[193801] in North American Network Operators' Group
Re: SHA1 collisions proven possisble
daemon@ATHENA.MIT.EDU (Tei)
Fri Feb 24 07:16:43 2017
X-Original-To: nanog@nanog.org
In-Reply-To: <CAD6AjGT_gvTyifvQOU4z-PNmuCjxOm9DqBvjvomR-9Qvmkg1uw@mail.gmail.com>
From: Tei <oscar.vives@gmail.com>
Date: Fri, 24 Feb 2017 13:16:38 +0100
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On 23 February 2017 at 20:59, Ca By <cb.list6@gmail.com> wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder <shortdudey123@gmail.com>
> wrote:
>
> > Coworker passed this on to me.
> >
> > Looks like SHA1 hash collisions are now achievable in a reasonable time
> > period
> > https://shattered.io/
> >
> > -Grant
>
>
> Good thing we "secure" our routing protocols with MD5
>
> :)
>
>
> >
>
One place that use sha1 seems to be some banking gateways. They sign the
parameters of some request to authentificate the request has a valid one
doing something like "sha1( MerchantID . secureCode . TerminalID . amount .
exponent . moneyCode )". I have no idea how evil people would exploit
collisions here, but I guest banking will move to the next hash algorithm
(sha256?) and deprecate this one. This may affect more "Mom and Pa Online
Shop" than bigger services.
--=20
--
=E2=84=B1in del =E2=84=B3ensaje.
