[Cryptography] Google announces practical SHA-1 collision attack

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Feb 27 03:57:23 EST 2017


Nikita Borisov <nikita at illinois.edu> writes:

>The cost estimates were around $500K at normal EC2 prices and $100K at spot
>prices. I'd have imagined that nation states command rather more resources
>than that!

Lots of organisations, and even individuals, can scrape together that sort of
money, but "resources" is more than just finding the money, it's being able to
justify the expense and then take advantage of the product once you've spent
it.  How would you justify spending several hundred $K (depending on which
price level you manage to get) on a single forged cert?  And before someone
leaps in with "I'm sure the Russian mafia would love to get a forged Google
cert", and ignoring the fact that Google uses cert pinning so it wouldn't do
much good anyway, what would "the Russian mafia" (the universal bogeyman) do
with a Google cert that they aren't already doing without one?  

So what's left is things like TAO, for whom it might actually be worthwhile
spending $100K or $500K or whatever on a forged cert (no-one knows what the
Flame cert cost), although from everything we know from Snowden there are lots
of ways of achieving their desired goal without spending that much on a single
cert.

I've just finished writing up an RFC security considerations section on SHA-1
that analyses its effect on a particular protocol, and after going through all
the possibilities the outcome is "yes, you could have a go at this, but apart
from proving you can do a SHA-1 forgery there's no benefit to it".  That's the
"resources" thing, the ability to (a) fund it, (b) justify spending that much
to your boss, and (c) exploit it once you've got it.

Peter.

