brent timothy saner via plug on 10 Jan 2020 06:00:00 -0800


Re: [PLUG] exploit breaks SHA-1

On 1/10/20 08:42, jeff via plug wrote:
> Users of GnuPG, OpenSSL and Git could be in danger from an attack that’s
> practical for ordinary attackers to carry out.

Original/canonical source/alert is at

However, the information as reported in this email is not...entirely
accurate. The damage is not as severe as one would think ever since
SHAttered[0] was announced and everyone worked to phase SHA1 out.

- Keys created using default options in GnuPG *legacy* versions (1.4,
not 2.x) are affected

- OpenSSL is most likely going to completely disable SHA1 in the default
security level (level 1). Debian, and probably others, use level 2 by
default instead of level 1.

- Git is not at risk, as SHA1 hashes are used to *identify* commits, not
*verify the integrity* of them. GPG sign-offs are used for the latter.
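As an added example (not part of this message or of GnuPG), a small audit that parses `gpg --list-packets` output and flags every signature packet still made with MD5 or SHA-1, which is what the affected legacy-default keys would show on their self-signatures. The listing below is constructed to mimic that output format; the line layout and the `--list-packets` option are assumptions about gpg's output, and the algorithm numbers are the RFC 4880 hash IDs.

```python
import re
import subprocess

# RFC 4880 section 9.4 hash algorithm IDs; 1 and 2 are the broken ones.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_ALGOS = {1, 2}

# Constructed sample of `gpg --list-packets` output: a self-signature (0x13)
# made with SHA-1 and a subkey binding (0x18) made with SHA-256.
SAMPLE_LISTING = """\
:public key packet:
\tversion 4, algo 1, created 1578643200, expires 0
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1578643200, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest ab cd
\thashed subpkt 2 len 4 (sig created 2020-01-10)
:public sub key packet:
\tversion 4, algo 1, created 1578643200, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1578643200, md5len 0, sigclass 0x18
\tdigest algo 8, begin of digest 12 34
"""

def weak_signatures(listing):
    """Return (keyid, digest_name, sigclass) for each signature packet
    whose digest algorithm is MD5 or SHA-1."""
    findings = []
    keyid = sigclass = None
    for line in listing.splitlines():
        m = re.match(r":signature packet: algo \d+, keyid ([0-9A-Fa-f]+)", line)
        if m:                      # new signature packet: reset per-packet state
            keyid, sigclass = m.group(1).upper(), None
            continue
        m = re.search(r"sigclass 0x([0-9a-fA-F]+)", line)
        if m:
            sigclass = int(m.group(1), 16)
        m = re.search(r"digest algo (\d+)", line)
        if m and keyid is not None:
            algo = int(m.group(1))
            if algo in WEAK_ALGOS:
                findings.append((keyid, HASH_ALGOS[algo], sigclass))
    return findings

def audit_key_file(path):
    """Run gpg on an exported key and audit its signatures (assumes gpg is installed)."""
    out = subprocess.run(["gpg", "--list-packets", path], capture_output=True, text=True, check=True)
    return weak_signatures(out.stdout)

if __name__ == "__main__":
    for keyid, digest, sigclass in weak_signatures(SAMPLE_LISTING):
        print(f"key {keyid}: sigclass 0x{sigclass:02x} signed with {digest}")
```

Sigclass 0x10 to 0x13 are certifications of a user ID (self-signatures and third-party signatures), 0x18 is a subkey binding; a SHA-1 certification is the case the collision result bears on.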

It is also NOT "practical for ordinary attackers" still:

"We implemented the entire chosen-prefix collision attack with those
improvements. This attack is extremely technical, contains many details,
various steps, and requires a lot of engineering work. In order to
perform this computation with a small academic budget, we rented cheap
gaming or mining GPUs from GPUserversrental, rather than the
datacenter-grade hardware used by big cloud providers. We have
successfully run the computation during two months last summer, using
900 GPUs (Nvidia GTX 1060).

As a side result, this shows that it now costs less than 100k USD to
break cryptography with a security level of 64 bits (i.e. to compute 2^64
operations of symmetric cryptography).

By renting a GPU cluster online, the entire chosen-prefix collision
attack on SHA-1 cost us about 75k USD. However, at the time of
computation, our implementation was not optimal and we lost some time
(because research). Besides, computation prices went further down since
then, so we estimate that our attack costs today about 45k USD. As
computation costs continue to decrease rapidly, we evaluate that it
should cost less than 10k USD to generate a chosen-prefix collision
attack on SHA-1 by 2025."

For targeted org-level and state-level attacks, it's absolutely viable,
but it's quite far from the funding and resources available to "ordinary
attackers" still. We're not talking about breaking WEP PSKs or NTHash
hashes here. This will, of course, be more accessible with time and cost
improvements in hardware but it's not there yet.

But if you were using SHA1 still, even after SHAttered, for
integrity/verification purposes, you probably were already off to a bad
start before this was announced.


Philadelphia Linux Users Group