Google announces the first SHA-1 collision (no don't panic just yet)

[LucidMew]

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

 

with, *ahem*

Quote

• Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
• 6,500 years of CPU computation to complete the attack first phase
• 110 years of GPU computation to complete the second phase

I don't know how long that would take on an enthusiast computer (with 6950X + SLI TitanXP), but that's a long time.

 

Google has managed to create two PDFs that SHA1 to the same hash

 

 

by messing with the way the PDF was generated. (image from Google)

 

 

 

Even though SHA1 was deprecated back in 2011, people still use it (kinda like XP), and theoretical attacks have been known since 2005, it's still used today (in things from Databases to Git to security certificates).

 

from https://shattered.io/ and the same thing again at https://shattered.it/ (both owned by Google) 

Quote

Starting from version 56, released in January 2017, Chrome will consider any website protected with a SHA-1 certificate as insecure. Firefox has this feature planned for early 2017.

 

if you want to run the program that Google used, to create your own SHAttered PDF, then you're going to have to wait a bit.

Quote

Following Google’s vulnerability disclosure policy, we will wait 90 days before releasing code that allows anyone to create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions.

 

though if you were thinking of trying to use it in the real world, then you're SOL

Quote

In order to prevent this attack from active use, we’ve added protections for Gmail and GSuite users that detects our PDF collision technique. Furthermore, we are providing a free detection system to the public.

 

[vorticalbox]

7 minutes ago, LucidMew said:

I don't know how long that would take on an enthusiast computer (with 6950X + SLI TitanXP), but that's a long time

I would take the number of years it stated. If you have a GPU time of 10 years. on one GPU if would take 10 years, with two GPUs it would take 5 years. Sure these attacks take a long time but it could be worth the cost of computing power in the long run.

[Jinchu]

While the impact of this on the real life might be minimal, this has academic value. This type of attack has been theorized for 10 years. Now someone has done it. 

 

10 hours ago, vorticalbox said:

Sure these attacks take a long time but it could be worth the cost of computing power in the long run.

I understood the GPU time the same way. It is noteworthy that one determined to do this kind of attack would be better of renting computation time from cloud than buying a ton of GPU:s. It is cheaper and you can rent a ton of power for short amount of time. 

[vorticalbox]

2 minutes ago, Jinchu said:

I understood the GPU time the same way. It is noteworthy that one determined to do this kind of attack would be better of renting computation time from cloud than buying a ton of GPU:s. It is cheaper and you can rent a ton of power for short amount of time. 

To put things into perspective, let the Bitcoin network hashrate (double SHA256 per second) = B and the number of SHA1 hashes calculated in shattered = G.

B = 3,116,899,000,000,000,000

G = 9,223,372,036,854,775,808

Every three seconds the Bitcoin mining network brute-forces the same amount of hashes as Google did to perform this attack.

[Jinchu]

1 minute ago, Jinchu said:

-- snip

Apparently amazon offers discounts, when you use the computation there are available computation cycles.  source: https://aws.amazon.com/ec2/spot/pricing/

[Sniperfox47]

1 hour ago, Jinchu said:

Apparently amazon offers discounts, when you use the computation there are available computation cycles.  source: https://aws.amazon.com/ec2/spot/pricing/

Which would result in a total cost of ~$100,000 using p2.8xlarge instances at the current pricing. So totally doable.

[Mooshi]

The nerdiness is overwhelming. 

[dfsdfgfkjsefoiqzemnd]

When supplying checksums I always supply SHA-1 and SHA-256, good luck making both match simultaneously. 

[BuckGup]

10 hours ago, vorticalbox said:

To put things into perspective, let the Bitcoin network hashrate (double SHA256 per second) = B and the number of SHA1 hashes calculated in shattered = G.

B = 3,116,899,000,000,000,000

G = 9,223,372,036,854,775,808

Every three seconds the Bitcoin mining network brute-forces the same amount of hashes as Google did to perform this attack.

That's actually insane. Wait since we still don't know the creator maybe it was made to brute for encryptions like this.

[Sephiroth]

Care to explain this like I'm 5?

[ionbasa]

2 hours ago, Sephiroth said:

Care to explain this like I'm 5?

A hash is analogous to a fingerprint. Each unique file has a different fingerprint. Its how we verify a file hasn't been tampered with, modified, or damaged.

Google made two different files have the same fingerprint. 

[LucidMew]

2 hours ago, Sephiroth said:

Care to explain this like I'm 5?

A hash is a way to map a file to a (big) number. This really big file that we already sent over is really big and I don't want to repeat myself (for various reasons), so here is a (unique) representation of the file, in much much shorter length. It's done for many various reasons, but one of them is for file integrity. How do we know that the file you download didn't get corrupted on its way from the server's HDD through the internet and to your HDD, because the sun's rays hit it and flipped a 0 to a 1. Well, a hash would detect it and say "heeyyy wait a second, this file's number is 8c0ea43..... when it's supposed to be ab3ae95.... way different"

A simple hash can be as simple as "take each 64 bit block in the and sum it up, if we get an overflow, just ignore it" and at the end you get a number, that number is the "hash" of the file. And if a bit was flipped somewhere, that would change the sum, which would clue us in to that something doesn't match up.

 

Now take that, and scale it wayyy up in terms of technowords and cryptography and a bunch of smart people have said "this is secure" and then a bunch of smarter people still said "uhhh no it's not, here's a way to theoretically make two different files have the same number" and then a bunch of even smarter people said "look at these two different files that have the same hash"

 

There's always someone smarter than you, which is why you don't roll your own crypto *cough* ^telegram *cough* but that's a topic for another day.

[TopWargamer]

[RagnarokDel]

19 hours ago, vorticalbox said:

I would take the number of years it stated. If you have a GPU time of 10 years. on one GPU if would take 10 years, with two GPUs it would take 5 years. Sure these attacks take a long time but it could be worth the cost of computing power in the long run.

From what I understand, that's just a probability. It could be way faster.  You could get lucky and get it in 5 minutes.

[vorticalbox]

19 minutes ago, RagnarokDel said:

From what I understand, that's just a probability. It could be way faster.  You could get lucky and get it in 5 minutes.

yes that is always a chance, I always go with worse case.

[potoooooooo]

4 hours ago, LucidMew said:

A hash is a way to map a file to a (big) number. This really big file that we already sent over is really big and I don't want to repeat myself (for various reasons), so here is a (unique) representation of the file, in much much shorter length. It's done for many various reasons, but one of them is for file integrity. How do we know that the file you download didn't get corrupted on its way from the server's HDD through the internet and to your HDD, because the sun's rays hit it and flipped a 0 to a 1. Well, a hash would detect it and say "heeyyy wait a second, this file's number is 8c0ea43..... when it's supposed to be ab3ae95.... way different"

A simple hash can be as simple as "take each 64 bit block in the and sum it up, if we get an overflow, just ignore it" and at the end you get a number, that number is the "hash" of the file. And if a bit was flipped somewhere, that would change the sum, which would clue us in to that something doesn't match up.

 

Now take that, and scale it wayyy up in terms of technowords and cryptography and a bunch of smart people have said "this is secure" and then a bunch of smarter people still said "uhhh no it's not, here's a way to theoretically make two different files have the same number" and then a bunch of even smarter people said "look at these two different files that have the same hash"

 

There's always someone smarter than you, which is why you don't roll your own crypto *cough* ^telegram *cough* but that's a topic for another day.

How many five year olds do you know that would understand that explanation?

[ionbasa]

On ‎2‎/‎24‎/‎2017 at 3:44 AM, potoooooooo said:

How many five year olds do you know that would understand that explanation?

There's always my explanation right above his.