W3C home > Mailing lists > Public > public-webpayments@w3.org > March 2013

Re: Some possible attacks on SHA1

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sun, 31 Mar 2013 17:32:33 +0200
Message-ID: <CAKaEYhKSwjavpsHwVTt2hRBSMDd7QNQ2dzTX164zj0oUhQc+JQ@mail.gmail.com>
To: David Wood <david@3roundstones.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, Web Payments <public-webpayments@w3.org>
On 31 March 2013 17:11, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

>
>
>
> On 7 October 2012 05:14, David Wood <david@3roundstones.com> wrote:
>
>> Wikipedia has a decent description of the status and issues with SHA-1:
>>   https://en.wikipedia.org/wiki/SHA-1
>>
>
> FTA
>
> [[
> As of 2012, the most efficient attack against SHA-1 is considered to be
> the one by Marc Stevens with an estimated cost of $2.77M to break a single
> hash value by renting CPU power from cloud servers.[29]<https://en.wikipedia.org/wiki/SHA-1#cite_note-29>Stevens developed this attack in a project called HashClash,
> [30] <https://en.wikipedia.org/wiki/SHA-1#cite_note-30> implementing a
> differential path attack. On 8 November 2010, he claimed he had a fully
> working near-collision attack against full SHA-1 working with an estimated
> complexity equivalent to 257.5 SHA-1 compressions. He estimates this
> attack can be extended to a full collision with a complexity around 261.
> ]]
>
> It's interesting to note that bitcoin was based on the HashCash proof of
> work system.
>
> With the advent of afordable ASICs capable of 60 trillion hashes per
> second ,and bitcoin mining pools that number in the 10s of thousands, I'm
> unsure that SHA1 will last too long.
>

Perhaps also worth noting is that git uses SHA-1

Adding a nonce in a comment could produce an attack surface on modified
source code.


>
>
>>
>> Regards,
>> Dave
>>
>>
>>
>>
>> On Oct 6, 2012, at 23:10, Manu Sporny <msporny@digitalbazaar.com> wrote:
>>
>> On 10/05/2012 04:35 PM, Melvin Carvalho wrote:
>>
>> This article shows that attacks could be feasible by 2018
>> http://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
>>
>>
>> Thanks for the heads-up Melvin. We examined the attack, and while we
>> don't agree with Schneier's assertion about the financial cost of using
>> an AWS-like system to mount an attack on SHA-1, we do agree that the
>> possibility exists within the next decade.
>>
>> This affects the PaySwarm specs, specifically the digital signature
>> algorithm for signed JSON-LD messages. We explored the idea that we
>> could greatly reduce the SHA-1 attack by injecting the length of the
>> message in the generation of the digital signature, but instead chose to
>> upgrade the spec requirements to SHA-256.
>>
>> SHA-256 has no known theoretical attack at present, nor is a brute-force
>> attack on the algorithm known to exist that can be accomplished in the
>> near term (less than 10 years into the future). As with all things
>> crypto-related, this may change tomorrow, but SHA-256 seems to be the
>> right solution today. SHA-3 is too new, but I expect that we will
>> eventually end up using it.
>>
>> Dave Longley has already committed the changes to the production
>> PaySwarm code. We'll push the changes to the dev.payswarm.com site soon.
>> The PHP WordPress PaySwarm client was updated today:
>>
>>
>> https://github.com/digitalbazaar/payswarm-wordpress/commit/0e0be20f20508998d04c95dc4a3009cd2e176a01
>>
>> as well as the JavaScript PaySwarm client:
>>
>>
>> https://github.com/digitalbazaar/payswarm.js/commit/b8f2ce880c8858b27fad3d572350a22243d85aa3
>>
>> -- manu
>>
>> --
>> Manu Sporny (skype: msporny, twitter: manusporny)
>> President/CEO - Digital Bazaar, Inc.
>> blog: The Problem with RDF and Nuclear Power
>> http://manu.sporny.org/2012/nuclear-rdf/
>>
>>
>>
>
Received on Sunday, 31 March 2013 15:33:03 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:22 UTC