O(2^69) times.

  4. Re:This is big... by m50d · Score: 4, Informative

    They already exist. RIPEMD-160 is tried and tested and seems secure, or at the more experimental stage there's Whirlpool.

    --
    I am trolling
  5. Re:Break only affects carefully constructed messag by arkhan_jg · Score: 4, Informative

    Yes, but say someone creates a document (such as a contract) for you to digitally sign.

    If they're prepared to spend a realistic level of time on it they could create two of them that hash to the same thing, with a small but effective change to the second.

    You sign the first with SHA-1, but your signature also matches on the second, putting you in a weak position when you try and claim "I didn't sign _that_!"

    The time/money requirements to do this aren't really practical yet, but they will be soon.

    As the sub says, time to start shifting off SHA-1.

    --
    Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
  6. Re:Yet Another Overblown Crypto Hack by Anonymous Coward · Score: 4, Informative

    The attack has nothing to do with trying to discover contents based on the hash, it has to do with generating intentional collisions.

    Attacks on hashes have absolutely nothing to do with discovering any kind of content, they have to do with the reliability of digital signatures, key exchange, data integrity, authentication etc.

    As for any kind of cryptography being sufficient...no, not really. Consider CSS...the encryption used on DVDs is no longer considered any kind of barrier to access.

    Similarly publicly visible hashes in password files on Unix systems haven't been considered secure for over 10 years, due to the simplicity and success rate of dictionary attacks (plus more recently, brute force is becoming increasingly easy).

  7. Follow-on work by fhmiv · Score: 5, Informative

    The concern is not so much that the method described in this break is feasible on today's hardware, or even that this method will get cheaper and cheaper as hardware gets faster. The BIG concern is that this method provides insight into SHA-1 in general, and will be used by others to come up with more efficient breaks or more egregious flaws.

  8. Advice: use toolkits like SASL by ites · Score: 4, Informative

    All crypto algorithms age, and even if the news of SHA-1's death is somewhat dramatised by people who make their living from security work, it's important to see _all_ crypto algorithms as temporary shims.

    That is why anyone developing new protocols and products that rely on security should use SASL, which abstracts the crypto layers in such a way that it's easy to change them over time.

    SASL is an IETF standard and there are open source implementations like Cyrus.

    --
    Sig for sale or rent. One previous user. Inquire within.
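The "temporary shim" point above, as an added example that is not from the thread or from any SASL implementation: a tag format that carries its own algorithm name, so the verifier can retire one hash and accept another without changing the message format. The MAC construction, the `alg:hex` label and the allow-list policy are assumptions made for the illustration; SASL itself negotiates mechanisms rather than individual hashes.

```python
import hmac

# Assumed policy for the illustration: SHA-1 has already been retired here,
# so a tag labelled "sha1" is refused before any digest is compared.
DEFAULT_ALG = "sha256"
ALLOWED_ALGS = frozenset({"sha256", "sha512"})


def make_tag(key: bytes, msg: bytes, alg: str = DEFAULT_ALG) -> str:
    """Produce '<alg>:<hex>' so the algorithm travels with the tag.

    Because the name is explicit, the signer can move from one hash to the
    next and old verifiers fail closed instead of mis-parsing the new tag.
    """
    digest = hmac.new(key, msg, alg).hexdigest()
    return f"{alg}:{digest}"


def verify_tag(key: bytes, msg: bytes, tag: str, allowed=ALLOWED_ALGS) -> bool:
    """Check the algorithm against policy first, then compare in constant time."""
    alg, sep, digest = tag.partition(":")
    if not sep or alg not in allowed:
        return False          # unknown or retired algorithm: reject outright
    expected = hmac.new(key, msg, alg).hexdigest()
    # compare_digest on bytes avoids both timing leaks and the str-only
    # ASCII restriction of the str form.
    return hmac.compare_digest(expected.encode(), digest.encode())


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    msg = b"constructed sample message"    # constructed sample input
    new_tag = make_tag(key, msg)
    old_tag = make_tag(key, msg, "sha1")   # what a legacy signer would emit
    print("current tag verifies:", verify_tag(key, msg, new_tag))
    print("legacy sha1 tag verifies under policy:", verify_tag(key, msg, old_tag))
```

The migration step is then a one-line policy change on the verifier (drop `sha1`, add the replacement), which is the property the comment is arguing for.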
  9. Re:Price by Uber Banker · Score: 4, Informative

    Apologies, $80k per problem.

  10. Re:Crypto custom... by Qzukk · Score: 4, Informative

    SHA-1 isn't about keys, or keyspaces. This attack is about finding two messages that hash to the same SHA-1 hash.

    It takes roughly 56 hours to go from a message of
    Please transfer $1,000,000 from account 123456789 to account 987654321
    which hashes to 0xAABBCCDD11223344, to a message of
    Please transfer $1,000,000 from account 123456789 to account 555555555 It's a nice sunny day please pardon the line noise Ab29!jqMV3o$2__#%#992mx...w,ea@L@L
    which also hashes to 0xAABBCCDD11223344, which means that it would have an identical signature, meaning that the original signature would validate the fake message.

    Personally, it's not the huge end-of-the-world scenario everyone thinks it is. It would probably take tens of thousands of years for this machine to output a well-formatted message that had a hash collision and could not be trivially discarded as gibberish.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
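The scenario sketched in comments 5 (arkhan_jg) and 10 (Qzukk), as an added example that is not part of the thread: hash-then-sign, a collision found by an attacker who controls both messages, and the resulting signature validating the twin. To run in seconds it models the generic birthday search against SHA-1 truncated to 32 bits (the 2^80 bound for the full function is the figure the reported 2^69 result improves on), not the differential attack the story describes, and signs with a toy textbook-RSA key; truncation width, key size and the "line noise" suffix format are all assumptions. The two transfer messages are the ones from Qzukk's comment.

```python
import hashlib

# Toy parameter: 32-bit truncation of SHA-1 so the birthday search is cheap.
# Against the full 160-bit function the same generic search costs ~2^80.
TRUNC_BITS = 32


def weak_digest(msg: bytes) -> int:
    """SHA-1 truncated to TRUNC_BITS bits, returned as an integer."""
    full = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return full >> (160 - TRUNC_BITS)


# Toy textbook RSA from two Mersenne primes (~92-bit modulus, no padding),
# assumed here only to make hash-then-sign concrete; never use as-is.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse, Python 3.8+


def sign(msg: bytes) -> int:
    """Hash-then-sign: the private key only ever sees the digest."""
    return pow(weak_digest(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == weak_digest(msg)


def birthday_collision(prefix_a: bytes, prefix_b: bytes, limit: int = 1 << 20):
    """Append attacker-chosen suffixes to two attacker-chosen prefixes until
    one suffix per prefix yields the same truncated digest.

    Expected cost is about 2^(TRUNC_BITS/2) hashes per side. This only works
    because the attacker crafts both messages (Sam Ruby's point in comment 1);
    matching a fixed, pre-existing message would be a second-preimage search
    costing ~2^TRUNC_BITS instead.
    """
    seen_a, seen_b = {}, {}
    for i in range(limit):
        suffix = b" #" + format(i, "x").encode()   # deterministic "line noise"
        da = weak_digest(prefix_a + suffix)
        if da in seen_b:
            return suffix, seen_b[da]
        seen_a[da] = suffix
        db = weak_digest(prefix_b + suffix)
        if db in seen_a:
            return seen_a[db], suffix
        seen_b[db] = suffix
    raise RuntimeError("no collision within limit")


GOOD = b"Please transfer $1,000,000 from account 123456789 to account 987654321"
EVIL = b"Please transfer $1,000,000 from account 123456789 to account 555555555"


def forge_demo():
    """Return (signed message, evil twin, signature, twin verifies, bare evil verifies)."""
    sa, sb = birthday_collision(GOOD, EVIL)
    m_good, m_evil = GOOD + sa, EVIL + sb
    sig = sign(m_good)                       # the victim signs only the benign text
    return m_good, m_evil, sig, verify(m_evil, sig), verify(EVIL, sig)


if __name__ == "__main__":
    good, evil, sig, twin_ok, bare_ok = forge_demo()
    print("signed:    ", good)
    print("also valid:", evil, twin_ok)
    print("evil message without its noise suffix verifies:", bare_ok)
```

Note that the signature transfers only to the exact twin with its gibberish suffix, which is the practical limitation both comments point at: the signer can refuse anything with trailing noise, and the attacker cannot target a message they did not construct.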