A SHA-1 freestart collision has occurred



  • Ars article: http://arstechnica.com/security/2015/10/sha1-crypto-algorithm-securing-internet-could-break-by-years-end/

    With the IV 50 6b 01 78 ff 6d 18 90 20 22 91 fd 3a de 38 71 b2 c6 65 ea, this message:

    9d 44 38 28 a5 ea 3d f0 86 ea a0 fa 77 83 a7 36 33 24 48 4d af 70 2a aa a3 da b6 79 d8 a6 9e 2d 54 38 20 ed a7 ff fb 52 d3 ff 49 3f c3 ff 55 1e fb ff d9 7f 55 fe ee f2 08 5a f3 12 08 86 88 a9
    

    has a SHA-1 hash of f0 20 48 6f 07 1b f1 10 53 54 7a 86 f4 a7 15 3b 3c 95 0f 4b.

    With the IV 50 6b 01 78 ff 6d 18 91 a0 22 91 fd 3a de 38 71 b2 c6 65 ea, this message:

    3f 44 38 38 81 ea 3d ec a0 ea a0 ee 51 83 a7 2c 33 24 48 5d ab 70 2a b6 6f da b6 6d d4 a6 9e 2f 94 38 20 fd 13 ff fb 4e ef ff 49 3b 7f ff 55 04 db ff d9 6f 71 fe ee ee e4 5a f3 06 04 86 88 ab
    

    has a SHA-1 hash of f0 20 48 6f 07 1b f1 10 53 54 7a 86 f4 a7 15 3b 3c 95 0f 4b.

    (Note 90 20 vs 91 a0 in the IVs.)


    The researchers estimate that computing a real collision - one without different IVs - would cost between $75,000 and $120,000 on Amazon EC2 over a few months. This is within the resources of organized crime today.


    If you are having trouble recognizing how this is a problem, check your browser's CA store for a subordinate certificate authority from "MD5 Collisions, Inc." issued by Equifax.
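To see for yourself why the two messages above collide, here is an added example (my code, not part of the post or of the researchers' tooling): a plain SHA-1 compression function that takes the chaining value as a parameter, so it can be fed the two non-standard IVs quoted above. The IVs, messages and expected digest are copied from the post; the function and constant names are mine. It also shows why this is a freestart collision and not a SHA-1 collision: run the same two messages from the standard IV and the outputs differ.

```python
"""SHA-1 compression with a caller-supplied IV, to verify the freestart collision quoted above.
Added example, not code from the original post. Values below are copied from the post."""
import hashlib
import struct


def _hexbytes(s: str) -> bytes:
    return bytes.fromhex("".join(s.split()))


# Standard SHA-1 initial chaining value (h0..h4), used only to self-check the implementation.
SHA1_IV = _hexbytes("67452301 efcdab89 98badcfe 10325476 c3d2e1f0")

# The two (IV, message) pairs from the post. Note 90 20 vs 91 a0 in the IVs.
IV1 = _hexbytes("50 6b 01 78 ff 6d 18 90 20 22 91 fd 3a de 38 71 b2 c6 65 ea")
IV2 = _hexbytes("50 6b 01 78 ff 6d 18 91 a0 22 91 fd 3a de 38 71 b2 c6 65 ea")
M1 = _hexbytes(
    "9d 44 38 28 a5 ea 3d f0 86 ea a0 fa 77 83 a7 36 33 24 48 4d af 70 2a aa a3 da b6 79 d8 a6 9e 2d "
    "54 38 20 ed a7 ff fb 52 d3 ff 49 3f c3 ff 55 1e fb ff d9 7f 55 fe ee f2 08 5a f3 12 08 86 88 a9"
)
M2 = _hexbytes(
    "3f 44 38 38 81 ea 3d ec a0 ea a0 ee 51 83 a7 2c 33 24 48 5d ab 70 2a b6 6f da b6 6d d4 a6 9e 2f "
    "94 38 20 fd 13 ff fb 4e ef ff 49 3b 7f ff 55 04 db ff d9 6f 71 fe ee ee e4 5a f3 06 04 86 88 ab"
)
# The common compression-function output stated in the post.
EXPECTED = _hexbytes("f0 20 48 6f 07 1b f1 10 53 54 7a 86 f4 a7 15 3b 3c 95 0f 4b")

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(iv: bytes, block: bytes) -> bytes:
    """One SHA-1 compression: 20-byte chaining value + 64-byte block -> 20-byte output.
    Includes the Davies-Meyer feed-forward, i.e. this is exactly what SHA-1 does per block."""
    if len(iv) != 20 or len(block) != 64:
        raise ValueError("iv must be 20 bytes and block must be 64 bytes")
    h = list(struct.unpack(">5I", iv))
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):  # message schedule
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999      # Ch
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1               # Parity
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC  # Maj
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6               # Parity
        tmp = (_rotl(a, 5) + f + e + k + w[t]) & MASK32
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    # feed-forward: the input chaining value is added back into the state
    out = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *out)


def sha1_one_block(msg: bytes) -> bytes:
    """Real SHA-1 of a message short enough to fit one padded block (<= 55 bytes)."""
    if len(msg) > 55:
        raise ValueError("single-block helper only")
    padded = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
    return sha1_compress(SHA1_IV, padded)


def self_check() -> bool:
    """Our compression function must agree with hashlib on an ordinary message."""
    return sha1_one_block(b"abc") == hashlib.sha1(b"abc").digest()


def freestart_outputs() -> tuple:
    """Compression outputs for the two (IV, message) pairs from the post."""
    return sha1_compress(IV1, M1), sha1_compress(IV2, M2)


def is_freestart_collision() -> bool:
    o1, o2 = freestart_outputs()
    return o1 == o2 == EXPECTED


def standard_iv_collides() -> bool:
    """Same two messages, but starting from SHA-1's fixed IV: this is what a real
    collision would need, and it is exactly what the freestart attack does NOT give you."""
    return sha1_compress(SHA1_IV, M1) == sha1_compress(SHA1_IV, M2)


if __name__ == "__main__":
    print("implementation matches hashlib:", self_check())
    o1, o2 = freestart_outputs()
    print("M1 under IV1 ->", o1.hex())
    print("M2 under IV2 ->", o2.hex())
    print("freestart collision:", is_freestart_collision())
    print("collides from the standard IV:", standard_iv_collides())
```

The point of `standard_iv_collides()` is the one riking's post makes about cost: the differential path is already good enough to carry a difference through all 80 steps, but in SHA-1 the first chaining value is fixed, so an attacker still has to find blocks that collide starting from that IV (or from a shared prefix), and that is the work the researchers priced at $75,000 to $120,000 of EC2 time.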



  • Interesting. I don't understand the attack vector. Does increasing the key size help?



  • No, the attack is this:

    • Create two certificates that hash to the same SHA-1 value, except one is marked as a sub-CA
    • Get the first one signed by a CA
    • Apply the signature you received in the certificate to the second one
    • You are now in control of a valid CA certificate

    The only fix is to ditch SHA1, like we did with MD5 in 2011.

    Also wow this Discourse server is so underpowered, it's so terrible here compared to everywhere else.



  • @Captain said:

    I don't understand the attack vector

    Replacing binaries with malicious binaries without invalidating the digital signature.



  • This post is deleted!


  • @riking said:

    check your browser's CA store

    You mean "hardcoded revocation list" :wink:


  • SockDev

    @riking said:

    Also wow this Discourse server is so underpowered, it's so terrible here compared to everywhere else.

    why do you think http://servercooties.io/#graph is a thing.

    also performance used to be much better. we seem to inexplicably lose performance round about the same time we upgrade our discourse install......



  • @riking said:

    Also wow this Discourse server is so underpowered, it's so terrible here compared to everywhere else.

    It's a forum, it shouldn't need a particularly powerful server with the amount of activity we have here.
    Except, Discourse...



  • I should have known what the spin me baby button would do but I clicked it anyway.

    1. how likely are you to produce a binary with the exact same hash as another binary and then compromise an official mirror long enough to get it on enough computers to collect a significant amount of data to ransom without breaking the bank?
    2. when was the last time you saw a sha-1 hashcode for a binary from an official mirror? I suppose the better question is who actually checks the binaries that they download? I know we do it but there are security reasons for that. Mostly the IT manager. I don't think I've ever done it on any of my personal computers...


  • @DogsB said:

    how likely are you to produce a binary with the exact same hash as another binary and then compromise an official mirror long enough to get it on enough computers to collect a significant amount of data to ransom without breaking the bank?

    You don't need to get it on the mirror - you just need to get control of any device between the browser and the mirror.

    @DogsB said:

    when was the last time you saw a sha-1 hashcode for a binary from an offical mirror?

    Every Windows Update I've seen used SHA1. Being able to add your malware to files that are auto-installed on 90% of the computers on the Internet sounds pretty handy to me.


  • SockDev

    @DogsB said:

    I should have known what the spin me baby button would do but I clicked it anyway.

    i think that button was @onyx's idea.

    might have been @raceprouk's idea.....

    one of them i'm pretty sure.

    did you manage to click the button a second time? because the button's a toggle. :-P



  • @Jaime said:

    Every Windows Update I've seen used SHA1. Being able to add your malware to files that are auto-installed on 90% of the computers on the Internet sounds pretty handy to me.

    Keep in mind, this isn't producing a SHA1 file with a given hash - we can't do that with MD5 either right now - but producing two new files with the same hash.



  • @accalia said:

    did you manage to click the button a second time?

    Hitting Space does that quite easily ;)


  • SockDev

    @loopback0 said:

    @accalia said:
    did you manage to click the button a second time?

    Hitting Space does that quite easily ;)

    CHEATER!

    /me makes a note to automatically move focus when the button is activated to prevent that trick in future.


  • Winner of the 2016 Presidential Election Banned

    Mwaha! I got it.



  • @accalia said:

    /me makes a note to automatically move focus when the button is activated to prevent that trick in future.

    Meh, there are other tricks :imp:


  • SockDev

    @loopback0 said:

    @accalia said:
    /me makes a note to automatically move focus when the button is activated to prevent that trick in future.

    Meh, there are other tricks :imp:

    CHEATER McCHEATERSON!



  • @loopback0 said:

    there are other tricks

    like NOT clicking the damn button?



  • @Luhmann said:

    @loopback0 said:
    there are other tricks

    like NOT clicking the damn button?

    Oh WELL DONE BELCHY. Now @accalia's going to make the button press itself to avoid that.


  • SockDev

    @loopback0 said:

    Now @accalia's going to make the button press itself to avoid that.

    but only when you won't press the button yourself.



  • @accalia said:

    @loopback0 said:
    Now @accalia's going to make the button press itself to avoid that.

    but only when you won't press the button yourself.

    Or the other way around ...

    At random



  • How about you have to press the button to prevent it, and the button dances around on the screen like a 1995 joke application?



  • challenge accepted.

    @Jaime said:

    You don't need to get it on the mirror - you just need to get control of any device between the browser and the mirror.

    @Jaime said:
    Every Windows Update I've seen used SHA1. Being able to add your malware to files that are auto-installed on 90% of the computers on the Internet sounds pretty handy to me.

    A) good luck with that. Probably easier than I think... B) we have yet to produce a binary with the exact same hash.


  • area_deu



  • @riking said:

    Also wow this Discourse server is so underpowered, it's so terrible here compared to everywhere else.

    It's completely overpowered for the level of service we receive.


  • Discourse touched me in a no-no place

    @riking said:

    Also wow this Discourse server is so underpowered, it's so terrible here compared to everywhere else.

    It's a Digital Ocean droplet - the sort of thing that Jeff recommends..


  • SockDev

    we are on the official recommended hardware,

    i think we might be on bigger than that actually.... didn't we upgrade to 4GB when we switched servers?


  • Discourse touched me in a no-no place

    @accalia said:

    i think we might be on bigger than that actually....

    root@what:~# free -m; echo;  df -h; echo; grep proc /proc/cpuinfo 
                 total       used       free     shared    buffers     cached
    Mem:          3953       3844        109       1042          7       1508
    -/+ buffers/cache:       2328       1625
    Swap:         1023        137        886
    
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/vda         59G   37G   20G  67% /
    none            4.0K     0  4.0K   0% /sys/fs/cgroup
    udev            2.0G   12K  2.0G   1% /dev
    tmpfs           396M  320K  396M   1% /run
    none            5.0M     0  5.0M   0% /run/lock
    none            2.0G  712K  2.0G   1% /run/shm
    none            100M     0  100M   0% /run/user
    
    processor	: 0
    processor	: 1
    root@what:~# 
    

  • SockDev

    yep. that's a 4GB instance....

    so either there is something quite wrong with our server that needs professional looking at (doubt it, we had sam in there often enough) or that install guide is out of date

    well i say out of date. @codinghorror last updated those recommendations 16 days ago....

    yeah.


  • Discourse touched me in a no-no place

    For amusement:

    root@what:~# uptime
     07:42:50 up 49 days, 13:43,  1 user,  load average: 3.12, 2.48, 2.19
    

  • SockDev

    well that's our problem then....

    we're CPU bound.

    we have 2 CPUs so our load average can go as high as 2 before we start getting CPU contention.

    if our 15 minute average is over 2, and regularly staying there...

    hmm.... it's almost as if what discourse needs is some serious optimization.....



  • Digital Ocean droplets are quite nice. I mean they're just VPSes with a pretty name but they have some nice management tools. Kinda like EC2 but with a lot less hassle to deploy.


  • Discourse touched me in a no-no place

    @accalia said:

    hmm.... it's almost as if what discourse needs is some serious optimization.....

    It's message board software. It shouldn't be using that much CPU.

    root@what:~# ps aux | sort -nk10 | tail -n15
    pjh       4442 14.6  6.0 1071028 242924 ?      Sl   07:11   5:14 unicorn worker[0] -E production -c config/unicorn.conf.rb                                           
    pjh       4451 14.8  5.9 1072028 242476 ?      Sl   07:11   5:18 unicorn worker[1] -E production -c config/unicorn.conf.rb                                           
    pjh       4459 14.8  6.1 1215388 250364 ?      Sl   07:11   5:19 unicorn worker[2] -E production -c config/unicorn.conf.rb                                           
    pjh       4475 14.6  5.8 1158044 238168 ?      Sl   07:11   5:13 unicorn worker[3] -E production -c config/unicorn.conf.rb                                           
    root      133  0.0  0.0      0     0 ?        S    Aug20   6:04 [jbd2/vda-8]
    root      1021  0.0  0.0  19184   364 ?        Ss   Aug20   7:41 /usr/sbin/irqbalance
    ossec     1030  0.0  0.0  17376   400 ?        S    Aug20   8:43 /var/ossec/bin/ossec-agentd
    root      1044  0.0  0.0   5348     0 ?        S    Aug20  28:58 /var/ossec/bin/ossec-syscheckd
    root       754  0.0  0.1 1154844 7804 ?        Ssl  Aug20  32:50 /usr/bin/docker -d
    root        17  0.1  0.0      0     0 ?        S    Aug20  85:03 [ksoftirqd/1]
    root         3  0.1  0.0      0     0 ?        S    Aug20  86:09 [ksoftirqd/0]
    root         8  0.1  0.0      0     0 ?        S    Aug20 111:11 [rcuos/0]
    root         9  0.1  0.0      0     0 ?        S    Aug20 111:10 [rcuos/1]
    root        35  0.2  0.0      0     0 ?        S    Aug20 176:32 [kswapd0]
    root         7  0.4  0.0      0     0 ?        S    Aug20 328:01 [rcu_sched]
    root@what:~# 
    

  • SockDev

    indeed it should not be using that much CPU.

    :wtf:



  • Jesus, I'm glad to see someone gets it... This is bad, but not catastrophic. See: http://cstheory.stackexchange.com/questions/585/what-is-the-difference-between-a-second-preimage-attack-and-a-collision-attack

    While SHA1 collisions are bad they are nowhere near as bad as (second) preimage attacks, which is what you'd be concerned about. SHA-1 is still secure against these now and should be for the foreseeable future. It's still a good idea to migrate to SHA2 (or, better yet, SHA3 if your libs support it).



  • @accalia said:

    so either there is something quite wrong with our server

    It's running Discourse.



  • Christ. I wonder what wordpress is like.


  • SockDev

    @DogsB said:

    Christ. I wonder what wordpress is like.

    huh...

    "Do what i say not what i do" indeed....

    -_-


  • Discourse touched me in a no-no place

    @accalia said:

    also performance used to be much better. we seem to inexplicably lose performance round about the same time we upgrade our discourse install......

    Yeah "inexplicably" :rolleyes:


  • SockDev

    @DoctorJones said:

    @accalia said:
    also performance used to be much better. we seem to inexplicably lose performance round about the same time we upgrade our discourse install......

    Yeah "inexplicably" :rolleyes:

    was i that unsubtle?


  • Discourse touched me in a no-no place

    @PJH said:

    It's message board software. It shouldn't be using that much CPU.

    Not just that, but it's an SPA. CPU load is being offloaded to the client!

    How the fuck are they managing to hit the server so hard? :wtf:


  • SockDev

    @DoctorJones said:

    How the fuck are they managing to hit the server so hard? :wtf:

    Have you actually LOOKED at the source code for discourse?

    or the database?

    or all the moving pieces that make up that docker image they provide?


  • Discourse touched me in a no-no place

    No, thank you very much. I value my sanity ;-)


  • SockDev

    @DoctorJones said:

    No, thank you very much. I value my sanity ;-)

    pity.... i wanted to share my pain.

    if you look at the source and the DB it will quickly become apparent why there's performance issues.



  • @riking said:

    Keep in mind, this isn't producing a SHA1 file with a given hash - we can't do that with MD5 either right now - but producing two new files with the same hash.

    Yes, MD5 is still technically safe for some purposes, but the general philosophy in cryptography is "never risk it". We have so many encryption and hashing algorithms that it's better to throw them away at the first sign of problems.


  • area_deu

    @anonymous234 said:

    Yes, MD5 is still technically safe for some purposes, but the general philosophy in cryptography is "never risk it". We have so many encryption and hashing algorithms that it's better to throw them away at the first sign of problems.

    Not to forget, who knows how far competing secretly-operating teams are ...



  • I think it's mostly database.



  • Yes, do not create new systems using broken primitives, but existing systems have time to be upgraded (no need to run around with your hair on :fire:).



  • @accalia said:

    Have you actually LOOKED at the source code for discourse?

    I tried once, but instead of a github URL they gave me a special VM configured to open a browser pointing at the github URL.

    They said it's much easier this way because I don't have to do it myself.



  • But what if it is?

