We have computed the very first chosen-prefix collision for SHA-1. To put it another way: all attacks that are practical on MD5 are now also practical on SHA-1.
We have reduced the cost of a collision attack from 2^64.7 to 2^61.2, and the cost of a chosen-prefix collision attack from 2^67.1 to 2^63.4.
Demo: The legacy branch of GnuPG (version 1.4) is vulnerable. We have created two PGP keys with different UserIDs and colliding certificates.
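As an added illustration (not from the thread and not the paper's code), here is a toy 24-bit Merkle-Damgård hash on which a chosen-prefix collision falls out of a birthday search in a fraction of a second. The two prefixes stand in for the two different UserIDs, and the shared suffix shows why a single signature over the colliding certificate body covers both; on real SHA-1 the same step is the 2^63.4 computation announced above. The hash construction, prefixes and suffix are all constructed for this example.

```python
import hashlib

STATE_BYTES = 3   # toy 24-bit chaining state; SHA-1 has 160 bits, hence the 2^63.4 cost
BLOCK_BYTES = 8
IV = b"\x00" * STATE_BYTES

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-1 of state||block, truncated to the toy state size."""
    return hashlib.sha1(state + block).digest()[:STATE_BYTES]

def toy_hash(msg: bytes) -> bytes:
    """Merkle-Damgard iteration over fixed-size blocks, then a final length block."""
    state = IV
    for i in range(0, len(msg), BLOCK_BYTES):
        state = compress(state, msg[i:i + BLOCK_BYTES].ljust(BLOCK_BYTES, b"\x00"))
    return compress(state, len(msg).to_bytes(BLOCK_BYTES, "big"))

def chosen_prefix_collision(p1: bytes, p2: bytes) -> tuple[bytes, bytes]:
    """Given two different one-block prefixes, find blocks c1, c2 so that the chaining
    state after p1||c1 equals the state after p2||c2 (birthday search on the toy state)."""
    assert len(p1) == len(p2) == BLOCK_BYTES
    s1, s2 = compress(IV, p1), compress(IV, p2)
    from_p1 = {}  # chaining state -> block that reached it from the p1 side
    from_p2 = {}  # same for the p2 side
    for n in range(1 << 20):  # far more than the ~2^12 tries a 24-bit birthday needs
        c = n.to_bytes(BLOCK_BYTES, "big")
        t1, t2 = compress(s1, c), compress(s2, c)
        from_p1.setdefault(t1, c)
        from_p2.setdefault(t2, c)
        if t1 in from_p2:
            return from_p1[t1], from_p2[t1]
        if t2 in from_p1:
            return from_p1[t2], from_p2[t2]
    raise RuntimeError("no collision found")

# Constructed sample: two different "UserID" prefixes standing in for the two certificates.
P1 = b"uid=alic"
P2 = b"uid=bob\x00"
SUFFIX = b"common certificate body, signed once, accepted for both"

def demo() -> tuple[bytes, bytes, bytes, bytes]:
    """Return (msg1, msg2, h1, h2): two different messages with an identical toy hash."""
    c1, c2 = chosen_prefix_collision(P1, P2)
    m1, m2 = P1 + c1 + SUFFIX, P2 + c2 + SUFFIX
    return m1, m2, toy_hash(m1), toy_hash(m2)

if __name__ == "__main__":
    m1, m2, h1, h2 = demo()
    print(m1 != m2, h1 == h2)  # True True
```

Once the chaining states agree, every block appended after the collision blocks is processed identically on both sides, so the forged pair keeps colliding no matter what common suffix follows.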
@niconiconi
I'm confused. It says this is the first ever chosen-prefix collision attack, but also that the performance improvement is only a factor of 10; that is a big improvement, but not big enough to consider something to be in shambles when it wasn't before. Or am I just unaware that SHA-1 is already considered rather insecure?
@philipwhite
You're unaware. SHA-1 has been considered "not safe for future use" for some time now.
@niconiconi
@niconiconi @ScriptFanix @philipwhite "should have been retired long ago". A lot of times the weaker algorithms are simply being used to detect transfer errors or benign accidental changes instead of malicious intent. Heck, it took me a decade to get the company I work at to move away from identifying file revisions by timestamps.