We have computed the very first chosen-prefix collision for SHA-1. To put it in another way: all attacks that are practical on MD5 are now also practical on SHA-1.

We have reduced the cost of a collision attack from 2^64.7 to 2^61.2, and the cost of a chosen-prefix collision attack from 2^67.1 to 2^63.4.

Demo: The legacy branch of GnuPG (version 1.4) is vulnerable. We have created two PGP keys with different UserIDs and colliding certificates.

sha-mbles.github.io/

@niconiconi
I'm confused. It says this is the first ever chosen prefix collision attack, but also that the performance improvement is only a factor of 10; that is a big improvement, but not big enough to consider something to be in shambles when it wasn't before. Or am I just unaware that SHA-1 is already considered rather insecure?

@philipwhite
You're unaware. SHA-1 has been considered "not safe future use" for some time now.
@niconiconi
@ScriptFanix @philipwhite SHA-1 has been considered academically problematic since 2005 (security claim reduced from 2^80 to 2^69), with better and better attacks coming out every year. schneier.com/blog/archives/200

In the ideal world, SHA-1 should've been long retired. Bruce Schneier has been arguing for its retirement since 2004... schneier.com/essays/archives/2

@niconiconi @ScriptFanix @philipwhite "should have been retired long ago". A lot of times the weaker algorithms are simply being used to detect transfer errors or benign accidental changes instead of malicious intent. Heck, it took me a decade to get the company I work at to move away from identifying file revisions by timestamps.

Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms.