Imminent Collisions for SHA-1? at Robert Pogson

A discussion has broken out about when the defeat of SHA-1 hashing will happen. That’s “when”, not “if”, because it’s just a matter of time and the growth of computing resources or the decline in the price of computing resources that matter. The method of attack is already known. If a better attack develops the defeat could come in just a few years bringing unprecedented chaos to IT. Rather than having to buy computing resources, the bad guys can just rent a botnet and have a million PCs doing what they want at any time. That means the bad guys will win if we do nothing.

Should we hedge our bets and use a variety of hashes so that whichever one is defeated first can just be dropped with minimal problems? Should we require simultaneous checks with multiple hashes? That would seem to make finding a collision more difficult. The first crack of SHA-1 is extremely unlikely to simultaneously collide with MD-5.

“A collision attack is therefore well within the range of what an organized crime syndicate can practically budget by 2018, and a university research project by 2021.”

see Schneier on Security: When Will We See Collisions for SHA-1?.

My Mission

My observations and opinions about IT are based on 40 years of use in science and technology and lately, in education. I like IT that is fast, cost-effective and reliable. I do not care whether my solution is the same as yours. I like to think for myself.

My first use of GNU/Linux in 2001 was so remarkably better than what I had been using, I feel it is important work to share GNU/Linux with the world. I have been blessed by working in schools where students and school systems have benefited by good, modular software easily installed in most systems.

I have shown GNU/Linux to thousands of students and hundreds of teachers over the years and will continue in some way doing that until I die in spite of the opposition.