SHA1 collisions proven possible
oscar.vives at gmail.com
Fri Feb 24 12:16:38 UTC 2017
On 23 February 2017 at 20:59, Ca By <cb.list6 at gmail.com> wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder <shortdudey123 at gmail.com>
> > Coworker passed this on to me.
> > Looks like SHA1 hash collisions are now achievable in a reasonable time
> > period
> > https://shattered.io/
> > -Grant
> Good thing we "secure" our routing protocols with MD5
One place that uses sha1 seems to be some banking gateways. They sign the
parameters of some request to authenticate the request as a valid one
doing something like "sha1( MerchantID . secureCode . TerminalID . amount .
exponent . moneyCode )". I have no idea how evil people would exploit
collisions here, but I guess banking will move to the next hash algorithm
(sha256?) and deprecate this one. This may affect more "Mom and Pa Online
Shop" than bigger services.
End of message.
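The construction described in the message above, next to a keyed replacement, as an added example that is not part of the original post and not any gateway's actual code. The field names and their order follow the post; the sample values, the length-prefixed encoding and the choice of HMAC-SHA256 are assumptions.

```python
import hashlib
import hmac
import struct

# Non-secret fields in the order given in the post; secureCode is the
# merchant's shared secret and is handled separately.
FIELDS = ("MerchantID", "TerminalID", "amount", "exponent", "moneyCode")

def legacy_signature(params, secure_code):
    """Construction quoted in the post: SHA-1 over the bare concatenation."""
    data = (params["MerchantID"] + secure_code + params["TerminalID"]
            + params["amount"] + params["exponent"] + params["moneyCode"])
    return hashlib.sha1(data.encode("utf-8")).hexdigest()

def encode_fields(params):
    """Length-prefix each field so field boundaries stay unambiguous."""
    out = b""
    for name in FIELDS:
        value = params[name].encode("utf-8")
        out += struct.pack(">I", len(value)) + value
    return out

def hmac_signature(params, secure_code):
    """Keyed replacement: HMAC-SHA256 with the secret as key, not as data."""
    return hmac.new(secure_code.encode("utf-8"), encode_fields(params),
                    hashlib.sha256).hexdigest()

def verify(params, secure_code, received_tag):
    """Recompute the tag and compare it in constant time."""
    expected = hmac_signature(params, secure_code)
    return hmac.compare_digest(expected, received_tag)

# Constructed sample request (not real merchant data).
SAMPLE = {"MerchantID": "M0001", "TerminalID": "T01", "amount": "1995",
          "exponent": "2", "moneyCode": "978"}
SAMPLE_SECRET = "constructed-demo-secret"

if __name__ == "__main__":
    print("legacy sha1 :", legacy_signature(SAMPLE, SAMPLE_SECRET))
    tag = hmac_signature(SAMPLE, SAMPLE_SECRET)
    print("hmac-sha256 :", tag)
    print("verifies    :", verify(SAMPLE, SAMPLE_SECRET, tag))
```

A gateway migrating this way has to agree on the field encoding with every merchant integration, which is why the small shops mentioned in the message are the ones most likely to lag.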