On Wed, 01 Mar 2017 22:57:06 -0600, James DeVincentis via NANOG said:
> - Google created a weak example. The difference in the document they
> generated was a background color. They didn’t even go a full RGBA
> difference.
> They went from Red to Blue. That’s a difference of 4 bytes (R and B
On Wed, Mar 1, 2017 at 10:57 PM, James DeVincentis via NANOG
wrote:
> Let me add some context to the discussion.
> With specific regard to SSL certificates: "Are TLS/SSL certificates at risk?
> Any Certification
> Authority abiding by the CA/Browser Forum regulations is not allowed to issue
> S
On 3/1/2017 10:50 PM, James DeVincentis via NANOG wrote:
Realistically any hash function *will* have collisions when two items are
specifically crafted to collide after expending insane amounts of computing
power, money, and… i wonder how much in power they burned for this little stunt.
Easy
On Wed, Mar 1, 2017 at 7:57 PM, James DeVincentis via NANOG
wrote:
[ reasonable analysis snipped :) ]
> With all of these reasons all wrapped up. It clearly shows the level of hype
> around this attack is the result of sensationalist articles and clickbait
> titles.
I have trouble believing t
Let me add some context to the discussion.
I run threat and vulnerability management for a large financial institution.
This attack falls under our realm. We’ve had a plan in progress for several
years to migrate away from SHA-1. We’ve been carefully watching the progression
of the weakening of
I like the footnote they attached specifically for SHA1.
"[3] Google spent 6500 CPU years and 110 GPU years to convince everyone we need
to stop using SHA-1 for security critical applications. Also because it was
cool."
It’s also not preimage. This isn’t even a FIRST preimage attack. That tabl
On Thu, Mar 02, 2017 at 03:42:12AM +, Nick Hilliard wrote:
> James DeVincentis via NANOG wrote:
> > On top of that, the calculations they did were for a stupidly simple
> > document modification in a type of document where hiding extraneous
> > data is easy. This will get exponentially computat
James DeVincentis via NANOG wrote:
> On top of that, the calculations they did were for a stupidly simple
> document modification in a type of document where hiding extraneous
> data is easy. This will get exponentially computationally more
> expensive the more data you want to mask. It took nine q
Keep in mind botnets that large are comprised largely of IoT devices which have
very little processing power compared to the massive multi-core, high
frequency, high memory bandwidth (this is especially important for
cryptographic operations) CPUs in data centers. It doesn’t take much processing
On Wed, 01 Mar 2017 15:28:23 -0600, "james.d--- via NANOG" said:
> Those statistics are nowhere near real world for ROI. You'd have to invest
> at least 7 figures (USD) in resources. So the return must be millions of
> dollars before anyone can detect the attack. Except, it's already
> detectable.
le.
Google nullified their point of demonstrating the attack by showing it was
easily detectable.
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matt Palmer
Sent: Wednesday, March 1, 2017 1:34 PM
To: nanog@nanog.org
Subject: Re: SHA1 collisions proven possisble
On Tue
On Tue, Feb 28, 2017 at 01:16:23PM -0600, James DeVincentis via NANOG wrote:
> The CA signing the cert actually changes the fingerprint
The what? RFC5280 does not contain the string "finger".
> (and serial number, which is what is checked on revocation lists)
The CA doesn't "change" the serial
The CA signing the cert actually changes the fingerprint (and serial number,
which is what is checked on revocation lists), so this is not a viable
scenario. Beyond that, SHA1 signing of certificates has long been deprecated
and no new public CAs will sign a CSR and cert with SHA1.
> On Feb 27,
Once upon a time, valdis.kletni...@vt.edu said:
> There's only 2 certs. You generate 2 certs with the same hash, and *then* get
> the CA to sign one of them.
The point is that the signed cert you get back from the CA will have a
different hash, and the things that they change that cause the hash
On Mon, 27 Feb 2017 07:23:43 -0500, Jon Lewis said:
> On Sun, 26 Feb 2017, Keith Medcalf wrote:
>
> > So you would need 6000 years of computer time to compute the collision
> > on the SHA1 signature, and how much additional time to compute the
> > trapdoor (private) key, in order for the cert to be
On Sun, 26 Feb 2017, Keith Medcalf wrote:
So you would need 6000 years of computer time to compute the collision
on the SHA1 signature, and how much additional time to compute the
trapdoor (private) key, in order for the cert to be of any use?
1) Wasn't the 6000 years estimate from an article
On Mon, 27 Feb 2017 01:15:28 -0500, "Patrick W. Gilmore" said:
> In the example above, the CA knows the SHA-1 hash of the cert it issued. (We
> are assuming there is a CA which still does SHA-1.) How do you get that CA to
> believe the two OTHER certs with DIFFERENT hashes you have to create so yo
> 1. Create a certificate C[ert] for a single domain you control with hash h(c).
> 2. Create a second certificate A[ttack] marked as a certificate
> authority such that h(C) = h(A).
> 3. Have a certificate authority sign cert C
> 4. Present the signature for A along with A for whatever nefarious
On Mon, Feb 27, 2017 at 01:15:28AM -0500, Patrick W. Gilmore wrote:
> On Feb 26, 2017, at 21:16, Matt Palmer wrote:
> > Even better: I want a CA cert. I convince a CA to issue me a regular,
> > end-entity cert for `example.com` (which I control) in such a way that I can
> > generate another cert
On 26 February 2017 at 22:15, Patrick W. Gilmore wrote:
> Composed on a virtual keyboard, please forgive typos.
>
> On Feb 26, 2017, at 21:16, Matt Palmer wrote:
>>> On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilm
Composed on a virtual keyboard, please forgive typos.
On Feb 26, 2017, at 21:16, Matt Palmer wrote:
>> On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
>>> On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
>>> I repeat something I've said a couple times in t
> Git prefixes blobs with its own data. You're not going to break git with a
> SHA-1 binary collision.
http://www.metzdowd.com/pipermail/cryptography/2017-February/031623.html
On Sunday, 26 February, 2017 19:16 Matt Palmer said:
> On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
> > On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
> > > I repeat something I've said a couple times in this thread: If I can
> > > somehow create two
On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
> On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
> > I repeat something I've said a couple times in this thread: If I can
> > somehow create two docs with the same hash, and somehow con someone
> > into using
On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
>
> I repeat something I've said a couple times in this thread: If I can
> somehow create two docs with the same hash, and somehow con someone
> into using one of them, chances are there are bigger problems than a
> SHA1 hash coll
Patrick W. Gilmore wrote:
> I repeat something I've said a couple times in this thread: If I can
> somehow create two docs with the same hash, and somehow con someone
> into using one of them, chances are there are bigger problems than a
> SHA1 hash collision.
This collision turns a theoretical as
On Feb 25, 2017, at 17:44, Jimmy Hess wrote:
>> On Thu, Feb 23, 2017 at 2:03 PM, Patrick W. Gilmore
>> wrote:
>>
>> For instance, someone cannot take Verisign’s root cert and create a cert
>> which collides
>> on SHA-1. Or at least we do not think they can. We’ll know in 90 days when
>> Google
On Thu, Feb 23, 2017 at 2:03 PM, Patrick W. Gilmore wrote:
> For instance, someone cannot take Verisign’s root cert and create a cert
> which collides
> on SHA-1. Or at least we do not think they can. We’ll know in 90 days when
> Google releases the code.
Maybe. If you assume that no SHA atta
On Sat, 25 Feb 2017 09:26:28 -0800, Richard Hesse said:
> Git prefixes blobs with its own data. You're not going to break git with a
> SHA-1 binary collision. However, svn is very vulnerable to breaking.
And here's the proof-of-concept for svn breakage. Somebody managed to
make the WebKit svn tot
Git prefixes blobs with its own data. You're not going to break git with a
SHA-1 binary collision. However, svn is very vulnerable to breaking.
On Thu, Feb 23, 2017 at 3:11 PM, J. Hellenthal
wrote:
> It's actually pretty serious in Git and the banking markets where there is
> high usage of sha1.
On Feb 24, 2017, at 12:04 PM, Vincent Bernat wrote:
> ❦ 23 février 2017 21:16 -0500, "Patrick W. Gilmore" :
>
>> A couple things will make this slightly less useful for the attacker:
>> 1) How many people are not going to keep a copy? Once both docs are
>> found to have the same
❦ 23 février 2017 21:16 -0500, "Patrick W. Gilmore" :
> A couple things will make this slightly less useful for the attacker:
> 1) How many people are not going to keep a copy? Once both docs are
> found to have the same hash, well, game over.
But if a transaction is automated
❦ 23 février 2017 19:28 -0500, Jon Lewis :
>>> cost! However this in no way invalidates SHA-1 or documents signed by
>>> SHA-1.
>>
>> We negotiate a contract with terms favorable to you. You sign it (or more
>> correctly, sign the SHA-1 hash of the document).
>>
>> I then take your signed copy,
* valdis kletnieks:
> We negotiate a contract with terms favorable to you. You sign it (or more
> correctly, sign the SHA-1 hash of the document).
>
> I then take your signed copy, take out the contract, splice in a different
> version with terms favorable to me. Since the hash didn't change, yo
On 23 February 2017 at 20:59, Ca By wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder
> wrote:
>
> > Coworker passed this on to me.
> >
> > Looks like SHA1 hash collisions are now achievable in a reasonable time
> > period
> > https://shattered.io/
> >
> > -Grant
>
>
> Good thing we "secure
Especially if that "document" is a component of a ciphersuite exchange.
--Dave
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
valdis.kletni...@vt.edu
Sent: Thursday, February 23, 2017 9:22 PM
To: Ricky Beam
Cc: nanog@nanog.org
Subject: Re: SHA1
> On Feb 23, 2017, at 6:10 PM, Ricky Beam wrote:
>
> When you can do that in the timespan of weeks or days, get back to me.
Stop thinking in the context of bits of fake news on your phone. Start
thinking in the context of trans-national agreements that will soon be signed
by such keys.
--ly
On Thu, 23 Feb 2017 21:10:42 -0500, "Ricky Beam" said:
> When you can do that in the timespan of weeks or days, get back to me.
> Today, it takes years to calculate a collision, and you have to start with
> a document specifically engineered to be modified. (such documents are
> easily spotted upo
On Feb 23, 2017, at 9:08 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 23 Feb 2017 20:56:28 -0500, "Patrick W. Gilmore" said:
>
>> According to the blog post, you can create two documents which have the same
>> hash, but you do not know what that hash is until the algorithm finishes. You
>> cannot
On Thu, 23 Feb 2017 18:21:19 -0500, wrote:
We negotiate a contract with terms favorable to you. You sign it (or
more correctly, sign the SHA-1 hash of the document).
...
When you can do that in the timespan of weeks or days, get back to me.
Today, it takes years to calculate a collision,
On Thu, 23 Feb 2017 20:56:28 -0500, "Patrick W. Gilmore" said:
> According to the blog post, you can create two documents which have the same
> hash, but you do not know what that hash is until the algorithm finishes. You
> cannot create a document which matches a pre-existing hash, i.e. the one i
On Feb 23, 2017, at 6:21 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 23 Feb 2017 17:40:42 -0500, "Ricky Beam" said:
>
>> cost! However this in no way invalidates SHA-1 or documents signed by
>> SHA-1.
>
> We negotiate a contract with terms favorable to you. You sign it (or more
> correctly, sig
On Thu, 23 Feb 2017 19:28:44 -0500, Jon Lewis said:
> Doing it with an ASCII document, source code, or even something like a
> Word document (containing only text and formatting), and having it not be
> obvious upon inspection of the documents that the "imposter" document
> contains some "specific
On Thu, 23 Feb 2017, valdis.kletni...@vt.edu wrote:
On Thu, 23 Feb 2017 17:40:42 -0500, "Ricky Beam" said:
cost! However this in no way invalidates SHA-1 or documents signed by
SHA-1.
We negotiate a contract with terms favorable to you. You sign it (or more
correctly, sign the SHA-1 hash of
We just need to keep the likely timeline in mind.
As I saw someone say on Twitter today ... "don't panic, just deprecate".
Valerie Aurora's hash-lifecycle table is very informative (emphasis mine):
http://valerieaurora.org/hash.html
Reactions to stages in the life cycle of cryptographic hash fu
On Thu, 23 Feb 2017 17:40:42 -0500, "Ricky Beam" said:
> cost! However this in no way invalidates SHA-1 or documents signed by
> SHA-1.
We negotiate a contract with terms favorable to you. You sign it (or more
correctly, sign the SHA-1 hash of the document).
I then take your signed copy, take o
It's actually pretty serious in Git and the banking markets where there is high
usage of sha1. Considering the wide adoption of Git, this is a pretty serious
issue that will only become worse ten-fold over the years. Visible abuse will
not be near as widely seen as the initial shattering but esc
On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore
wrote:
More seriously: The attack (or at least as much as we can glean from the
blog post) cannot find a collision (file with same hash) from an
arbitrary file. The attack creates two files which have the same hash,
which is scary, but
On Thu, 23 Feb 2017 15:03:34 -0500, "Patrick W. Gilmore" said:
> For instance, someone cannot take Verisign’s root cert and create a cert
> which collides on SHA-1. Or at least we do not think they can. We’ll know
> in 90
> days when Google releases the code.
From the announce:
"It is now
On Feb 23, 2017, at 2:59 PM, Ca By wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder wrote:
>
>> Coworker passed this on to me.
>>
>> Looks like SHA1 hash collisions are now achievable in a reasonable time
>> period
>> https://shattered.io/
>>
>> -Grant
>
>
> Good thing we "secure" our
On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder
wrote:
> Coworker passed this on to me.
>
> Looks like SHA1 hash collisions are now achievable in a reasonable time
> period
> https://shattered.io/
>
> -Grant
Good thing we "secure" our routing protocols with MD5
:)
>
Coworker passed this on to me.
Looks like SHA1 hash collisions are now achievable in a reasonable time
period
https://shattered.io/
-Grant