SHA1 collisions proven possisble

Tei oscar.vives at gmail.com
Fri Feb 24 12:16:38 UTC 2017


On 23 February 2017 at 20:59, Ca By <cb.list6 at gmail.com> wrote:

> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder <shortdudey123 at gmail.com>
> wrote:
>
> > Coworker passed this on to me.
> >
> > Looks like SHA1 hash collisions are now achievable in a reasonable time
> > period
> > https://shattered.io/
> >
> > -Grant
>
>
> Good thing we "secure" our routing protocols with MD5
>
> :)
>
>
> >
>


One place that use sha1 seems to be some banking gateways.  They sign the
parameters of some request to authentificate the request has a valid one
doing something like "sha1( MerchantID . secureCode . TerminalID . amount .
exponent . moneyCode )".    I have no idea how evil people would exploit
collisions here, but I guest banking will move to the next hash algorithm
(sha256?) and deprecate this one.   This may affect more "Mom and Pa Online
Shop" than bigger services.


-- 
--
ℱin del ℳensaje.



More information about the NANOG mailing list