| 1 |
On Mon, Feb 27, 2017 at 9:46 AM, Andrew Savchenko <bircoph@g.o> wrote: |
| 2 |
> |
| 3 |
> So danger of SHA1 collision is much closer than |
| 4 |
> 9,223,372,036,854,775,808 SHA1 computations or 1 110-GPU year. |
| 5 |
|
| 6 |
Indeed in every way it is closer than that than when Google started |
| 7 |
their project, and tomorrow it will be closer still. |
| 8 |
|
| 9 |
The subject line shouldn't really be "SHA-1 has just been broken" but |
| 10 |
"Another recent confirmation of SHA-1 being broken." We've known it |
| 11 |
has been broken for quite a while. |
| 12 |
|
| 13 |
In the same way, DES wasn't broken when the EFF built their ASIC-based |
| 14 |
machine. That was just the final nail in the coffin. Anybody who |
| 15 |
waited for somebody to actually build that machine (and I'd be shocked |
| 16 |
if bigger players than the EFF didn't have such a machine much sooner) |
| 17 |
was deluded. |
| 18 |
|
| 19 |
When somebody discovers an attack on a hash function that greatly |
| 20 |
reduces the cost to generate collisions into a number that is even |
| 21 |
remotely forseeable in the next decade, it is time to stop using that |
| 22 |
hash function. Sheer inertia ensures that even if everybody started |
| 23 |
changing overnight it probably would still cause problems when the |
| 24 |
attacks start getting practical. |
| 25 |
|
| 26 |
Sure, there are threat models where it doesn't matter, but on the |
| 27 |
SHA-1 front it seems like people have been underestimating their |
| 28 |
exposure. Certainly Gentoo has exposure until git is fixed and the |
| 29 |
active tree has non-SHA-1 hashes. Even then the historical tree is |
| 30 |
vulnerable if we don't rehash everything, though in practice I don't |
| 31 |
think that matters as much, and obviously slipping a non-preimage |
| 32 |
collision into the historical tree is impossible unless it is done |
| 33 |
before the hash functions are changed. |
| 34 |
|
| 35 |
Sure, you can wave your hands about how hard it is to expoit in |
| 36 |
practice, and I agree with many of these arguments. However, SHA-1 |
| 37 |
should be viewed as a vulnerability and fixing it as a priority. For |
| 38 |
Gentoo specifically it isn't really the weakest link in the chain as |
| 39 |
was pointed out in the other thread, so I'm not sure I'd go rushing |
| 40 |
out to fork git. Still, we shouldn't be entirely comfortable with git |
| 41 |
as it stands at the moment. |
| 42 |
|
| 43 |
-- |
| 44 |
Rich |
Archives