[193778] in North American Network Operators' Group
Re: SHA1 collisions proven possisble
daemon@ATHENA.MIT.EDU (Ricky Beam)
Thu Feb 23 17:40:47 2017
X-Original-To: nanog@nanog.org
To: nanog@nanog.org
Date: Thu, 23 Feb 2017 17:40:42 -0500
From: "Ricky Beam" <jfbeam@gmail.com>
In-Reply-To: <EBD013B2-5045-46FF-8CBB-61B38EC09A36@ianai.net>
Errors-To: nanog-bounces@nanog.org
On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore <patrick@ianai.net>
wrote:
> More seriously: The attack (or at least as much as we can glean from the
> blog post) cannot find a collision (file with same hash) from an
> arbitrary file. The attack creates two files which have the same hash,
> which is scary, but not as bad as it could be.
Exactly. This is just more sky-is-falling nonsense. Of course collisions
exist. They occur in every hash function. It's only marginally noteworthy
when someone finds a collision. It's neat the Google has found a way to
generate a pair of files with the same hash -- at colossal computational
cost! However this in no way invalidates SHA-1 or documents signed by
SHA-1. You still cannot take an existing document, modify it in a
meaningful way, and keep the same hash.
[Nor can you generate a blob to match an arbitrary hash (which would be
death of all bittorrent)]
