nanog mailing list archives
Re: SHA1 collisions proven possisble
From: Tei <oscar.vives () gmail com>
Date: Fri, 24 Feb 2017 13:16:38 +0100
On 23 February 2017 at 20:59, Ca By <cb.list6 () gmail com> wrote:
> On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder <shortdudey123 () gmail com> wrote:
>> Coworker passed this on to me.
>> Looks like SHA1 hash collisions are now achievable in a reasonable time period
>> https://shattered.io/
>> -Grant
>
> Good thing we "secure" our routing protocols with MD5 :)

One place that uses sha1 seems to be some banking gateways. They sign the parameters of some request to authenticate the request as a valid one, doing something like "sha1( MerchantID . secureCode . TerminalID . amount . exponent . moneyCode )". I have no idea how evil people would exploit collisions here, but I guess banking will move to the next hash algorithm (sha256?) and deprecate this one.

This may affect more "Mom and Pa Online Shop" than bigger services.

--
--
ℱin del ℳensaje.
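
An added illustration, not part of the original post and not any gateway's real code: a merchant-side verifier that computes the request signature the way the post describes it, next to an HMAC-SHA256 replacement that a migration might use, with the SHA-1 form accepted only while an explicit legacy switch is on. Treating secureCode as the shared secret, the length-prefixed field encoding, the function names and the sample values are all assumptions.

```python
import hashlib
import hmac

# Signed fields in the order quoted in the post (secureCode handled separately).
FIELDS = ("MerchantID", "TerminalID", "amount", "exponent", "moneyCode")

def legacy_sha1_signature(params, secure_code):
    """Scheme as described in the post: SHA-1 over the plain concatenation."""
    data = (params["MerchantID"] + secure_code + params["TerminalID"]
            + params["amount"] + params["exponent"] + params["moneyCode"])
    return hashlib.sha1(data.encode("utf-8")).hexdigest()

def canonical_message(params):
    """Assumed hardening: length-prefix each field so boundaries are unambiguous."""
    out = bytearray()
    for name in FIELDS:
        value = params[name].encode("utf-8")
        out += len(value).to_bytes(4, "big") + value
    return bytes(out)

def hmac_sha256_signature(params, secure_code):
    """Keyed MAC with secureCode as the key instead of hashing it inline."""
    key = secure_code.encode("utf-8")
    return hmac.new(key, canonical_message(params), hashlib.sha256).hexdigest()

def verify(params, secure_code, received, allow_legacy=False):
    """Return the name of the scheme that validated the request, or None."""
    got = received.strip().lower().encode("utf-8")
    expected = hmac_sha256_signature(params, secure_code).encode("ascii")
    if hmac.compare_digest(expected, got):          # constant-time comparison
        return "hmac-sha256"
    if allow_legacy:                                # migration window only
        old = legacy_sha1_signature(params, secure_code).encode("ascii")
        if hmac.compare_digest(old, got):
            return "sha1-legacy"
    return None

# Constructed sample request and secret, for illustration only.
SAMPLE = {"MerchantID": "999008881", "TerminalID": "001",
          "amount": "1250", "exponent": "2", "moneyCode": "978"}
SECRET = "constructed-secret-not-real"

if __name__ == "__main__":
    old_sig = legacy_sha1_signature(SAMPLE, SECRET)
    new_sig = hmac_sha256_signature(SAMPLE, SECRET)
    print("legacy accepted by default:", verify(SAMPLE, SECRET, old_sig))
    print("legacy during migration:   ", verify(SAMPLE, SECRET, old_sig, True))
    print("hmac-sha256:               ", verify(SAMPLE, SECRET, new_sig))
```

Logging which scheme validated each request gives the gateway operator a count of merchants still sending SHA-1 signatures before the legacy switch is turned off.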