[193783] in North American Network Operators' Group


Re: SHA1 collisions proven possible

daemon@ATHENA.MIT.EDU (J. Hellenthal)
Thu Feb 23 18:11:28 2017

X-Original-To: nanog@nanog.org
From: "J. Hellenthal" <jhellenthal@dataix.net>
X-Google-Original-From: "J. Hellenthal" <jhellenthal@DataIX.net>
In-Reply-To: <op.yv4w94eitfhldh@rbeam.xactional.com>
Date: Thu, 23 Feb 2017 17:11:23 -0600
To: Ricky Beam <jfbeam@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

It's actually pretty serious in Git and the banking markets where there is high usage of sha1. Considering the wide adoption of Git, this is a pretty serious issue that will only become worse ten-fold over the years. Visible abuse will not be near as widely seen as the initial shattering but escalate over much longer periods.

Take it seriously? Why wouldn't you!?

-- 
 Onward!,
 Jason Hellenthal,
 Systems & Network Admin,
 Mobile: 0x9CA0BD58,
 JJH48-ARIN

On Feb 23, 2017, at 16:40, Ricky Beam <jfbeam@gmail.com> wrote:

> On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore <patrick@ianai.net> wrote:
> More seriously: The attack (or at least as much as we can glean from the blog post) cannot find a collision (file with same hash) from an arbitrary file. The attack creates two files which have the same hash, which is scary, but not as bad as it could be.

Exactly. This is just more sky-is-falling nonsense. Of course collisions exist. They occur in every hash function. It's only marginally noteworthy when someone finds a collision. It's neat that Google has found a way to generate a pair of files with the same hash -- at colossal computational cost! However this in no way invalidates SHA-1 or documents signed by SHA-1. You still cannot take an existing document, modify it in a meaningful way, and keep the same hash.

[Nor can you generate a blob to match an arbitrary hash (which would be death of all bittorrent)]
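
The thread above turns on the difference between a collision (both inputs chosen freely) and a second preimage (matching an input that already exists). The following is an added illustration, not part of any poster's message: it measures both searches against Git-style blob IDs truncated to 16 bits. The truncation, the helper names `toy_id`, `find_collision` and `find_second_preimage`, and all sample inputs are assumptions made for the example.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest size so both searches finish in seconds (assumption)

def git_blob_id(data: bytes) -> str:
    """Object ID Git assigns to a blob: SHA-1 over 'blob <size>\\0' + content."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def toy_id(data: bytes) -> int:
    """First BITS bits of the Git blob ID, standing in for a weakened hash."""
    return int(git_blob_id(data), 16) >> (160 - BITS)

def find_collision():
    """Collision: BOTH inputs are free to vary. Birthday bound, ~2^(BITS/2) tries."""
    seen = {}
    for tries in count(1):
        msg = b"constructed-a-%d" % tries      # constructed sample input
        h = toy_id(msg)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg

def find_second_preimage(target: bytes):
    """Second preimage: one input is fixed in advance. Expect ~2^BITS tries."""
    want = toy_id(target)
    for tries in count(1):
        msg = b"constructed-b-%d" % tries      # constructed sample input
        if msg != target and toy_id(msg) == want:
            return msg, tries

if __name__ == "__main__":
    a, b, n_coll = find_collision()
    existing = b"existing signed document (constructed sample)\n"
    forged, n_pre = find_second_preimage(existing)
    print(f"collision after {n_coll} tries (birthday estimate {2 ** (BITS // 2)})")
    print(f"second preimage after {n_pre} tries (estimate {2 ** BITS})")
```

At SHA-1's full 160 bits the same two estimates are about 2^80 and 2^160 for generic search, which is why a faster-than-birthday collision method leaves the second-preimage case untouched.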
