Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Encryption Privacy

Academics Improve SHA-1 Collision Attack, Make It Actually Dangerous (zdnet.com) 69

An anonymous reader writes: "Attacks on the SHA-1 hashing algorithm just got a lot more dangerous last week with the discovery of the first-ever 'chosen-prefix collision attack,' a more practical version of the SHA-1 collision attack first carried out by Google two years ago," reports ZDNet. Google's original research allowed attackers to force duplicates for specific files, but this process was often at random. A new SHA-1 collision attack variation (a chosen-prefix attack) detailed last week allows attackers to choose what SHA-1-signed files or data streams they want to forge on demand, making SHA-1 an attack that is now practical in the real world, albeit at a price tag of $100,000 per collision.
This discussion has been archived. No new comments can be posted.

Academics Improve SHA-1 Collision Attack, Make It Actually Dangerous

Comments Filter:
  • by Anonymous Coward

    They always seem to be up to nefarious machinations.

  • by Hizonner ( 38491 ) on Monday May 13, 2019 @10:22PM (#58587788)

    People are going to be obsessing over TLS and dedicated crypto format problems that are already mostly fixed, but the real problem is that Git uses SHA-1 for everything, not just signatures but any kind of unique commit identification. You can't just recompute all those hashes, and if there's a migration plan it can't be very far along. And a Git commit is a long-lived object, so you have plenty of time to find your collision.

    Like the software supply chain wasn't already enough of a problem...

    • by Anonymous Coward

      https://github.com/git/git/blob/master/Documentation/technical/hash-function-transition.txt

    • by hankwang ( 413283 ) on Tuesday May 14, 2019 @12:38AM (#58588140) Homepage

      Linus Torvalds didn't see it as a big problem in the previous collision demonstration. Summary here: https://www.theregister.co.uk/... [theregister.co.uk] (it links to the mailing list).

      Just producing a collision with an existing git object is not enough. It also needs to have valid git headers and be compileable. And if you succeed in that, git, during a fetch/pull, will not overwrite a commit that already exists with the same hash. The attacker would need to corrupt all cloned repositories as well.

      • P.S. I misremembered what I read in the mailing list discussion. Here is a discussion on Git's behavior. I think (not sure) that later Git versions were hardened.

        https://stackoverflow.com/ques... [stackoverflow.com]

      • by Hizonner ( 38491 )

        Just producing a collision with an existing git object is not enough. It also needs to have valid git headers and be compileable.

        People usually think stuff like that will be hard to do. It's usually not actually hard in practice.

        And if you succeed in that, git, during a fetch/pull, will not overwrite a commit that already exists with the same hash.

        And what if you clone my already corrupted repo, and rely on checking out a specific hash? What if you trust a signature that's on a commit in the repo you got fr

      • by sjames ( 1099 )

        It also needs to have valid git headers and be compileable.

        That was a good reason why the previous weakening wasn't an immediate problem. It could produce 2 files with the same hash, but it couldn't modify a given file to have an arbitrary hash. The colliding file was highly unlikely to resemble source code.

        This is MUCH closer to an attack where you modify the source as desired, and stick an arbitrary comment in at the bottom that makes the SHA1 come out the same as the original version. Of course, the compiler doesn't care what is in the comment.

    • most of the problems are with Certificate authorities

      who signs the software and connections that you run on 90% of the worlds machines ?

      people who depend on CA's and think TLS 1.3 is going to save them... look to your jurisdiction, the law is going to catch up...

       

      • by Hizonner ( 38491 )

        Public CAs switched to SHA256 a long time ago. There are almost no SHA-1 certs in the wild any more. That's what I mean whn

    • I'm Marc Stevens, realhashbreaker. Git is actually safe from this chosen-prefix collision attack on SHA-1 as explained on the github blog: https://github.blog/2017-03-20... [github.blog]
      Git is in a transition to a more secure hash function (sha-2-256), but for now it has replaced plain SHA-1 by a hardened SHA-1 using the sha1collisiondetection library (https://github.com/cr-marcstevens/sha1collisiondetection).
      Our hardened SHA-1 (https://github.com/cr-marcstevens/sha1collisiondetection) directly protects against all S
  • BitTorrent uses SHA-1 to validate the integrity of each chunk of downloaded data.

    If finding chosen SHA-1 collisions becomes cheap, then it becomes possible for a malicious peer to inject malware into data it uploads, while still having it be recognised by downloader as valid according to the .torrent file. We're still a long way from there, but that's the risk.

  • by realhashbreaker ( 5976824 ) on Tuesday May 14, 2019 @04:56AM (#58588620)
    I'm Marc Stevens, realhashbreaker, one of the lead researchers that introduced the first chosen-prefix collision attack for MD5 as well as for SHA-1, and found the first practical SHA-1 collision. Here's my take:

    1. Our SHAttered research (CRYPTO2017) demonstrated the first, and still only, SHA-1 collision. It is directly based on my 2^61-cost attack in EUROCRYPT2013. Besides other improvements SHAttered used GPUs at higher cost (2^64.7) but at much greater effectivity, making it practical.

    2. This research is only an improvement for a more difficult and costlier collision attack for 'chosen-prefix collisions'. The first chosen-prefix collision attack on SHA-1, see my EUROCRYPT2013 paper, costs 2^77 SHA-1 calls which they improve to 2^66.9 SHA-1 calls in theory, it has not been executed yet.

    3. This new research paper directly recycles almost the entire SHAttered collision attack, except, as is usual, it modifies the first and last few steps to turn the 'identical-prefix collision' into a 'chosen-prefix collison' and uses an improved strategy for the sequence of 'near-collision attacks'.

    4. Using similar analysis in previous papers on the cost of SHA-1 collision attacks, their attack would cost 2^2.2 more than SHAttered, so 2^2.2 x $110K = about $500K.

    5. Their claim of less than $100K is based on as-of-yet undisclosed improvements, and has not stand up to peer review yet. I am very sceptical that they can claim a cost lower than the SHAttered attack on which they rely on (see below). Historically, there have been quite a few erroneous claims of new low complexities to break SHA-1, and these have not stand up to academic peer-review.

    • by ledow ( 319597 )

      Doesn't matter.

      All of that is academic. SHA-1 is broken, and getting more broken, that's all we need to know. As soon as it costs $numbered_amount to break a hash, it's useless and needs to be retired. Quite what that amount is is really just trivia - that cost will drop dramatically on optimisation, dramatically over time, and can be subsumed by anyone with an interest in breaking the hash with sufficient amount of equipment already (though it might "cost" $500k to break the hash, if you have a $1bn wor

    • Your putting dollar values on breaking ability is hilarious and pointless.

      A low end IBM 1620 cost $700,000 in today's money, but a $5 SOC has way more memory and power

      • It is actually not pointless: by comparing these costs we can evaluate whether there is an improved attack.
        What I'm saying here is that we already showed a $110k sha1 attack in 2015, and that this claim of $100k is actually not substantiated. Moreover, their current attack directly recycles the $110k and does *more* work, so in any metric it should always cost more than our attack.
        Lastly, there is your point of cost effectiveness. This we already showed is optimized using GPUs. GPUs provide the most com
        • the prices of compute power in the cloud vary hugely by market forces.

          your $110K of GPU, whatever the hell that means, will be my cell phone soon enough

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...