1 |
On Mon, Feb 27, 2017 at 9:46 AM, Andrew Savchenko <bircoph@g.o> wrote: |
2 |
> |
3 |
> So danger of SHA1 collision is much closer than |
4 |
> 9,223,372,036,854,775,808 SHA1 computations or 1 110-GPU year. |
5 |
|
6 |
Indeed in every way it is closer than that than when Google started |
7 |
their project, and tomorrow it will be closer still. |
8 |
|
9 |
The subject line shouldn't really be "SHA-1 has just been broken" but |
10 |
"Another recent confirmation of SHA-1 being broken." We've known it |
11 |
has been broken for quite a while. |
12 |
|
13 |
In the same way, DES wasn't broken when the EFF built their ASIC-based |
14 |
machine. That was just the final nail in the coffin. Anybody who |
15 |
waited for somebody to actually build that machine (and I'd be shocked |
16 |
if bigger players than the EFF didn't have such a machine much sooner) |
17 |
was deluded. |
18 |
|
19 |
When somebody discovers an attack on a hash function that greatly |
20 |
reduces the cost to generate collisions into a number that is even |
21 |
remotely forseeable in the next decade, it is time to stop using that |
22 |
hash function. Sheer inertia ensures that even if everybody started |
23 |
changing overnight it probably would still cause problems when the |
24 |
attacks start getting practical. |
25 |
|
26 |
Sure, there are threat models where it doesn't matter, but on the |
27 |
SHA-1 front it seems like people have been underestimating their |
28 |
exposure. Certainly Gentoo has exposure until git is fixed and the |
29 |
active tree has non-SHA-1 hashes. Even then the historical tree is |
30 |
vulnerable if we don't rehash everything, though in practice I don't |
31 |
think that matters as much, and obviously slipping a non-preimage |
32 |
collision into the historical tree is impossible unless it is done |
33 |
before the hash functions are changed. |
34 |
|
35 |
Sure, you can wave your hands about how hard it is to expoit in |
36 |
practice, and I agree with many of these arguments. However, SHA-1 |
37 |
should be viewed as a vulnerability and fixing it as a priority. For |
38 |
Gentoo specifically it isn't really the weakest link in the chain as |
39 |
was pointed out in the other thread, so I'm not sure I'd go rushing |
40 |
out to fork git. Still, we shouldn't be entirely comfortable with git |
41 |
as it stands at the moment. |
42 |
|
43 |
-- |
44 |
Rich |