[Cryptography] Google announces practical SHA-1 collision attack

Perry E. Metzger perry at piermont.com
Mon Feb 27 09:27:34 EST 2017


On Mon, 27 Feb 2017 08:57:23 +0000
Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> Nikita Borisov <nikita at illinois.edu> writes:
> 
> >The cost estimates were around $500K at normal EC2 prices and $100K
> >at spot prices. I'd have imagined that nation states command rather
> >more resources than that!  
> 
> Lots of organisations, and even individuals, can scrape together that
> sort of money, but "resources" is more than just finding the money,
> it's being able to justify the expense and then take advantage of the
> product once you've spent it.  How would you justify spending several
> hundred $K (depending on which price level you manage to get) on a
> single forged cert?  And before someone leaps in with "I'm sure the
> Russian mafia would love to get a forged Google cert", and ignoring
> the fact that Google uses cert pinning so it wouldn't do much good
> anyway, what would "the Russian mafia" (the universal bogeyman) do
> with a Google cert that they aren't already doing without one?

So, as it happens, I know some organizations which have a definite
reason to worry about SHA-1 collisions being possible in this price
range. Yes, about mere ability to generate collisions and not
preimages. Sadly, I have an obligation to be very vague.  But let me
say, IMHO, although many or even most users don't have to panic, some
organizations absolutely do have reason for concern.

The other problem here, of course, is that as we've found out over and
over again in this business, merely because the average user of your
software or protocol is just protecting their grocery list doesn't
mean that someone with real risk isn't also going to use your
software. My classic example (which isn't relevant to the SHA-1 case
but is generally illustrative) is that the same instant message
software will be used by spouses telling each other to pick up more
eggs on the way home and by reporters talking to confidential sources.

It's all a question of what you're securing and how you are securing
it. Not everyone is trying to protect low value information.

Perry

