SHA1 collisions proven possisble
Patrick W. Gilmore
patrick at ianai.net
Thu Feb 23 20:03:34 UTC 2017
On Feb 23, 2017, at 2:59 PM, Ca By <cb.list6 at gmail.com> wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder <shortdudey123 at gmail.com> wrote:
>> Coworker passed this on to me.
>> Looks like SHA1 hash collisions are now achievable in a reasonable time
> Good thing we "secure" our routing protocols with MD5
MD5 on BGP considered Harmful.
More seriously: The attack (or at least as much as we can glean from the blog post) cannot find a collision (file with same hash) from an arbitrary file. The attack creates two files which have the same hash, which is scary, but not as bad as it could be.
For instance, someone cannot take Verisign’s root cert and create a cert which collides on SHA-1. Or at least we do not think they can. We’ll know in 90 days when Google releases the code.
More information about the NANOG