
The Cost of Creating Collisions Using SHA-1 - andygambles
https://casecurity.org/2014/11/18/the-cost-of-creating-collisions-using-sha-1/
======
guan
> One downside of these devices is that they are not reprogrammable, so one
> needs an FPGA designed to try SHA-1 hashes, and one cannot repurpose an FPGA
> built for BitCoin mining (since that performs SHA-2 hashes).

This is not accurate and I think they confused FPGAs with ASICs. The “FP” in
FPGA means “field programmable.” You do need a new design to use an FPGA for
SHA-1 instead of SHA-2, but there are probably plenty of SHA-1 implementations
out there, and the hardware stays the same.

~~~
13
Yes, that quote is incorrect. An FPGA is the epitome of reprogrammable
computing devices; they don't have memory within themselves and must load a
bitstream from an external memory device on every power cycle.

------
wwarren
" _Schneier’s analysis concludes that finding a SHA-1 collision would cost
approximately $700,000 USD by 2015, $173,000 USD by 2018, and $43,000 USD by
2021. These numbers are considered within the range of an organized crime
syndicate in 2018, and a university project by 2021._ "

I'd like to know where the organized crime syndicate budget numbers came from

~~~
ObviousScience
That criminals can't afford it when it's ~4x the price seems incredibly
suspicious.

Maybe it's not worth their money now, but I'm skeptical that having to pony up
~4x the money is going to stop an organized crime syndicate from being in
striking range of a collision.

It's already in the range of many mid-sized companies at that price point.

------
middleca
Schneier's estimate assumes rented hardware time, but purchased hardware and
multiple attempts would drive down the cost dramatically over time. This
estimate also doesn't include optimizations by leveraging previous cycles or
spends, or the impact of storing something like a rainbow table.

Given a government budget and time-scale, and ignoring sunk costs, I would
think a collision attack could already be in a negligible cost range for any
well-funded, sophisticated attacker that has set up shop.

edit: also that opinion post is 2 years old

------
corysama
I don't understand the conclusion that urges the move to sha256 certificates.
If the cost of an attack is going down by a factor of 1.5 every year and
sha256 is only 1.4x more expensive, then doesn't transitioning to sha256 only
serve to delay the problem by less than a year?

~~~
13
You misparsed that line; it's talking about the time to complete a single hash
rather than the relative amount of time to find a collision. SHA256 has 128
bits of security to SHA1's heavily wounded <80 bits; there's a significant
increase in complexity between the two.
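
The distinction the reply above draws (per-hash cost versus collision work factor) can be made concrete with a toy birthday search. The following is an added example, not code from the thread or from the linked article; it truncates real SHA-1 and SHA-256 digests to a small number of bits (a constructed toy setting, not an attack on the full functions) so that a generic collision can actually be found in a fraction of a second, and it compares the observed trial count with the birthday estimate sqrt(pi/2 * 2^n). The `work_ratio` helper then shows why 128 bits versus 80 bits of collision resistance is a 2^24 difference in work, not the 1.4x per-hash difference the question assumed.

```python
import hashlib
import math


def generic_collision_work(bits):
    """Expected hash evaluations for a generic (birthday) collision search on
    an n-bit output: roughly sqrt(pi/2 * 2^n). This is the attacker's work
    factor, independent of how fast one evaluation of the hash is."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def work_ratio(bits_a, bits_b):
    """How many times more collision work a bits_b-bit output needs than a
    bits_a-bit output; for 80 -> 128 bits this is 2^24, not 1.4."""
    return generic_collision_work(bits_b) / generic_collision_work(bits_a)


def truncated_tag(hash_name, msg, trunc_bits):
    """Digest of msg under hash_name, truncated to its low trunc_bits bits
    (trunc_bits <= 64). Truncation is the toy device that makes the search
    feasible; it is an assumption of this example, not a property of SHA-1."""
    digest = hashlib.new(hash_name, msg).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << trunc_bits) - 1)


def find_truncated_collision(hash_name, trunc_bits, max_trials=None):
    """Birthday search: hash the counter messages 0, 1, 2, ... and stop at the
    first repeated truncated tag. Returns (msg_a, msg_b, trials).
    With max_trials = 2^trunc_bits + 1 the pigeonhole principle guarantees a
    hit, but on average it arrives after about sqrt(pi/2 * 2^trunc_bits)."""
    if max_trials is None:
        max_trials = (1 << trunc_bits) + 1
    seen = {}
    for i in range(max_trials):
        msg = i.to_bytes(8, "big")  # constructed counter message
        tag = truncated_tag(hash_name, msg, trunc_bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
    return None


def is_collision(hash_name, trunc_bits, msg_a, msg_b):
    """Independent check that two distinct messages share a truncated tag."""
    return msg_a != msg_b and (
        truncated_tag(hash_name, msg_a, trunc_bits)
        == truncated_tag(hash_name, msg_b, trunc_bits)
    )


if __name__ == "__main__":
    bits = 24
    for name in ("sha1", "sha256"):
        a, b, trials = find_truncated_collision(name, bits)
        print(f"{name:7s} truncated to {bits} bits: collision after {trials} "
              f"trials (birthday estimate {generic_collision_work(bits):.0f})")
    print(f"80 -> 128 bits of security multiplies collision work by "
          f"{work_ratio(80, 128):.0f} (2^24)")
```

Each run against a fresh truncation width shows the trial count clustering around the birthday estimate for both hashes, which is the point: swapping SHA-1 for SHA-256 barely changes the cost of one evaluation, but raising the output from a weakened <80 bits to 128 bits of collision resistance raises the attacker's total work by roughly 2^24.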

------
PhantomGremlin
Why bother with this at all? The weakest link is still the CAs. Corrupt one of
those and you've got "root" on most of the Internet.

E.g. the very first certificate my browser trusts is:

    TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı

Huh? WTF? Why should I trust a CA owned by the "Turkish Military Force
Solidarity Foundation"? [1]

[1]
[http://en.wikipedia.org/wiki/Digital_signatures_and_law#Turk...](http://en.wikipedia.org/wiki/Digital_signatures_and_law#Turkey)

------
higherpurpose
> It has almost completely replaced older algorithms like MD2, MD4 and MD5

Ugh. I still see so many sites (quite popular ones, too) using MD5.

