Follow

We have computed the very first chosen-prefix collision for SHA-1. To put it in another way: all attacks that are practical on MD5 are now also practical on SHA-1.

We have reduced the cost of a collision attack from 2^64.7 to 2^61.2, and the cost of a chosen-prefix collision attack from 2^67.1 to 2^63.4.

Demo: The legacy branch of GnuPG (version 1.4) is vulnerable. We have created two PGP keys with different UserIDs and colliding certificates.

sha-mbles.github.io/

@niconiconi
I'm confused. It says this is the first ever chosen prefix collision attack, but also that the performance improvement is only a factor of 10; that is a big improvement, but not big enough to consider something to be in shambles when it wasn't before. Or am I just unaware that SHA-1 is already considered rather insecure.

@philipwhite
You're unaware. Sha 1 has been considered "not safe future use" for some time now.
@niconiconi

@ScriptFanix @philipwhite SHA-1 is considered academically problematic since 2005 (security claim reduced from 2^80 to 2^69), with better and better attacks coming out every year. schneier.com/blog/archives/200

In the ideal world, SHA-1 should've been long retired. Bruce Schneier was arguing for its retirement since 2004... schneier.com/essays/archives/2

@niconiconi @ScriptFanix @philipwhite "should have been retired long ago". A lot of times the weaker algorithms are simply being used to detect transfer errors or benign accidental changes instead of malicious intent. Heck, it took me a decade to get the company I work at to move away from identifying file revisions by timestamps.

@niconiconi does this provide a simultaneous collision with SHA1 and MD5?

@niconiconi Well that isn't completely terrifying or anything.

Sign in to participate in the conversation
Cybrespace

Cybrespace is an instance of Mastodon, a social network based on open web protocols and free, open-source software. It is decentralized like e-mail.