Google Announces First Practical SHA1 Collision


  • #31
    Originally posted by AndyChow View Post

    You have either not read, or not understood, that paper.
    So exactly what does the linked paper say about cascading hashes? That it's exactly how I explained:
    A natural construction to build large hash values is to concatenate several smaller hashes. For example, given two hash functions F and G, it seems reasonable given a message M to form the large hash value (F(M)||G(M)). In this construction, F and G can either be two completely different hash functions or two slightly different instances of the same hash function. If F and G are good iterated hash functions with no attack better than the generic birthday paradox attack, we claim that the hash function F||G obtained by concatenating F and G is not really more secure than F or G by itself. Moreover this result applies both to collision resistance, preimage resistance and second preimage resistance.
    And to make matters worse, here neither MD5 nor SHA1 even fulfils the requirements of this text, since there exist better attacks against both than the generic birthday paradox, not to mention that even a generic birthday attack on MD5 is trivial.

    So having both a MD5 and a SHA1 hash does not make it any stronger than having only the SHA1 hash. Exactly why this is would take up far too much space here and I must therefore refer you to the linked paper.

    Comment
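The claim quoted above, as an added example that is not from the thread or from the paper it quotes: two toy 16-bit iterated hashes F and G (SHA-256 truncated to 16 bits, a constructed stand-in for real hash functions) are attacked with the multicollision construction behind the paper's argument. Finding 2^k messages that all share one F value costs only k block-collision searches, and a plain birthday search over those messages then finds two that also collide under G, so the 32-bit value F(M)||G(M) collides at far below the ~2^16 evaluations a generic birthday attack on a 32-bit hash would need. The names compress, iterated_hash, block_collision, joux_multicollision and concat_collision are the example's own.

```python
import hashlib
from itertools import count

BLOCK_BYTES = 4      # toy message block size (constructed)
STATE_BYTES = 2      # 16-bit chaining value, so each toy hash is 16 bits wide
COMPRESS_CALLS = 0   # work counter, to compare against the generic birthday attack


def compress(state: int, block: bytes, label: bytes) -> int:
    """Toy compression function: SHA-256 truncated to 16 bits (constructed for the demo)."""
    global COMPRESS_CALLS
    COMPRESS_CALLS += 1
    digest = hashlib.sha256(label + state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(digest[:STATE_BYTES], "big")


def iterated_hash(msg: bytes, label: bytes) -> int:
    """Merkle-Damgard iteration without padding; len(msg) must be a multiple of BLOCK_BYTES."""
    assert len(msg) % BLOCK_BYTES == 0
    state = 0
    for i in range(0, len(msg), BLOCK_BYTES):
        state = compress(state, msg[i:i + BLOCK_BYTES], label)
    return state


def F(msg: bytes) -> int:
    return iterated_hash(msg, b"F")


def G(msg: bytes) -> int:
    return iterated_hash(msg, b"G")


def block_collision(state: int, label: bytes):
    """Birthday search: two distinct blocks with the same compress output from `state`.

    Returns (block1, block2, next_state); ~2^8 tries for a 16-bit state.
    """
    seen = {}
    for n in count():
        block = n.to_bytes(BLOCK_BYTES, "big")
        out = compress(state, block, label)
        if out in seen:
            return seen[out], block, out
        seen[out] = block


def joux_multicollision(k: int, label: bytes):
    """k successive block collisions: picking one block per position gives 2^k
    distinct messages that all hash to the same value under the labelled hash."""
    state, pairs = 0, []
    for _ in range(k):
        b1, b2, state = block_collision(state, label)
        pairs.append((b1, b2))
    return pairs, state


def concat_collision(k_start: int = 10, k_max: int = 16):
    """Find M1 != M2 with F(M1) == F(M2) and G(M1) == G(M2), i.e. a collision of F||G.

    Every message built from the F multicollision already collides under F, so only
    a birthday search over G remains; 2^10 candidates is usually plenty for 16-bit G,
    and k grows if the search happens to come up empty.
    """
    for k in range(k_start, k_max + 1):
        pairs, _ = joux_multicollision(k, b"F")
        seen = {}
        for choice in range(2 ** k):
            msg = b"".join(pairs[i][(choice >> i) & 1] for i in range(k))
            g = G(msg)
            if g in seen:
                return seen[g], msg, k
            seen[g] = msg
    return None


if __name__ == "__main__":
    m1, m2, k = concat_collision()
    print(f"k={k} blocks: F {F(m1):04x}=={F(m2):04x}, G {G(m1):04x}=={G(m2):04x}")
    print("compress calls:", COMPRESS_CALLS, "(a generic 32-bit birthday attack needs ~2^16 F||G evaluations)")
```

The same construction scales: for real-size F and G the multicollision step costs k times a single collision on F, and the birthday step on G costs what a collision on G alone costs, which is why concatenating two hashes buys roughly the strength of the stronger one rather than of their combined width.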


    • #32
      Originally posted by bug77 View Post

      The point is theoretical vulnerabilities have been known for a while. That article is 6 years old and only what I googled quickly while at work.
      That article wasn't about theoretical vulnerabilities. It was about the seemingly inevitable decrease in the cost of computing. This is a normal type of analysis of crypto designs. If it takes X amount of processing to reasonably defeat a system, how long until a government can afford that? How long until organized crime? How long until a university? How long until someone who's bored and wants to play with AWS? That analysis of SHA1 hasn't changed and is still valid. How recent that analysis was done doesn't matter as the rate of computing cost per time is pretty constant. What that type of analysis leaves out is the possibility that *some other kind of attack* can defeat the system more readily than was known at the time of the analysis. That is what has happened here. This is a new *class* of attack on SHA1. An unexpected one. Of course, they're always unexpected until they happen.

      Comment


      • #33
        Does anybody know if there is any plan for git to switch to a better hash?

        Originally posted by AndyChow View Post
        Still not really an issue. We typically use more than one type of checksum. Even if MD5 and SHA1 are falsifiable individually, they still aren't collidable together. So pass the SHA1, fails the MD5, doesn't help. Most times there are 3 different checksums done.

        And in that context, MD5 is still very useful. If it fails MD5, discard and move on. If it passes, then SHA1, SHA256, SHA512, then you know your file hasn't been tampered. Assuming the signature hasn't been compromised, which is more likely than trying to compromise the file by buffering it with some pixie magic that makes it collide.
        Do we? I am not aware of any protocol that allows signing more than one hash at once. Maybe openpgp allows it but even if it does, nobody uses that ability.
        In fact, an attacker could simply strip the signatures with the secure hashes and keep only the md5 hash, the message would probably be accepted as valid then.
        Last edited by float; 24 February 2017, 12:26 AM.

        Comment
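The stripping scenario described above, as an added example not taken from the thread: a constructed digest manifest lists md5, sha1 and sha256 lines for a file, a copy of it has every line but the md5 one removed, and two verification policies are run against both. The "accept if any listed digest matches" policy passes the stripped manifest, while the hardened policy refuses any manifest that lacks the digest the verifier is configured to require and checks every line that is present. The manifest format, the file contents and the names verify_any, verify_required and downgraded_manifest are this example's own assumptions.

```python
import hashlib
import hmac

# Constructed sample file and the algorithms a publisher is assumed to list for it.
FILE = b"release-1.0.tar.gz contents (constructed sample)\n"
ALGS = ("md5", "sha1", "sha256")
NAME = "release-1.0.tar.gz"


def make_manifest(name: str, data: bytes, algs=ALGS) -> str:
    """One '<alg> <hexdigest> <name>' line per algorithm (constructed format)."""
    return "\n".join(f"{alg} {hashlib.new(alg, data).hexdigest()} {name}" for alg in algs)


def parse_manifest(text: str) -> dict:
    """Map filename -> {alg: hexdigest}; blank lines and '#' comments are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alg, hexd, name = line.split(maxsplit=2)
        entries.setdefault(name, {})[alg.lower()] = hexd.lower()
    return entries


def downgraded_manifest(manifest: str) -> str:
    """The manifest as it looks after everything but the md5 line has been removed."""
    return "\n".join(line for line in manifest.splitlines() if line.startswith("md5 "))


def verify_any(data: bytes, listed: dict) -> bool:
    """Weak policy: accept if any digest that happens to be listed matches.

    Whoever controls the manifest also controls which algorithm gets checked.
    """
    return any(
        hmac.compare_digest(hashlib.new(alg, data).hexdigest(), hexd)
        for alg, hexd in listed.items()
    )


def verify_required(data: bytes, listed: dict, required=("sha256",)):
    """Hardened policy: every required digest must be present, and every listed digest must match.

    A manifest missing a required algorithm is treated as a downgrade and rejected,
    regardless of whether the remaining weak digests check out.
    """
    missing = [alg for alg in required if alg not in listed]
    if missing:
        return False, f"rejected: required digest(s) missing {missing} (possible downgrade)"
    for alg, hexd in listed.items():
        if not hmac.compare_digest(hashlib.new(alg, data).hexdigest(), hexd):
            return False, f"rejected: {alg} mismatch"
    return True, "ok"


if __name__ == "__main__":
    full = parse_manifest(make_manifest(NAME, FILE))[NAME]
    stripped = parse_manifest(downgraded_manifest(make_manifest(NAME, FILE)))[NAME]
    print("full manifest:     any =", verify_any(FILE, full), " required =", verify_required(FILE, full))
    print("stripped manifest: any =", verify_any(FILE, stripped), " required =", verify_required(FILE, stripped))
```

The required set is a verifier-side decision, not something read from the manifest, which is the whole point: if the list of algorithms to check comes from the same place as the digests, removing a line removes the check.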


        • #34
          Originally posted by karolherbst View Post
          The point of hashes is to identify or check the integrity of files of course. Sometimes I have to send financially relevant documents over the internets and I have scanned files for this. Of course it has to be proven somehow that those files weren't modified in between.

          And because e-governance is becoming a thing, this is getting more and more important by the day.
          If you're sending financial documents over the internet, you shouldn't be relying on mere checksums... you ought to be using full-on crypto - both encrypted and signed. Simply using a hash is no proof that the files weren't modified...

          Comment


          • #35
            Originally posted by Delgarde View Post

            If you're sending financial documents over the internet, you shouldn't be relying on mere checksums... you ought to be using full-on crypto - both encrypted and signed. Simply using a hash is no proof that the files weren't modified...
            They weren't critical, yet. But yes, if it is super important stuff, I would send them encrypted only.

            Comment
