
SHA-1 collisions now cost $45k [pdf] - AndrewDucker
https://eprint.iacr.org/2020/014.pdf
======
dang
Big discussion of the same material from 4 months ago:
[https://news.ycombinator.com/item?id=21979333](https://news.ycombinator.com/item?id=21979333)

Please don't editorialize titles. This one broke the site guidelines badly.

Cherry-picking the detail you think is most important from an article is
editorializing. Threads are sensitive to initial conditions and the title is
the dominant initial condition, so this is a big deal. Being the first (or
luckiest) user to submit an article doesn't confer any special right to frame
it for everyone else. HN readers should make up their own minds about what
parts of an article are important.

If you want to say what you think is important about an article, that's fine,
but do so in the comments. Then your view will be on a level playing field
with everyone else's:
[https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=by%3Adang%20%22level%20playing%20field%22&sort=byDate&type=comment)

------
tyingq
HTML summary of the same content, by the same authors: [https://sha-mbles.github.io/](https://sha-mbles.github.io/)

~~~
haunter
Nice URL

------
est31
As a reaction, OpenSSH will deprecate SHA-1 support in a future release:
[http://www.openssh.com/txt/release-8.3](http://www.openssh.com/txt/release-8.3)

The test fails on my OpenWRT 19.07.03 router's Dropbear installation.

------
wiz21c
It also cost 2 months (FTA)... So the ever-returning question is: how long
does it take when NSA/military/government-level funding is applied?

~~~
veonik
It would scale linearly, right? Double the amount of computing thrown at it,
you'd halve the time on average. Or am I mistaken?

~~~
finnh
And of course double the compute for half the time = same cost (more or less).
I would imagine the NSA has sunk enough into hardware to do this fairly
cheaply per-pass, and very quickly (hours not weeks).

~~~
tialaramex
Cloud computing makes this true for everybody else too now, at least within a
practical range. Now I can easily afford a multi-million dollar distributed
compute facility... for a few hours, rented from Amazon.

I'd be surprised if the NSA has a clear purpose for bulk colliding SHA-1. It's
a pretty niche thing to want to do even compared to, say, "cracking" DES. For
MD5 we know such government agencies made some collisions to exploit various
technologies that didn't stop trusting MD5 in a timely fashion, but it wasn't
something they did a _lot_, just one collision here or there as necessary, e.g.
[https://en.wikipedia.org/wiki/Flame_(malware)](https://en.wikipedia.org/wiki/Flame_\(malware\))

~~~
minhazm
This isn't actually true in practice though. Most of the cloud providers have
quotas on accounts and actually won't let you provision that many resources
without getting the quotas increased, which you are unlikely to be able to do
unless you're actually regularly spending that much money.

------
rudolph9
One of the best things to come out of protocol labs is
[https://multiformats.io/](https://multiformats.io/)

Really simple mechanisms for things like identifying the hash algorithm and
gives you a programmatic way of supporting new hash algorithms without
breaking or changing anything that depends on the old.
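
Added example (Python; not code from the post or from the multiformats project's own libraries) of the self-describing multihash encoding rudolph9 is referring to: the hash function code and digest length travel with the digest, so a verifier can refuse sha1 by policy or fail closed on a code it does not know, and supporting a new algorithm is one table entry. The varint encoding and the four codes are from the multiformats tables; the `allowed` policy parameter is my own.

```python
import hashlib
import hmac

# Multihash: <uvarint code><uvarint digest length><digest>. Codes below are
# from the multiformats table (sha1, sha2-256, sha2-512, sha3-256); a verifier
# that meets a code it does not know fails closed instead of misreading bytes.
HASH_TABLE = {
    0x11: ("sha1", hashlib.sha1),
    0x12: ("sha2-256", hashlib.sha256),
    0x13: ("sha2-512", hashlib.sha512),
    0x16: ("sha3-256", hashlib.sha3_256),
}
NAME_TO_CODE = {name: code for code, (name, _) in HASH_TABLE.items()}

def uvarint_encode(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def uvarint_decode(buf, pos=0):
    value, shift = 0, 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return value | (buf[pos] << shift), pos + 1

def multihash(data, name):
    code = NAME_TO_CODE[name]
    digest = HASH_TABLE[code][1](data).digest()
    return uvarint_encode(code) + uvarint_encode(len(digest)) + digest

def parse_multihash(mh):
    code, pos = uvarint_decode(mh)
    length, pos = uvarint_decode(mh, pos)
    if pos + length != len(mh):
        raise ValueError("digest length does not match the data")
    if code not in HASH_TABLE:
        raise ValueError(f"unknown hash code 0x{code:x}")
    return HASH_TABLE[code][0], mh[pos:]

def verify_multihash(data, mh, allowed=("sha2-256", "sha2-512", "sha3-256")):
    # Policy lives here, not in the format: a sha1 multihash still parses, but
    # is refused unless the caller explicitly allows it (assumed policy).
    name, digest = parse_multihash(mh)
    if name not in allowed:
        return False
    return hmac.compare_digest(HASH_TABLE[NAME_TO_CODE[name]][1](data).digest(), digest)
```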

~~~
tmcw
The PHC string format [https://github.com/P-H-C/phc-string-format/blob/master/phc-s...](https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md)
(used by stuff like Rust's LibreAuth/BoringAuth) is a less fancy but probably
better-suited-to-passwords solution, because it can indicate salt values and
additional parameters.
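
A parser for the PHC string format mentioned above, as an added example in Python (not code from the PHC project or from LibreAuth/BoringAuth), showing how the function id, version, parameters and salt are carried alongside the hash. The argon2id string in the checks is constructed; the `$scrypt$ln=..,r=..,p=..` id and parameter names follow the RustCrypto password-hash crates and are an assumption here, and the scrypt cost is lowered for the demo.

```python
import base64, hashlib, hmac, re

# PHC string format: $<id>[$v=<version>][$<param>=<value>,...][$<salt>[$<hash>]]
# Salt and hash use "B64": the standard base64 alphabet without '=' padding.
_ID_RE = re.compile(r"^[a-z0-9-]{1,32}$")

def b64_decode(s):
    return base64.b64decode(s + "=" * (-len(s) % 4))

def b64_encode(b):
    return base64.b64encode(b).decode().rstrip("=")

def parse_phc(s):
    if not s.startswith("$"):
        raise ValueError("PHC string must start with '$'")
    fields = s.split("$")[1:]
    ident = fields.pop(0)
    if not _ID_RE.match(ident):
        raise ValueError(f"bad function id {ident!r}")
    rec = {"id": ident, "version": None, "params": {}, "salt": None, "hash": None}
    if fields and fields[0].startswith("v="):
        rec["version"] = int(fields.pop(0)[2:])
    if fields and "=" in fields[0]:          # B64 never contains '='
        rec["params"] = dict(kv.split("=", 1) for kv in fields.pop(0).split(","))
    if fields:
        rec["salt"] = b64_decode(fields.pop(0))
    if fields:
        rec["hash"] = b64_decode(fields.pop(0))
    if fields:
        raise ValueError("unexpected trailing fields")
    return rec

# scrypt in PHC form. The id and parameter names (ln = log2 N, r, p) follow
# the RustCrypto password-hash crates; that convention is an assumption here,
# and ln=14 is lowered from production values to keep the demo quick.
def scrypt_phc(password, salt, ln=14, r=8, p=1):
    dk = hashlib.scrypt(password, salt=salt, n=1 << ln, r=r, p=p, dklen=32)
    return f"$scrypt$ln={ln},r={r},p={p}${b64_encode(salt)}${b64_encode(dk)}"

def verify_scrypt_phc(password, phc):
    rec = parse_phc(phc)
    if rec["id"] != "scrypt" or rec["salt"] is None or rec["hash"] is None:
        return False
    ln, r, p = (int(rec["params"][k]) for k in ("ln", "r", "p"))
    dk = hashlib.scrypt(password, salt=rec["salt"], n=1 << ln, r=r, p=p,
                        dklen=len(rec["hash"]))
    return hmac.compare_digest(dk, rec["hash"])
```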

------
cellularmitosis
Not knowing much about binary executable formats, what does this mean for
binary executables or libraries? How easy is it to insert e.g. a remote shell
or keystroke logger into an executable or library using only a prefix? Or
would that require arbitrary in-place edits to a file?

~~~
guipsp
If you control the executable then it's easy. If you can only append then it's
harder.

------
dependenttypes
Is git fixed yet?

~~~
est31
If you wonder whether Git supports non-sha1 hashes yet, then it's not ready
yet. But it is "fixed" in that it includes code to detect sha1 collisions:

[https://github.com/git/git/commit/28dc98e343ca4eb370a29ceec4...](https://github.com/git/git/commit/28dc98e343ca4eb370a29ceec4c19beac9b5c01e)

------
johannesgoslar
Not a crypto expert, but how easy/hard is it with this (or other techniques) at
the moment to generate a random file which matches a given SHA1 hash? It can
have totally random bits, let's say.

~~~
gregmac
What's been done here is a chosen-prefix collision attack [1] where the
attacker can produce two files that have the same hash. What you're asking
about is a preimage attack [2] where one of the files is already created and
the attacker can't influence it.

The practical attack enabled here is mostly around digital signatures. An
attacker could produce documents A and B that both have the same SHA-1. They
can then get someone to sign document A (which really is signing the _SHA-1 of
document A_), then use the signature with document B and make it look like
they have a document B signed with a valid signature.

As an example, if document A is a regular SSL certificate request, and
document B is a "CA certificate", the attacker can trick a real CA into
signing a rogue CA into existence, which can then sign its own certificates
that will be trusted by every browser. This has already happened with MD5 in
2008 [3].

[1]
[https://en.wikipedia.org/wiki/Collision_attack](https://en.wikipedia.org/wiki/Collision_attack)

[2]
[https://en.wikipedia.org/wiki/Preimage_attack](https://en.wikipedia.org/wiki/Preimage_attack)

[3] [http://www.phreedom.org/research/rogue-ca/](http://www.phreedom.org/research/rogue-ca/)

~~~
dependenttypes
It should be noted that certain modern signature schemes (such as ed25519) are
fine with just preimage resistance.

------
thanksforfish
Remember, collisions can be reused[1] to create lots of pairs of files with
the matching hashes.

[1] [https://alf.nu/SHA1](https://alf.nu/SHA1)
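
Added illustration, in Python, of gregmac's point above about signatures and of the collision reuse thanksforfish mentions (not code from the paper, from alf.nu, or from any of the posters): a constructed toy Merkle-Damgard hash with a 16-bit chaining state, so that a collision falls out of a birthday search instead of a $45k computation, a sign-the-digest scheme with HMAC standing in for RSA/ECDSA, and checks that a signature issued over document A verifies document B and that the colliding prefixes keep colliding under any common suffix.

```python
import hashlib, hmac, itertools, struct

# Constructed toy Merkle-Damgard hash: 16-bit chaining state, 4-byte blocks.
# The state is tiny on purpose so a collision falls out of a birthday search
# in a few hundred tries; SHA-1's 160-bit state is what makes the real attack
# cost $45k, but the consequences for "sign the digest" are identical.
BLOCK, IV = 4, b"\x00\x00"

def compress(state, block):
    return hashlib.sha256(state + block).digest()[:2]

def toy_hash(msg):
    # Merkle-Damgard padding: 0x80, zero fill, then the message length.
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 4) % BLOCK)
    padded += struct.pack(">I", len(msg))
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def find_colliding_blocks():
    # Birthday search for two distinct first blocks that leave the chaining
    # state identical; anything appended to both afterwards hashes the same.
    seen = {}
    for n in itertools.count():
        blk = struct.pack(">I", n)
        st = compress(IV, blk)
        if st in seen:
            return seen[st], blk
        seen[st] = blk

# Sign the digest, as real schemes do; HMAC stands in for RSA or ECDSA.
def sign(key, msg):
    return hmac.new(key, toy_hash(msg), "sha256").digest()

def verify(key, msg, sig):
    return hmac.compare_digest(sign(key, msg), sig)

def demo(suffix=b"\ncommon tail"):
    p1, p2 = find_colliding_blocks()
    doc_a, doc_b = p1 + suffix, p2 + suffix  # different content, same digest
    key = b"constructed-signing-key"
    sig_a = sign(key, doc_a)                 # the signer only ever sees A
    return {
        "distinct": doc_a != doc_b,
        "same_hash": toy_hash(doc_a) == toy_hash(doc_b),
        "sig_transfers": verify(key, doc_b, sig_a),
        "reusable": toy_hash(p1 + b"other") == toy_hash(p2 + b"other"),
    }
```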

------
ww520
How safe is SHA-256 now? Or is SHA-512 needed in the near future?

~~~
LeoPanthera
Well, there's already a SHA-512.

But none of the SHA family of hashes have ever been recommended for passwords,
not because they are weak, but because they are too fast.

For other purposes, the logical successor to SHA-256/512 is SHA-3:

[https://en.wikipedia.org/wiki/SHA-3](https://en.wikipedia.org/wiki/SHA-3)

But this is far from the only choice. Hashing algorithms are trendy right now,
and there's plenty to choose from.

~~~
dependenttypes
I am not sure why you mentioned passwords. Collision attacks do not affect the
use of hash functions for password hashing.

------
dokument
I understand not wanting to use SHA-1 now for security reasons, but is it
still an OK practice to use it as a general hashing function for a uuid/data
checksum?

~~~
a1369209993
> is it still an OK practice to use it as a general hashing function for a
> uuid/data checksum?

No. If you don't care about collision resistance, use MD5. It's faster, it's
smaller, and it makes it obvious to everyone that your software isn't supposed
to rely on collision resistance.

~~~
mD5pPxMcS6fVWKE
No. MD5 is a cryptographic hash function. For the purposes stated one uses a
non-cryptographic hash function, such as seahash. The difference is the latter
is much faster but does not provide protection against an intentional
collision.

~~~
a1369209993
1: MD5 still provides preimage resistance (both first and second), which is
sometimes useful.

2, and my real objection:

    $ md5sum /dev/null
    d41d8cd98f00b204e9800998ecf8427e  /dev/null
    $ seahashsum /dev/null
    <stdin>:2:0: seahashsum: command not found

That said, my main point was _don't_ use SHA-1, because if you actually need
a half-broken hash function for something, MD5 has all the same properties
(good and bad) for cheaper.

------
xwdv
What could get the cost down even lower?

~~~
mxz3000
Cheaper/faster hardware probably

