Jump to content
Not connected, Your IP: 18.188.110.150
AirVPN
rebellatio

Encryption algorithm solved.

By rebellatio, ... in Off-Topic

Recommended Posts

zhang888    1066

zhang888
Posted ...

SHA1 is a hashing and not an encryption algorithm.

The impact of this collision attack is mainly forging file signatures, and it cannot be applied as a network attack to modify or inject traffic into VPN sessions.

HMAC-SHA1 is not vulnerable to this as well.

Wolf666, OmniNegro and go558a83nk reacted to this

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post

Link to post

OmniNegro    155

OmniNegro
Posted ...

As Zhang said, There is no problem. For those who do not already know, HMAC is a hash applied to the SHA1 hash. And it is done for each and every packet. Your system, even on a slow dial up modem uses a packet for every 1500 bytes or so. So in order to defeat HMAC-SHA1 you would have to not only break it in milliseconds, but also defy the laws of physics to get your fake packet there before the real one.

 

And let us see how long it takes a whole array of supercomputers to break SHA1 alone?

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Here is the important part to note.

  • Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
  • 6,500 years of CPU computation to complete the attack first phase
  • 110 years of GPU computation to complete the second phase

That is to do JUST ONE SINGLE hash. Not to break every hash SHA1 can do. That is one. And this absolutely cannot be done before the relevant packet is done and gone forever.

 

You are safe. Relax.

Blade Runner, adfdsfGYYy53 and Ricnvolved1956 reacted to this

Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post

Link to post

greenclaydog    6

greenclaydog
Posted ...

5377a7cdccbdeb10b4687e93223fbacfff8d6ae7

 

To be fair, more security would not hurt anyone (I think?) 

 

Reading up on it, this was Google's push to get websites away from SHA1

 

We probably have no reason for concern but...

 

*tin foil hat on*

What Google can do, the NSA might be able to do better

*tin foil hat off* 

rebellatio reacted to this

Share this post

Link to post

Staff    9972

Staff
Posted ...

Hello,

the following paper is extremely important, because provides mathematical proof that HMAC is a PRF under the sole assumption that the compression function is a PRF. As long as the assumption holds true, as it is until now, after 10 years the paper was written, there is really no reasonable argumentation to grade "security" of HMAC SHA2 over HMAC SHA1. Or even HMAC MD5!

https://cseweb.ucsd.edu/~mihir/papers/hmac-new.pdf

Kind regards

Wolf666, OmniNegro and Blade Runner reacted to this

Share this post

Link to post
Guest
This topic is now closed to further replies.
Go To Topic Listing
×
×
  • Create New...