SHA1 is Shattered
Who's still using it?
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Comments
And don't forget to include the domain if you use it.
OK md5 people, you can safely migrate to Sha-1 now.
Plain text no encryption for life.
YOLO
SHA-1 brute force -- 12 000 000 GPUs for 1 year... vs MD5 30 sec. on a smartphone
And so it begins...
I wonder when RSA 1024's time is?
I doubt that the NSA already broke it. They just pretend it can't be.
Why the NSA? With the state of the Russian economy, the FSB probably has access to a larger talent pool of researchers who can do this. They just don't publish.
All cryptography is breakable, just depends on how much time you can take and how much CPU/GPU power you have.
Though, finding weaknesses in the algo and reducing the # of potential answers clearly saves a few years of Moore's law.
A true one-time password scheme is provably unbreakable. Doesn't matter if you have all the computing power from the 35th century and a galaxy of geniuses.
However, the trick there is maintaining a key as big as your message... though the scheme is widely used by people who can dedicate the resources (e.g., governments, etc.). Though even then...
Depends on how you value your target. For example, you have 12 000 000 GPUs and can spare 1 year for brute force. By the time you finish, the costs will be bigger than the importance of the target.
Cryptography's goal is not to be unbreakable; the goal is to be not worth breaking.
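The one-time pad described in the post above, as an added example that is not part of the thread: XORing with a uniformly random key as long as the message gives perfect secrecy (every plaintext of the same length is equally consistent with the ciphertext, so brute force learns nothing), and the same code shows why the key must also never be reused. The message, decoy and key are constructed samples.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    # A true one-time pad needs a uniformly random key at least as long as the message.
    if len(key) < len(message):
        raise ValueError("one-time pad key must be at least as long as the message")
    return xor_bytes(message, key)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    # For every candidate plaintext of the same length there is exactly one key that
    # maps it to this ciphertext, so a brute-forcer trying all keys "finds" every
    # plaintext and has no way to tell the real one from the decoys.
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return xor_bytes(ciphertext, candidate_plaintext)


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    # If the same pad is used twice, the key cancels out: ct1 ^ ct2 == m1 ^ m2.
    # Knowing (or guessing) one message then reveals the other, so "a key as big
    # as your message" really means a fresh key per message.
    return xor_bytes(ct1, ct2)


if __name__ == "__main__":
    message = b"attack at dawn"          # constructed sample, 14 bytes
    decoy = b"attack at dusk"            # constructed decoy of the same length
    key = secrets.token_bytes(len(message))
    ct = otp_encrypt(message, key)
    print("decrypts back:", otp_decrypt(ct, key) == message)
    # The decoy key looks exactly as random as the real one.
    print("decoy key explains ct:", otp_decrypt(ct, key_explaining(ct, decoy)) == decoy)
    leak = two_time_pad_leak(ct, otp_encrypt(decoy, key))
    print("reused pad leaks m1^m2:", xor_bytes(leak, message) == decoy)
```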
@jarland, you were right when you said "every damn time"...
False. That's your interpretation.
All I'm saying is that there have been no new vulnerabilities discovered in plain text communication in years.
I still use md5 quite a bit - but not for crypto. It's many times faster than SHA and if you're just comparing a bunch of files to see if any are identical or something like that, md5 is fine.
Indubitably, my friend.
Open a newspaper or site. Plain text is exploitable as all hell. People find stuff in it that isn't there from the start.
I'm really getting tired of you talking about my mother like that.
That's why you XOR your original data by a single value, gzip, then base64 it (XOR it twice for another layer of protection).
As mentioned, there's always going to be some way to do this. I found it interesting that they intentionally strove to cause this collision by using a PDF. What's next? NeWS hackers?
I read about those a while back but the details are sketchy... it's not strictly crypto but more of a process?
I think the same case example was done with MD5, with the shock value of it being important document + manipulated data.
I assumed it was more due to the way PDF is basically Postscript, and literally bitfiddling things without many changes to the structure of the document is required to have things which look quite different, but have marginal differences under the hood. So, yeah, I was being a smartass.
Smart arsery on here... never
For a start, I find it excessively funny that Sha1 being "broken" creates so much reaction while "let's encrypt handed out cert for non existing domain" isn't even noticed, although that's a way more grave problem ...
Does anyone still use Sha1? Yes. I for one do.
Of course not (anymore) as a cryptographic-quality hash, but there are plenty of things where one needs a halfway decent hash plus a well established one. Which ("well established"), btw, is a much more massive problem than Sha1 being "broken".
"All cryptography is breakable, just depends on how much time you can take and how much CPU/GPU power you have."
Nope, wrong. Much in the crypto world is about one-way functions which have the property, simply speaking, that in one direction it's simple while in the other direction (cracking) it's gazillion times more difficult. Worked quite well so far and is mathematically well understood.
Second and even more important factor: size and complexity. Once one would need all existing atoms in the universe for a computer powerful enough to break crypto with a not insignificant chance, it becomes practically infeasible.
That said, forget it in case what I just wrote gave you the impression that crypto is secure. It isn't - but hardly due to crypto (or ever more GPUs). It's insecure because it runs on tainted processors, lousy OSs, wanky libraries and is usually written in languages that are utterly inadequate for the job.
Plus, also a very major factor, large parts of crypto are a mirror cabinet strongly influenced by the secret services.
Chances are that you are fuckable if you run with the herd. Unfortunately, chances are also that nobody can communicate with you if you don't run with the herd.
I'd have thought all fit that description of one-way hashing, but don't see how it negates my statement.
Yeah it works, but as for understood... it's really in the realm of the creator and anyone looking to prove weakness. They've proven weakness here.
Not really, as I said it depends how long you have and how much processing power you have. Brute forcing simply works, but takes longest when there are no proven weaknesses in the crypto algo. Secondly, regardless of the number of atoms in the universe, a quantum computer theoretically will make trivial work of all existing classical cryptography, so there's that.
Best leave it to the maths geniuses and take their word on it
I think we're all in that boat.
Is it a part of speech or a fact?
I think this is just one of @bsdguy's pet peeves, because it does seem rather strange that LE pops out of nowhere with magic money to give us free certificates.
I mean, c'mon, Symantec vends shit certificates all the time.
I would rather doubt other certificate authorities than LE. It's backed by the EFF, a privacy watchdog.
Because I feel it's not as automated as LE is. I agree that LE might still have some bugs/security flaws. But the ACME protocol is way better than other certificate issuance techniques.
I've been an EFF supporter for years, but I'm trying to play the part of @bsdguy here. I assume he feels it's being fed money by either a shadow government or the existing ones.
Certbot is buggy and sometimes annoying to handle, but have acmetool? You'll get by. https://github.com/hlandau/acme
Sorry, no.
The amount of computing power is limited and will always be limited by the number of atoms and/or by the energy available in the universe.
As for "understood". We (well, the cryptologists) do understand the math behind crypto.
Looking at, for instance, openssl shows that it's indeed social factors and human weaknesses that make it insecure.
Two examples: a) anything written in C cannot be proven correct, period. Yet it's still widely used (incl. by myself) for reasons that come down to social or practical ones or to the human factor. b) The reason for crappy insecure old crypto still being there is not that we don't have better ones but mostly social and human factor ones. Like decade-old expensive applications in banking and industry that would break without those old algorithms (sometimes they even rely on well known errors).
And, please, keep the perspective in mind and the relativity of professional language. When, for instance, a cryptologist says that algorithm xyz is broken, then he very rarely means that it's broken in terms of what laymen think. It merely means that its safety has crossed below a certain bound (usually in the range of 2^80 to 2^100). The other important thing to understand is that what's 12.000 GPUs today might be a processor that is widely available and within financial reach of many.
Finally let me offer you an extremely simple challenge (simple in the view of cryptologists): I give you some "shitty" 64 bit random number series (64 bit is really, really lousy and way below what's considered even mildly secure). Just tell me the next number to come in the series ...
8aa02b1c4ae79143, bad30719325a7567, 586922291422fbbf, ec8fbdeaeeae2e69, ade5a8a9e7dac6d9, 8fce91ed78bdd0aa, 6dc3b7c42fec5568, ???
In case you fail, don't worry; even the NSA would need a couple of days (or more) to find the next in the series (in part because the PRNG I used is not widespread and because I used some uncommon but high-quality seeding). Would they make that effort to, say, crack some communication between you and me? Hardly. And this is just lousy 64 bits.
linear prediction itt
Hacker news, yesterday. "Let's Encrypt appears to issue a certificate for a domain that doesn't exist".
Funnily, the tweet vanished, but the discussions show that LE is not 100% straight.