[193782] in North American Network Operators' Group
Re: SHA1 collisions proven possisble
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Thu Feb 23 18:09:28 2017
X-Original-To: nanog@nanog.org
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <CAD6AjGT_gvTyifvQOU4z-PNmuCjxOm9DqBvjvomR-9Qvmkg1uw@mail.gmail.com>
Date: Thu, 23 Feb 2017 15:03:34 -0500
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Feb 23, 2017, at 2:59 PM, Ca By <cb.list6@gmail.com> wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder =
<shortdudey123@gmail.com> wrote:
>=20
>> Coworker passed this on to me.
>>=20
>> Looks like SHA1 hash collisions are now achievable in a reasonable =
time
>> period
>> https://shattered.io/
>>=20
>> -Grant
>=20
>=20
> Good thing we "secure" our routing protocols with MD5
MD5 on BGP considered Harmful.
> :)
:-)
More seriously: The attack (or at least as much as we can glean from the =
blog post) cannot find a collision (file with same hash) from an =
arbitrary file. The attack creates two files which have the same hash, =
which is scary, but not as bad as it could be.
For instance, someone cannot take Verisign=E2=80=99s root cert and =
create a cert which collides on SHA-1. Or at least we do not think they =
can. We=E2=80=99ll know in 90 days when Google releases the code.
--=20
TTFN,
patrick
