Three years ago, Ars declared the SHA1 cryptographic hash algorithm officially dead after researchers performed the world's first known instance of a fatal exploit known as a “collision” on it. On Tuesday, the dead SHA1 horse got clobbered again as a different team of researchers unveiled a new attack that's significantly more powerful.

The new collision gives attackers more options and flexibility than were available with the previous technique. It makes it practical to create PGP encryption keys that, when digitally signed using the SHA1 algorithm, impersonate a chosen target. More generally, it produces the same hash for two or more attacker-chosen inputs by appending data to each of them. The attack unveiled on Tuesday also costs as little as $45,000 to carry out. The attack disclosed in 2017, by contrast, didn't allow forgeries on specific predetermined document prefixes and was evaluated to cost from $110,000 to $560,000 on Amazon's Web Services platform, depending on how quickly adversaries wanted to carry it out.

The new attack is significant. While SHA1 has been slowly phased out over the past five years, it remains far from being fully deprecated. It's still the default hash function for certifying PGP keys in the legacy 1.4…
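Because the risk described above attaches to PGP key certifications hashed with SHA1, a defender can audit a keyring for them. The following is an added example, not code from the article or from any PGP project: it walks the packets of a binary (non-armored) OpenPGP export as laid out in RFC 4880 and reports certification signatures whose digest algorithm is SHA1. The function names and the sample bytes are constructed for illustration.

```python
SIGNATURE_TAG = 2                              # RFC 4880 packet tag for signatures
SHA1 = 2                                       # RFC 4880 hash algorithm ID
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}  # signature types that certify a user ID
OFFSETS = {3: (2, 16), 4: (1, 3)}              # sig version -> (type offset, hash offset)

def iter_packets(data):
    """Yield (tag, body) per packet of a binary OpenPGP stream; raises on malformed input."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        i += 1
        if first & 0x40:                       # new-format header
            tag, o1 = first & 0x3F, data[i]
            if o1 < 192:                       # one-octet length
                length, i = o1, i + 1
            elif o1 < 224:                     # two-octet length
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:                    # five-octet length
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled here")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def sha1_certifications(data):
    """Return (packet index, signature type) for each SHA1-hashed certification."""
    hits = []
    for n, (tag, body) in enumerate(iter_packets(data)):
        if tag != SIGNATURE_TAG or not body or body[0] not in OFFSETS:
            continue
        t_off, h_off = OFFSETS[body[0]]
        if len(body) > h_off and body[h_off] == SHA1 and body[t_off] in CERTIFICATION_TYPES:
            hits.append((n, body[t_off]))
    return hits

# Constructed sample: two v4 signature packets cut down to their header fields.
SAMPLE = (bytes([0xC2, 4, 4, 0x13, 1, 2])      # new-format header, SHA1 certification
          + bytes([0x88, 4, 4, 0x13, 1, 8]))   # old-format header, SHA256 certification
```

On a real keyring, pass the bytes of a binary export (for example the output of `gpg --export`) to `sha1_certifications`.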
“PGP keys, software security, and much more threatened by new SHA1 exploit”: 287 words, posted on arstechnica.com on January 7, 2020.