SHA-1 collisions now at 2^{52}?

Matt Blaze mab at crypto.com
Sat May 2 15:00:36 EDT 2009


On May 2, 2009, at 5:53, Peter Gutmann wrote:

> "Perry E. Metzger" <perry at piermont.com> writes:
>> Greg Rose <ggr at qualcomm.com> writes:
>>> It already wasn't theoretical... if you know what I mean. The writing
>>> has been on the wall since Wang's attacks four years ago.
>>
>> Sure, but this should light a fire under people for things like TLS 1.2.
>
> Why?
>
> Seriously, what threat does this pose to TLS 1.1 (which uses HMAC-SHA1 and
> SHA-1/MD5 dual hashes)?  Do you think the phishers will even notice this as
> they sort their multi-gigabyte databases of stolen credentials?
[snip]

I must admit I don't understand this line of reasoning (not to pick
on Perry, Greg, or Peter, all of whom have a high level of
crypto-clue and who certainly understand protocol design).

The serious concern here seems to me not to be that this particular
weakness is a last straw wedge that enables some practical attack
against some particular protocol -- maybe it is and maybe it isn't.
What worries me is that SHA-1 has been demonstrated to not have a
property -- infeasible to find collisions -- that protocol designers
might have relied on it for.

Security proofs become invalid when an underlying assumption is
shown to be invalid, which is what has happened here to many
fielded protocols that use SHA-1. Some of these protocols may well
still be secure in practice even under degraded assumptions, but to
find out, we'd have to analyze them again.  And that's a non-trivial
task that as far as I know has not been done yet (perhaps I'm wrong
and it has).  "They'll never figure out how to exploit it" is not,
sadly, a security proof.

Any attack that violates basic properties of a crypto primitive
is a serious problem for anyone relying on it, pretty much by
definition.

-matt

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com