[cabfpub] Posted on behalf of customer
gerv at mozilla.org
Fri Dec 16 14:22:16 UTC 2016
On 13/12/16 21:40, Ryan Sleevi via Public wrote:
> I understand the desire to remove SHA-1 before it has actually shown
> true weakness.
"The cost of the attack will be approximately:
2^13 * 28.4 = 221.4 ~ $2.77M in 2012
2^11 * 28.4 = 219.4 ~ $700K by 2015
2^9 * 28.4 = 217.4 ~ $173K by 2018
2^7 * 28.4 = 215.4 ~ $43K by 2021
A collision attack is therefore well within the range of what an
organized crime syndicate can practically budget by 2018, and a
university research project by 2021.
Since this argument only takes into account commodity hardware and not
instruction set improvements (e.g., ARM 8 specifies a SHA-1
instruction), other commodity computing devices with even greater
processing power (e.g., GPUs), and custom hardware, the need to
transition from SHA-1 for collision resistance functions is probably
more urgent than this back-of-the-envelope analysis suggests."
If I were going to calculate a SHA-1 collision, the certificate of a
machine handling tens or hundreds of thousands of credit cards a day
would be a reasonably obvious target, ISTM.
More information about the Public