[Cryptography] Recent improvements on SHA-1 attacks

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Jan 7 06:41:36 EST 2020


An interesting paper has just appeared on the IACR e-print archive:

  SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to
  the PGP Web of Trust

  https://eprint.iacr.org/2020/014.pdf

tl;dr: Attacks sped up by a factor of ~16 over previous work, chosen-prefix
collision for ~$75k and 2 months effort.

It's a long (32 pages) but interesting read.  The only thing I have a bit of
an issue with is the conclusion:

  SHA-1 signatures now offers virtually no security in practice

It should really be "SHA-1 signatures where the attacker has two months time
and tens of thousands of dollars (there are some cheaper options than $75k) to
prepare a forgery offer no security in practice".

Even then, the demonstrated attack relies on the ability to stuff arbitrary
garbage data into the signed message (in this case into a JPEG image after the
End-of-Image marker), so add:

  "... and the ability to stuff arbitrary attacker-chosen data into the signed
  message..."

to that.

Not trying to downplay the findings in the paper, but more to provide some
perspective on where the major risks lie for people who need to think about
the use of SHA-1 in legacy products and systems.

Peter.
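The second caveat in the post, that the demonstrated forgery depends on being able to append attacker-chosen bytes to the signed message (here, after a JPEG's End-of-Image marker), suggests a cheap defensive check that a verifier or signing gateway can apply: walk the JPEG's marker structure and refuse, or strip, anything that follows the EOI marker. The code below is an added example written for this page, not code from the post, the paper, or any project it names; the function names, the minimal constructed JPEG, and the policy of treating trailing bytes as a reason to reject are all assumptions of the example.

```python
"""
Detect and strip data appended after a JPEG's End-of-Image (EOI) marker.

A file that carries bytes after EOI still renders normally, so such bytes are
a convenient place for filler that the viewer never shows. A signing gateway
or verifier that canonicalises images to end at EOI removes that slack.
"""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA            # marker codes following 0xFF


def trailing_bytes_after_eoi(data: bytes) -> int:
    """Return how many bytes follow the first EOI marker (0 for a clean file).

    Raises ValueError if the marker structure is malformed or EOI is missing.
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return len(data) - pos
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM: no payload
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        # big-endian length that includes its own two bytes
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2 or pos + seg_len > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seg_len
        if marker == SOS:
            # Entropy-coded data follows; 0xFF00 is a stuffed byte and
            # 0xFFD0-0xFFD7 are restart markers, neither ends the scan.
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt == -1 or nxt + 1 >= len(data):
                    raise ValueError("scan data runs off the end, no EOI")
                m = data[nxt + 1]
                if m == 0x00 or 0xD0 <= m <= 0xD7:
                    pos = nxt + 2
                elif m == 0xFF:
                    pos = nxt + 1
                else:
                    pos = nxt
                    break
    raise ValueError("no EOI marker found")


def strip_trailing_data(data: bytes) -> bytes:
    """Canonical form: the image truncated right after its EOI marker."""
    n = trailing_bytes_after_eoi(data)
    return data[:len(data) - n] if n else data


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed, structurally valid (not decodable) JPEG for testing.

    Contains an APP0 segment, an SOS segment, scan data with a stuffed 0xFF00
    and a restart marker, EOI, and an optional trailer.
    """
    app0 = b"\xff\xe0" + (2 + 5).to_bytes(2, "big") + b"JFIF\x00"
    sos = b"\xff\xda" + (2 + 1).to_bytes(2, "big") + b"\x01"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    clean = build_sample_jpeg()
    padded = build_sample_jpeg(b"\x00" * 40)            # constructed filler
    print("clean file trailing bytes:", trailing_bytes_after_eoi(clean))
    print("padded file trailing bytes:", trailing_bytes_after_eoi(padded))
    print("stripped equals clean:", strip_trailing_data(padded) == clean)
```

In a verifier, a non-zero result is a reason to reject a signed image rather than silently hash the visible part; on the signing side, hashing `strip_trailing_data(image)` instead of the raw file removes the slack entirely. Other container formats have their own trailing or ignored regions, so the same idea has to be re-applied per format.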

