SHAttered — SHA-1 is broken in

A team from Google and CWI Amsterdam just announced it: they produced the first SHA-1 hash collision. The attack required over 9,223,372,036,854,775,808 SHA-1 computations, the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations. While this may seem overwhelming, this is a practical attack if you are, lets say, a state-sponsored attacker. Or if you control a large enough botnet. Or if you are just able to spend some serious money on cloud computing. It’s doable. Make no mistake, this is not a brute-force attack, that would take around 12,000,000 single-GPU years to complete.

SHA-1 is a 160bit standard cryptographic hash function that is used for digital signatures and file integrity verification in a wide range of applications, such as digital certificates, PGP/GPG signatures, software updates, backup systems and so forth. It was, a long time ago, proposed as a safe alternative to MD5, known to be faulty since 1996. In 2004 it was shown that MD5 is not collision-resistant and not suitable for applications like SSL certificates or digital signatures. In 2008, a team of researchers demonstrated how to break SSL based on MD5, using 200 Playstations 3.

Early since 2005 theoretical attacks against SHA-1 were known. In 2015 an attack on full SHA-1 was demonstrated (baptized the SHAppening). While this did not directly translate into a collision on the full SHA-1 hash function due to some technical aspects, it undermined the security claims for SHA-1. With this new attack, dubbed SHAttered, the team demonstrated a practical attack on the SHA-1 algorithm, producing two different PDF files with the same checksum.

The full working code will be released in three months, following Google’s vulnerability disclosure policy, and it will allow anyone to create a pair of PDFs that hash to the same SHA-1 sum given two distinct images and some, not yet specified, pre-conditions.

For now, recommendations are to start using SHA-256 or SHA-3 on your software. Chrome browser already warns if a website has SHA-1 certificate, Firefox and the rest of the browsers will surely follow. Meanwhile, as always, tougher times are ahead for legacy systems and IoT like devices.

25C3: Hackers completely break SSL using 200 PS3s

A team of security researchers and academics has broken a core piece of internet technology. They made their work public at the 25th Chaos Communication Congress in Berlin today. The team was able to create a rogue certificate authority and use it to issue valid SSL certificates for any site they want. The user would have no indication that their HTTPS connection was being monitored/modified.

Continue reading “25C3: Hackers completely break SSL using 200 PS3s”

Recent news followup

Last week we talked about a single rumored arrest over the OiNK torrent tracker. Since then, there’s been a confirmed report of 6 arrests. The arrests appear to be the result of users uploading pre-release music to the now defunct site. For some time, police have had access to the OiNK user records minus the passwords which are thought to be stored as a salted MD5 hash. It seems British authorities can force these individuals to reveal passwords under something called the Regulation of Investigatory Powers Act.

The Phoenix Mars Lander (pictured above) has found what might be a large piece of ice directly underneath it. This week the lander will scoop up a sample, melt its contents and test the various gases it releases. Twitter users can watch the mission’s progress in semi real time by following the MarsPhonix account. Lastly it looks like the official website for this mission was defaced through a SQL injection attack.

We already reported the world’s largest GPS drawing as a hoax. It has however inspired a few to look closer at the concept of position based art and others have already created authentic works. Our friends over at BoingBoing even made a little flash application to create your own “Unimpressive GPS Art“. Upon hearing of the hoax we were quick to draw up a brand new proposal for DHL using Google maps.