Re: SHA1 collisions proven possible

2017-03-02 Thread valdis . kletnieks
On Wed, 01 Mar 2017 22:57:06 -0600, James DeVincentis via NANOG said: > - Google created a weak example. The difference in the document they > generated was a background color. They didn’t even go a full RGBA > difference. > They went from Red to Blue. That’s a difference of 4 bytes (R and B

Re: SHA1 collisions proven possible

2017-03-02 Thread Jimmy Hess
On Wed, Mar 1, 2017 at 10:57 PM, James DeVincentis via NANOG wrote: > Let me add some context to the discussion. > With specific regard to SSL certificates: "Are TLS/SSL certificates at risk? > Any Certification > Authority abiding by the CA/Browser Forum regulations is not

Re: SHA1 collisions proven possible

2017-03-01 Thread Peter Kristolaitis
On 3/1/2017 10:50 PM, James DeVincentis via NANOG wrote: Realistically any hash function *will* have collisions when two items are specifically crafted to collide after expending insane amounts of computing power, money, and… i wonder how much in power they burned for this little stunt. Easy

Re: SHA1 collisions proven possible

2017-03-01 Thread Royce Williams
On Wed, Mar 1, 2017 at 7:57 PM, James DeVincentis via NANOG wrote: [ reasonable analysis snipped :) ] > With all of these reasons all wrapped up. It clearly shows the level of hype > around this attack is the result of sensationalist articles and clickbait > titles. I have

Re: SHA1 collisions proven possible

2017-03-01 Thread James DeVincentis via NANOG
Let me add some context to the discussion. I run threat and vulnerability management for a large financial institution. This attack falls under our realm. We’ve had a plan in progress for several years to migrate away from SHA-1. We’ve been carefully watching the progression of the weakening

Re: SHA1 collisions proven possible

2017-03-01 Thread James DeVincentis via NANOG
I like the footnote they attached specifically for SHA1. "[3] Google spent 6500 CPU years and 110 GPU years to convince everyone we need to stop using SHA-1 for security critical applications. Also because it was cool." It’s also not preimage. This isn’t even a FIRST preimage attack. That

Re: SHA1 collisions proven possible

2017-03-01 Thread Matt Palmer
On Thu, Mar 02, 2017 at 03:42:12AM +, Nick Hilliard wrote: > James DeVincentis via NANOG wrote: > > On top of that, the calculations they did were for a stupidly simple > > document modification in a type of document where hiding extraneous > > data is easy. This will get exponentially

Re: SHA1 collisions proven possible

2017-03-01 Thread Nick Hilliard
James DeVincentis via NANOG wrote: > On top of that, the calculations they did were for a stupidly simple > document modification in a type of document where hiding extraneous > data is easy. This will get exponentially computationally more > expensive the more data you want to mask. It took nine

Re: SHA1 collisions proven possible

2017-03-01 Thread James DeVincentis via NANOG
Keep in mind botnets that large are comprised largely of IoT devices which have very little processing power compared to the massive multi-core, high frequency, high memory bandwidth (this is especially important for cryptographic operations) CPUs in data centers. It doesn’t take much

Re: SHA1 collisions proven possible

2017-03-01 Thread valdis . kletnieks
On Wed, 01 Mar 2017 15:28:23 -0600, "james.d--- via NANOG" said: > Those statistics are nowhere near real world for ROI. You'd have to invest > at least 7 figures (USD) in resources. So the return must be millions of > dollars before anyone can detect the attack. Except, it's already >

RE: SHA1 collisions proven possible

2017-03-01 Thread james.d--- via NANOG
easily detectable. -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matt Palmer Sent: Wednesday, March 1, 2017 1:34 PM To: nanog@nanog.org Subject: Re: SHA1 collisions proven possible On Tue, Feb 28, 2017 at 01:16:23PM -0600, James DeVincentis via NANOG wrote: > The

Re: SHA1 collisions proven possible

2017-03-01 Thread Matt Palmer
On Tue, Feb 28, 2017 at 01:16:23PM -0600, James DeVincentis via NANOG wrote: > The CA signing the cert actually changes the fingerprint The what? RFC5280 does not contain the string "finger". > (and serial number, which is what is checked on revocation lists) The CA doesn't "change" the serial

Re: SHA1 collisions proven possible

2017-03-01 Thread James DeVincentis via NANOG
The CA signing the cert actually changes the fingerprint (and serial number, which is what is checked on revocation lists), so this is not a viable scenario. Beyond that, SHA1 signing of certificates has long been deprecated and no new public CAs will sign a CSR and cert with SHA1. > On Feb

Re: SHA1 collisions proven possible

2017-02-27 Thread Chris Adams
Once upon a time, valdis.kletni...@vt.edu said: > There's only 2 certs. You generate 2 certs with the same hash, and *then* get > the CA to sign one of them. The point is that the signed cert you get back from the CA will have a different hash, and the things that they

Re: SHA1 collisions proven possible

2017-02-27 Thread valdis . kletnieks
On Mon, 27 Feb 2017 07:23:43 -0500, Jon Lewis said: > On Sun, 26 Feb 2017, Keith Medcalf wrote: > > > So you would need 6000 years of computer time to compute the collision > > on the SHA1 signature, and how much additional time to compute the > > trapdoor (private) key, in order for the cert to

RE: SHA1 collisions proven possible

2017-02-27 Thread Jon Lewis
On Sun, 26 Feb 2017, Keith Medcalf wrote: So you would need 6000 years of computer time to compute the collision on the SHA1 signature, and how much additional time to compute the trapdoor (private) key, in order for the cert to be of any use? 1) Wasn't the 6000 years estimate from an

Re: SHA1 collisions proven possible

2017-02-27 Thread valdis . kletnieks
On Mon, 27 Feb 2017 01:15:28 -0500, "Patrick W. Gilmore" said: > In the example above, the CA knows the SHA-1 hash of the cert it issued. (We > are assuming there is a CA which still does SHA-1.) How do you get that CA to > believe the two OTHER certs with DIFFERENT hashes you have to create so

Re: SHA1 collisions proven possible

2017-02-27 Thread Randy Bush
> 1. Create a certificate C[ert] for a single domain you control with hash h(c).
> 2. Create a second certificate A[ttack] marked as a certificate
>    authority such that h(C) = h(A).
> 3. Have a certificate authority sign cert C
> 4. Present the signature for A along with A for whatever

Re: SHA1 collisions proven possible

2017-02-26 Thread Matt Palmer
On Mon, Feb 27, 2017 at 01:15:28AM -0500, Patrick W. Gilmore wrote: > On Feb 26, 2017, at 21:16, Matt Palmer wrote: > > Even better: I want a CA cert. I convince a CA to issue me a regular, > > end-entity cert for `example.com` (which I control) in such a way that I can > >

Re: SHA1 collisions proven possible

2017-02-26 Thread Eitan Adler
On 26 February 2017 at 22:15, Patrick W. Gilmore wrote: > Composed on a virtual keyboard, please forgive typos. > > On Feb 26, 2017, at 21:16, Matt Palmer wrote: >>> On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote: On Sun, Feb 26,

Re: SHA1 collisions proven possible

2017-02-26 Thread Patrick W. Gilmore
Composed on a virtual keyboard, please forgive typos. On Feb 26, 2017, at 21:16, Matt Palmer wrote: >> On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote: >>> On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote: >>> I repeat something I've

Re: SHA1 collisions proven possible

2017-02-26 Thread Randy Bush
> Git prefixes blobs with its own data. You're not going to break git with a > SHA-1 binary collision. http://www.metzdowd.com/pipermail/cryptography/2017-February/031623.html

RE: SHA1 collisions proven possible

2017-02-26 Thread Keith Medcalf
On Sunday, 26 February, 2017 19:16 Matt Palmer said: > On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote: > > On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote: > > > I repeat something I've said a couple times in this thread: If I can > >

Re: SHA1 collisions proven possible

2017-02-26 Thread Matt Palmer
On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote: > On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote: > > I repeat something I've said a couple times in this thread: If I can > > somehow create two docs with the same hash, and somehow con someone > > into using

Re: SHA1 collisions proven possible

2017-02-26 Thread Brett Frankenberger
On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote: > > I repeat something I've said a couple times in this thread: If I can > somehow create two docs with the same hash, and somehow con someone > into using one of them, chances are there are bigger problems than a > SHA1 hash

Re: SHA1 collisions proven possible

2017-02-26 Thread Nick Hilliard
Patrick W. Gilmore wrote: > I repeat something I've said a couple times in this thread: If I can > somehow create two docs with the same hash, and somehow con someone > into using one of them, chances are there are bigger problems than a > SHA1 hash collision. This collision turns a theoretical

Re: SHA1 collisions proven possible

2017-02-26 Thread Patrick W. Gilmore
On Feb 25, 2017, at 17:44, Jimmy Hess wrote: >> On Thu, Feb 23, 2017 at 2:03 PM, Patrick W. Gilmore >> wrote: >> >> For instance, someone cannot take Verisign’s root cert and create a cert >> which collides >> on SHA-1. Or at least we do not think they

Re: SHA1 collisions proven possible

2017-02-25 Thread Jimmy Hess
On Thu, Feb 23, 2017 at 2:03 PM, Patrick W. Gilmore wrote: > For instance, someone cannot take Verisign’s root cert and create a cert > which collides > on SHA-1. Or at least we do not think they can. We’ll know in 90 days when > Google releases the code. Maybe. If you

Re: SHA1 collisions proven possible

2017-02-25 Thread valdis . kletnieks
On Sat, 25 Feb 2017 09:26:28 -0800, Richard Hesse said: > Git prefixes blobs with its own data. You're not going to break git with a > SHA-1 binary collision. However, svn is very vulnerable to breaking. And here's the proof-of-concept for svn breakage. Somebody managed to make the WebKit svn

Re: SHA1 collisions proven possible

2017-02-25 Thread Richard Hesse
Git prefixes blobs with its own data. You're not going to break git with a SHA-1 binary collision. However, svn is very vulnerable to breaking. On Thu, Feb 23, 2017 at 3:11 PM, J. Hellenthal wrote: > It's actually pretty serious in Git and the banking markets where there

Re: SHA1 collisions proven possible

2017-02-24 Thread Patrick W. Gilmore
On Feb 24, 2017, at 12:04 PM, Vincent Bernat wrote: > ❦ 23 February 2017 21:16 -0500, "Patrick W. Gilmore" : > >> A couple things will make this slightly less useful for the attacker: >> 1) How many people are not going to keep a copy? Once both docs are

Re: SHA1 collisions proven possible

2017-02-24 Thread Vincent Bernat
❦ 23 February 2017 21:16 -0500, "Patrick W. Gilmore": > A couple things will make this slightly less useful for the attacker: > 1) How many people are not going to keep a copy? Once both docs are > found to have the same hash, well, game over. But if a

Re: SHA1 collisions proven possible

2017-02-24 Thread Vincent Bernat
❦ 23 February 2017 19:28 -0500, Jon Lewis: >>> cost! However this in no way invalidates SHA-1 or documents signed by >>> SHA-1. >> >> We negotiate a contract with terms favorable to you. You sign it (or more >> correctly, sign the SHA-1 hash of the document). >> >> I then

Re: SHA1 collisions proven possible

2017-02-24 Thread Florian Weimer
* valdis kletnieks: > We negotiate a contract with terms favorable to you. You sign it (or more > correctly, sign the SHA-1 hash of the document). > > I then take your signed copy, take out the contract, splice in a different > version with terms favorable to me. Since the hash didn't change,

Re: SHA1 collisions proven possible

2017-02-24 Thread Tei
On 23 February 2017 at 20:59, Ca By wrote: > On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder > wrote: > > > Coworker passed this on to me. > > > > Looks like SHA1 hash collisions are now achievable in a reasonable time > > period > >

RE: SHA1 collisions proven possible

2017-02-23 Thread David Edelman
On Thu, 23 Feb 2017 21:10:42 -0500, "Ricky Beam" said: > When you can do that in the timespan of weeks or days, get back to me. > Today, it takes years to calculate a collision, and you have to start > with a document spe

Re: SHA1 collisions proven possible

2017-02-23 Thread Lyndon Nerenberg
> On Feb 23, 2017, at 6:10 PM, Ricky Beam wrote: > > When you can do that in the timespan of weeks or days, get back to me. Stop thinking in the context of bits of fake news on your phone. Start thinking in the context of trans-national agreements that will soon be signed

Re: SHA1 collisions proven possible

2017-02-23 Thread valdis . kletnieks
On Thu, 23 Feb 2017 21:10:42 -0500, "Ricky Beam" said: > When you can do that in the timespan of weeks or days, get back to me. > Today, it takes years to calculate a collision, and you have to start with > a document specifically engineered to be modified. (such documents are > easily spotted

Re: SHA1 collisions proven possible

2017-02-23 Thread Patrick W. Gilmore
On Feb 23, 2017, at 9:08 PM, valdis.kletni...@vt.edu wrote: > On Thu, 23 Feb 2017 20:56:28 -0500, "Patrick W. Gilmore" said: > >> According to the blog post, you can create two documents which have the same >> hash, but you do not know what that hash is until the algorithm finishes. You >> cannot

Re: SHA1 collisions proven possible

2017-02-23 Thread Ricky Beam
On Thu, 23 Feb 2017 18:21:19 -0500, wrote: We negotiate a contract with terms favorable to you. You sign it (or more correctly, sign the SHA-1 hash of the document). ... When you can do that in the timespan of weeks or days, get back to me. Today, it takes years

Re: SHA1 collisions proven possible

2017-02-23 Thread valdis . kletnieks
On Thu, 23 Feb 2017 20:56:28 -0500, "Patrick W. Gilmore" said: > According to the blog post, you can create two documents which have the same > hash, but you do not know what that hash is until the algorithm finishes. You > cannot create a document which matches a pre-existing hash, i.e. the one

Re: SHA1 collisions proven possible

2017-02-23 Thread Patrick W. Gilmore
On Feb 23, 2017, at 6:21 PM, valdis.kletni...@vt.edu wrote: > On Thu, 23 Feb 2017 17:40:42 -0500, "Ricky Beam" said: > >> cost! However this in no way invalidates SHA-1 or documents signed by >> SHA-1. > > We negotiate a contract with terms favorable to you. You sign it (or more > correctly,

Re: SHA1 collisions proven possible

2017-02-23 Thread valdis . kletnieks
On Thu, 23 Feb 2017 19:28:44 -0500, Jon Lewis said: > Doing it with an ASCII document, source code, or even something like a > Word document (containing only text and formatting), and having it not be > obvious upon inspection of the documents that the "imposter" document > contains some

Re: SHA1 collisions proven possible

2017-02-23 Thread Jon Lewis
On Thu, 23 Feb 2017, valdis.kletni...@vt.edu wrote: On Thu, 23 Feb 2017 17:40:42 -0500, "Ricky Beam" said: cost! However this in no way invalidates SHA-1 or documents signed by SHA-1. We negotiate a contract with terms favorable to you. You sign it (or more correctly, sign the SHA-1 hash

Re: SHA1 collisions proven possible

2017-02-23 Thread Royce Williams
We just need to keep the likely timeline in mind. As I saw someone say on Twitter today ... "don't panic, just deprecate". Valerie Aurora's hash-lifecycle table is very informative (emphasis mine): http://valerieaurora.org/hash.html Reactions to stages in the life cycle of cryptographic hash

Re: SHA1 collisions proven possible

2017-02-23 Thread valdis . kletnieks
On Thu, 23 Feb 2017 17:40:42 -0500, "Ricky Beam" said: > cost! However this in no way invalidates SHA-1 or documents signed by > SHA-1. We negotiate a contract with terms favorable to you. You sign it (or more correctly, sign the SHA-1 hash of the document). I then take your signed copy, take

Re: SHA1 collisions proven possible

2017-02-23 Thread J. Hellenthal
It's actually pretty serious in Git and the banking markets where there is high usage of sha1. Considering the wide adoption of Git, this is a pretty serious issue that will only become worse ten-fold over the years. Visible abuse will not be near as widely seen as the initial shattering but

Re: SHA1 collisions proven possible

2017-02-23 Thread Ricky Beam
On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore wrote: More seriously: The attack (or at least as much as we can glean from the blog post) cannot find a collision (file with same hash) from an arbitrary file. The attack creates two files which have the same hash,

Re: SHA1 collisions proven possible

2017-02-23 Thread valdis . kletnieks
On Thu, 23 Feb 2017 15:03:34 -0500, "Patrick W. Gilmore" said: > For instance, someone cannot take Verisign’s root cert and create a cert > which collides on SHA-1. Or at least we do not think they can. We’ll know > in 90 > days when Google releases the code. From the announce: "It is now

Re: SHA1 collisions proven possible

2017-02-23 Thread Patrick W. Gilmore
On Feb 23, 2017, at 2:59 PM, Ca By wrote: > On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder wrote: > >> Coworker passed this on to me. >> >> Looks like SHA1 hash collisions are now achievable in a reasonable time >> period >> https://shattered.io/ >>

Re: SHA1 collisions proven possible

2017-02-23 Thread Ca By
On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder wrote: > Coworker passed this on to me. > > Looks like SHA1 hash collisions are now achievable in a reasonable time > period > https://shattered.io/ > > -Grant Good thing we "secure" our routing protocols with MD5 :) >

SHA1 collisions proven possible

2017-02-23 Thread Grant Ridder
Coworker passed this on to me. Looks like SHA1 hash collisions are now achievable in a reasonable time period https://shattered.io/ -Grant