SHA1 collisions proven possisble

• Previous message (by thread): SHA1 collisions proven possisble
• Next message (by thread): SHA1 collisions proven possisble
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Feb 23, 2017, at 2:59 PM, Ca By <cb.list6 at gmail.com> wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder <shortdudey123 at gmail.com> wrote:
> 
>> Coworker passed this on to me.
>> 
>> Looks like SHA1 hash collisions are now achievable in a reasonable time
>> period
>> https://shattered.io/
>> 
>> -Grant
> 
> 
> Good thing we "secure" our routing protocols with MD5

MD5 on BGP considered Harmful.

> :)

:-)

More seriously: The attack (or at least as much as we can glean from the blog post) cannot find a collision (file with same hash) from an arbitrary file. The attack creates two files which have the same hash, which is scary, but not as bad as it could be.

For instance, someone cannot take Verisign’s root cert and create a cert which collides on SHA-1. Or at least we do not think they can. We’ll know in 90 days when Google releases the code.

-- 
TTFN,
patrick

• Previous message (by thread): SHA1 collisions proven possisble
• Next message (by thread): SHA1 collisions proven possisble
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]