[cabfpub] The Shappening: freestart collisions for SHA-1 (was Re: Ballot 152 - Issuance of SHA-1 certificates through 2016)

Erwann Abalea erwann.abalea at opentrust.com
Thu Oct 8 10:30:33 UTC 2015

Was just reading it. The complete (80 rounds) SHA1 compression function is broken.

Some could argue that we still have a small security margin because of the choice of IV, or the difference in work factor between collision and chosen-prefix collision, etc.

It took too many years to get rid of MD5 (at least 7 years after collisions were publicly demonstrated). Let’s do things better with SHA1.

Erwann Abalea

> Le 8 oct. 2015 à 12:16, Rob Stradling <rob.stradling at comodo.com> a écrit :
> Is Ballot 152 dead yet?
> https://sites.google.com/site/itstheshappening/
> "Our recommendations
> We recommend that SHA-1 based signatures should be marked as unsafe much 
> sooner than prescribed by current international policy. Even though 
> freestart collisions do not directly lead to actual collisions for 
> SHA-1, in our case, the experimental data we obtained in the process 
> enable significantly more accurate projections on the real-world cost of 
> actual collisions for SHA-1, compared to previous projections. 
> Concretely, we estimate the SHA-1 collision cost today (i.e., Fall 2015) 
> between 75K$ and 120K$ renting Amazon EC2 cloud computing over a few 
> months. By contrast, security expert Bruce Schneier previously projected 
> the SHA-1 collision cost to be ~173K$ by 2018. Note that he deems this 
> to be within the resources of a criminal syndicate. Large corporations 
> and governments may possess even greater resources and may not require 
> Amazon EC2. Microsoft, Google and Mozilla have all announced that their 
> respective browsers will stop accepting SHA-1 based SSL certificates by 
> 2017 (and that SHA-1-based certificates should not be issued after 
> 2015). In conclusion, our estimates imply SHA-1 collisions to be now 
> (Fall 2015) within the resources of criminal syndicates, two years 
> earlier than previously expected and one year before SHA-1 will be 
> marked as unsafe in modern Internet browsers. This motivates our 
> recommendations for industry standard SHA-1 to be retracted as soon as 
> possible. With our new cost projections in mind, we strongly and 
> urgently recommend against a recent proposal to extend the issuance of 
> SHA-1 certificates with a year in the CAB/forum (discussion closes 
> October 9 2015, vote closes October 16)."
> On 06/10/15 16:23, Dean Coclin wrote:
>> Yes, Ryan is correct. Nonetheless, I am going to add it to the agenda
>> for this week’s meeting.
>> Dean
>> *From:*public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>> *On Behalf Of *Ryan Sleevi
>> *Sent:* Tuesday, October 06, 2015 9:25 AM
>> *To:* Jeremy Rowley
>> *Cc:* Rick Andrews; public at cabforum.org
>> *Subject:* Re: [cabfpub] Ballot 152 - Issuance of SHA-1 certificates
>> through 2016
>> On Mon, Oct 5, 2015 at 10:02 PM, Jeremy Rowley
>> <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com>> wrote:
>> Also  - a point of order on this, but I thought all ballots needed one
>> telephone call or face to face before they could be started?  Did that
>> change?
>> That was never required by the bylaws. While a good idea to gauge as a
>> bellwether for the likeliness of the ballot to succeed, any member may
>> propose a ballot at any time, so long as requisite number of co-sponsors
>> is found, adequate time is given for review and voting, and that review
>> and voting is clearly indicated in the ballot.
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
> -- 
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> Office Tel: +44.(0)1274.730505
> Office Fax: +44.(0)1274.730909
> www.comodo.com
