On Wed, 01 Mar 2017 22:57:06 -0600, James DeVincentis via NANOG said:
> - Google created a weak example. The difference in the document they
> generated was a background color. They didn't even go a full RGBA
> difference.
> They went from Red to Blue. That's a difference of 4 bytes (R and B
On Wed, Mar 1, 2017 at 10:57 PM, James DeVincentis via NANOG
wrote:
> Let me add some context to the discussion.
> With specific regard to SSL certificates: "Are TLS/SSL certificates at risk?
> Any Certification
> Authority abiding by the CA/Browser Forum regulations is not
On 3/1/2017 10:50 PM, James DeVincentis via NANOG wrote:
Realistically any hash function *will* have collisions when two items are
specifically crafted to collide after expending insane amounts of computing
power, money, and… I wonder how much in power they burned for this little stunt.
Easy
On Wed, Mar 1, 2017 at 7:57 PM, James DeVincentis via NANOG
wrote:
[ reasonable analysis snipped :) ]
> With all of these reasons wrapped up, it clearly shows the level of hype
> around this attack is the result of sensationalist articles and clickbait
> titles.
I have
Let me add some context to the discussion.
I run threat and vulnerability management for a large financial institution.
This attack falls under our realm. We’ve had a plan in progress for several
years to migrate away from SHA-1. We’ve been carefully watching the progression
of the weakening
I like the footnote they attached specifically for SHA1.
"[3] Google spent 6500 CPU years and 110 GPU years to convince everyone we need
to stop using SHA-1 for security critical applications. Also because it was
cool."
It’s also not preimage. This isn’t even a FIRST preimage attack. That
On Thu, Mar 02, 2017 at 03:42:12AM +, Nick Hilliard wrote:
> James DeVincentis via NANOG wrote:
> > On top of that, the calculations they did were for a stupidly simple
> > document modification in a type of document where hiding extraneous
> > data is easy. This will get exponentially
James DeVincentis via NANOG wrote:
> On top of that, the calculations they did were for a stupidly simple
> document modification in a type of document where hiding extraneous
> data is easy. This will get exponentially computationally more
> expensive the more data you want to mask. It took nine
Keep in mind botnets that large are comprised largely of IoT devices which have
very little processing power compared to the massive multi-core, high
frequency, high memory bandwidth (this is especially important for
cryptographic operations) CPUs in data centers. It doesn’t take much
On Wed, 01 Mar 2017 15:28:23 -0600, "james.d--- via NANOG" said:
> Those statistics are nowhere near real world for ROI. You'd have to invest
> at least 7 figures (USD) in resources. So the return must be millions of
> dollars before anyone can detect the attack. Except, it's already
>
easily detectable.
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matt Palmer
Sent: Wednesday, March 1, 2017 1:34 PM
To: nanog@nanog.org
Subject: Re: SHA1 collisions proven possisble
On Tue, Feb 28, 2017 at 01:16:23PM -0600, James DeVincentis via NANOG wrote:
> The
On Tue, Feb 28, 2017 at 01:16:23PM -0600, James DeVincentis via NANOG wrote:
> The CA signing the cert actually changes the fingerprint
The what? RFC5280 does not contain the string "finger".
> (and serial number, which is what is checked on revocation lists)
The CA doesn't "change" the serial
The CA signing the cert actually changes the fingerprint (and serial number,
which is what is checked on revocation lists), so this is not a viable
scenario. Beyond that, SHA1 signing of certificates has long been deprecated
and no new public CAs will sign a CSR and cert with SHA1.
> On Feb
Once upon a time, valdis.kletni...@vt.edu said:
> There's only 2 certs. You generate 2 certs with the same hash, and *then* get
> the CA to sign one of them.
The point is that the signed cert you get back from the CA will have a
different hash, and the things that they
On Mon, 27 Feb 2017 07:23:43 -0500, Jon Lewis said:
> On Sun, 26 Feb 2017, Keith Medcalf wrote:
>
> > So you would need 6000 years of computer time to compute the collision
> > on the SHA1 signature, and how much additional time to compute the
> > trapdoor (private) key, in order for the cert to
On Sun, 26 Feb 2017, Keith Medcalf wrote:
So you would need 6000 years of computer time to compute the collision
on the SHA1 signature, and how much additional time to compute the
trapdoor (private) key, in order for the cert to be of any use?
1) Wasn't the 6000 years estimate from an
On Mon, 27 Feb 2017 01:15:28 -0500, "Patrick W. Gilmore" said:
> In the example above, the CA knows the SHA-1 hash of the cert it issued. (We
> are assuming there is a CA which still does SHA-1.) How do you get that CA to
> believe the two OTHER certs with DIFFERENT hashes you have to create so
> 1. Create a certificate C[ert] for a single domain you control with hash h(c).
> 2. Create a second certificate A[ttack] marked as a certificate
> authority such that h(C) = h(A).
> 3. Have a certificate authority sign cert C
> 4. Present the signature for A along with A for whatever
On Mon, Feb 27, 2017 at 01:15:28AM -0500, Patrick W. Gilmore wrote:
> On Feb 26, 2017, at 21:16, Matt Palmer wrote:
> > Even better: I want a CA cert. I convince a CA to issue me a regular,
> > end-entity cert for `example.com` (which I control) in such a way that I can
> >
On 26 February 2017 at 22:15, Patrick W. Gilmore wrote:
> Composed on a virtual keyboard, please forgive typos.
>
> On Feb 26, 2017, at 21:16, Matt Palmer wrote:
>>> On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
On Sun, Feb 26,
Composed on a virtual keyboard, please forgive typos.
On Feb 26, 2017, at 21:16, Matt Palmer wrote:
>> On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
>>> On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
>>> I repeat something I've
> Git prefixes blobs with its own data. You're not going to break git with a
> SHA-1 binary collision.
http://www.metzdowd.com/pipermail/cryptography/2017-February/031623.html
On Sunday, 26 February, 2017 19:16 Matt Palmer said:
> On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
> > On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
> > > I repeat something I've said a couple times in this thread: If I can
> >
On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
> On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
> > I repeat something I've said a couple times in this thread: If I can
> > somehow create two docs with the same hash, and somehow con someone
> > into using
On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
>
> I repeat something I've said a couple times in this thread: If I can
> somehow create two docs with the same hash, and somehow con someone
> into using one of them, chances are there are bigger problems than a
> SHA1 hash
Patrick W. Gilmore wrote:
> I repeat something I've said a couple times in this thread: If I can
> somehow create two docs with the same hash, and somehow con someone
> into using one of them, chances are there are bigger problems than a
> SHA1 hash collision.
This collision turns a theoretical
On Feb 25, 2017, at 17:44, Jimmy Hess wrote:
>> On Thu, Feb 23, 2017 at 2:03 PM, Patrick W. Gilmore
>> wrote:
>>
>> For instance, someone cannot take Verisign’s root cert and create a cert
>> which collides
>> on SHA-1. Or at least we do not think they
On Thu, Feb 23, 2017 at 2:03 PM, Patrick W. Gilmore wrote:
> For instance, someone cannot take Verisign’s root cert and create a cert
> which collides
> on SHA-1. Or at least we do not think they can. We’ll know in 90 days when
> Google releases the code.
Maybe. If you
On Sat, 25 Feb 2017 09:26:28 -0800, Richard Hesse said:
> Git prefixes blobs with its own data. You're not going to break git with a
> SHA-1 binary collision. However, svn is very vulnerable to breaking.
And here's the proof-of-concept for svn breakage. Somebody managed to
make the WebKit svn
Git prefixes blobs with its own data. You're not going to break git with a
SHA-1 binary collision. However, svn is very vulnerable to breaking.
On Thu, Feb 23, 2017 at 3:11 PM, J. Hellenthal
wrote:
> It's actually pretty serious in Git and the banking markets where there
On Feb 24, 2017, at 12:04 PM, Vincent Bernat wrote:
> ❦ 23 February 2017 21:16 -0500, "Patrick W. Gilmore" :
>
>> A couple things will make this slightly less useful for the attacker:
>> 1) How many people are not going to keep a copy? Once both docs are
❦ 23 February 2017 21:16 -0500, "Patrick W. Gilmore" :
> A couple things will make this slightly less useful for the attacker:
> 1) How many people are not going to keep a copy? Once both docs are be
> found to have the same hash, well, game over.
But if a
❦ 23 February 2017 19:28 -0500, Jon Lewis :
>>> cost! However this in no way invalidates SHA-1 or documents signed by
>>> SHA-1.
>>
>> We negotiate a contract with terms favorable to you. You sign it (or more
>> correctly, sign the SHA-1 hash of the document).
>>
>> I then
* valdis kletnieks:
> We negotiate a contract with terms favorable to you. You sign it (or more
> correctly, sign the SHA-1 hash of the document).
>
> I then take your signed copy, take out the contract, splice in a different
> version with terms favorable to me. Since the hash didn't change,
On 23 February 2017 at 20:59, Ca By wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder
> wrote:
>
> > Coworker passed this on to me.
> >
> > Looks like SHA1 hash collisions are now achievable in a reasonable time
> > period
> >
On Thu, 23 Feb 2017 21:10:42 -0500, "Ricky Beam" said:
> When you can do that in the timespan of weeks or days, get back to me.
> Today, it takes years to calculate a collision, and you have to start
> with a document spe
> On Feb 23, 2017, at 6:10 PM, Ricky Beam wrote:
>
> When you can do that in the timespan of weeks or days, get back to me.
Stop thinking in the context of bits of fake news on your phone. Start
thinking in the context of trans-national agreements that will soon be signed
On Thu, 23 Feb 2017 21:10:42 -0500, "Ricky Beam" said:
> When you can do that in the timespan of weeks or days, get back to me.
> Today, it takes years to calculate a collision, and you have to start with
> a document specifically engineered to be modified. (such documents are
> easily spotted
On Feb 23, 2017, at 9:08 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 23 Feb 2017 20:56:28 -0500, "Patrick W. Gilmore" said:
>
>> According to the blog post, you can create two documents which have the same
>> hash, but you do not know what that hash is until the algorithm finishes. You
>> cannot
On Thu, 23 Feb 2017 18:21:19 -0500, wrote:
We negotiate a contract with terms favorable to you. You sign it (or
more correctly, sign the SHA-1 hash of the document).
...
When you can do that in the timespan of weeks or days, get back to me.
Today, it takes years
On Thu, 23 Feb 2017 20:56:28 -0500, "Patrick W. Gilmore" said:
> According to the blog post, you can create two documents which have the same
> hash, but you do not know what that hash is until the algorithm finishes. You
> cannot create a document which matches a pre-existing hash, i.e. the one
On Feb 23, 2017, at 6:21 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 23 Feb 2017 17:40:42 -0500, "Ricky Beam" said:
>
>> cost! However this in no way invalidates SHA-1 or documents signed by
>> SHA-1.
>
> We negotiate a contract with terms favorable to you. You sign it (or more
> correctly,
On Thu, 23 Feb 2017 19:28:44 -0500, Jon Lewis said:
> Doing it with an ASCII document, source code, or even something like a
> Word document (containing only text and formatting), and having it not be
> obvious upon inspection of the documents that the "imposter" document
> contains some
On Thu, 23 Feb 2017, valdis.kletni...@vt.edu wrote:
On Thu, 23 Feb 2017 17:40:42 -0500, "Ricky Beam" said:
cost! However this in no way invalidates SHA-1 or documents signed by
SHA-1.
We negotiate a contract with terms favorable to you. You sign it (or more
correctly, sign the SHA-1 hash
We just need to keep the likely timeline in mind.
As I saw someone say on Twitter today ... "don't panic, just deprecate".
Valerie Aurora's hash-lifecycle table is very informative (emphasis mine):
http://valerieaurora.org/hash.html
Reactions to stages in the life cycle of cryptographic hash
On Thu, 23 Feb 2017 17:40:42 -0500, "Ricky Beam" said:
> cost! However this in no way invalidates SHA-1 or documents signed by
> SHA-1.
We negotiate a contract with terms favorable to you. You sign it (or more
correctly, sign the SHA-1 hash of the document).
I then take your signed copy, take
It's actually pretty serious in Git and the banking markets where there is high
usage of sha1. Considering the wide adoption of Git, this is a pretty serious
issue that will only become worse ten-fold over the years. Visible abuse will
not be near as widely seen as the initial shattering but
On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore
wrote:
More seriously: The attack (or at least as much as we can glean from the
blog post) cannot find a collision (file with same hash) from an
arbitrary file. The attack creates two files which have the same hash,
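Worked illustration, added here and not taken from any post in this thread or from the SHAttered authors, of three points the thread keeps circling: Patrick Gilmore's distinction between a collision (attacker builds both documents) and a preimage (attacker must match an existing hash), Valdis Kletnieks' contract example (a signature is computed over the digest, so it carries over to any document with the same digest), and Richard Hesse's point that git hashes its own header in front of the file bytes. Everything is an assumption for the demonstration: the hash is a toy Merkle-Damgard construction with a 32-bit chaining state so the searches finish in seconds (SHA-1 has the same structure at 160 bits; the published collision cost 2^63 SHA-1 computations, a generic birthday attack would be 2^80 and a brute-force preimage 2^160), the "signature" is a keyed MAC over the digest standing in for RSA or ECDSA, which likewise see only the digest, and the prefix, documents and counters are constructed sample inputs. The `blob <size>\0` header is git's real object framing.

```python
import hashlib
import hmac
import os

# Toy Merkle-Damgard hash (assumption: NOT SHA-1, only the same construction):
# 32-bit chaining state, 8-byte blocks, compression = SHA-1(state || block)
# truncated to the state size. Collisions cost ~2^16 trials, preimages ~2^32.
STATE_BYTES = 4
BLOCK = 8
IV = b"\x00" * STATE_BYTES


def compress(state: bytes, block: bytes) -> bytes:
    return hashlib.sha1(state + block).digest()[:STATE_BYTES]


def absorb(state: bytes, data: bytes) -> bytes:
    """Chain over block-aligned data with no padding (the internal state)."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def pad(data: bytes) -> bytes:
    """SHA-1 style padding: 0x80, zeros, then the message length in bits."""
    padded = data + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + (8 * len(data)).to_bytes(8, "big")


def toy_md(data: bytes) -> bytes:
    return absorb(IV, pad(data))


def find_collision(prefix: bytes):
    """Identical-prefix birthday search: two messages prefix||ctr_a and
    prefix||ctr_b reaching the same chaining state, hence the same digest,
    and the same digest again under any common suffix. ~2^(bits/2) trials."""
    start = absorb(IV, prefix)          # chaining value after the shared prefix
    seen = {}
    ctr = 0
    while True:
        block = ctr.to_bytes(BLOCK, "big")
        state = compress(start, block)
        if state in seen:
            return prefix + seen[state], prefix + block
        seen[state] = block
        ctr += 1


def second_preimage(target: bytes, limit: int):
    """Try to hit a FIXED digest (what an attacker needs against a document
    that already exists). ~2^bits trials expected; None when giving up."""
    for ctr in range(limit):
        candidate = b"preimage" + ctr.to_bytes(BLOCK, "big")
        if toy_md(candidate) == target:
            return candidate
    return None


# A keyed MAC over the digest stands in for an RSA/ECDSA signature (assumption):
# like those, the signer only ever sees the digest, never the document.
SIGNING_KEY = os.urandom(32)


def sign(document: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, toy_md(document), "sha256").digest()


def verify(document: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(document), signature)


def git_blob_id(data: bytes) -> bytes:
    """Git's framing: the object header is hashed before the file bytes."""
    return toy_md(b"blob %d\x00" % len(data) + data)


def demo():
    a, b = find_collision(b"contract")             # 8-byte shared prefix, block-aligned
    tail = b"\n...terms of the agreement, identical in both copies...\n"
    doc_for_you, doc_for_me = a + tail, b + tail   # constructed sample documents
    sig = sign(doc_for_you)                        # you sign your copy only
    return {
        "collide": toy_md(a) == toy_md(b),
        "suffix_collides": toy_md(doc_for_you) == toy_md(doc_for_me),
        "signature_transfers": verify(doc_for_me, sig),
        "git_collides": git_blob_id(a) == git_blob_id(b),
        "preimage_found": second_preimage(toy_md(doc_for_you), 1 << 16) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it gives `collide`, `suffix_collides` and `signature_transfers` as True: once two equal-length blocks reach the same chaining state, any shared tail keeps them colliding, which is why the visible difference can be steered by the colliding blocks while the bulk of the document is identical, and the signature over one copy verifies the other. `git_collides` is False, because git hashes `blob <size>\0` first, so the chaining value in front of the colliding blocks is no longer the one the search started from; an attacker going after git has to run the search from that chaining value instead. `preimage_found` is expected to be False: 2^16 trials against a 2^32 space, the same 2^(n/2) versus 2^n gap that separates the SHAttered collision from forging a match for an already-signed document.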
On Thu, 23 Feb 2017 15:03:34 -0500, "Patrick W. Gilmore" said:
> For instance, someone cannot take Verisign's root cert and create a cert
> which collides on SHA-1. Or at least we do not think they can. We'll know
> in 90 days when Google releases the code.
From the announce:
"It is now
On Feb 23, 2017, at 2:59 PM, Ca By wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder wrote:
>
>> Coworker passed this on to me.
>>
>> Looks like SHA1 hash collisions are now achievable in a reasonable time
>> period
>> https://shattered.io/
>>
On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder
wrote:
> Coworker passed this on to me.
>
> Looks like SHA1 hash collisions are now achievable in a reasonable time
> period
> https://shattered.io/
>
> -Grant
Good thing we "secure" our routing protocols with MD5
:)
>
Coworker passed this on to me.
Looks like SHA1 hash collisions are now achievable in a reasonable time
period
https://shattered.io/
-Grant
52 matches