back to article Crypto cadre cloud-cracks SHA-1 with just $75k of compute cost

A crypto cadre has busted the SHA-1 security standard after using $US75,000 of cloud computing resources, handily undercutting conservative crypto cracking estimates and putting such an attack within reach of well-resourced groups. The work brings forward the beginnings of the death knell for the widely-used hash function by …

  1. Big-nosed Pengie
    Headmaster

    "Compute" is a verb

    You're welcome.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Compute" is a verb

      Not if yore only semiliterate.

    2. Ken Hagan Gold badge

      Re: "Compute" is a verb

      ...but in English, all verbs can be nouned.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Compute" is a verb

        "...but in English, all verbs can be nouned."

        to go?

        to be?

        (I think "being" would really be stretching a point there.)

        1. Trevor_Pott Gold badge

          Re: "Compute" is a verb

          Go is a noun. I've heard it used as a replacement for "awesome". I.E. "That is very go." Typically used in the context of fast cars by the sorts of people who drive souped up Mazdas and drag race on city streets late at night. Increasingly common usage in Western Canada.

          "Go" has indeed been nouned.

          1. Michael Wojcik Silver badge

            Re: "Compute" is a verb

            Go is a noun. I've heard it used as a replacement for "awesome". I.E. "That is very go."

            I'm afraid that in that context it's being used as an adjective, not as a noun.

            I dare say that a sufficiently diligent search could turn up cases of it being used as an adverb, too, probably to modify an adjective in some creative context.

            It's probably reasonably safe to say that it's never used as a preposition. Maybe that will make the prescriptivists happy.

            (Of course I jest. Nothing makes prescriptivists happy, except complaining about other peoples' usage, which they generally - and incorrectly, by their own standards - refer to as "grammar".)

        2. Michael Wojcik Silver badge

          Re: "Compute" is a verb

          "...but in English, all verbs can be nouned."

          to go?

          "Thunderbirds are go!"

          "Have a go at it."

          The use of "go" as a noun is well established. Thanks for playing.

  2. Anonymous Coward
    Anonymous Coward

    The SHA* crap are the NSA pushed hash functions. The ciphers the NSA wish you to use to the exclusion of all others are a subset of Rijndael which they dubbed "AES"

    It would take more time to crack MD5 using current technology than the age of the universe, more memory than the number of atoms in the universe and enough energy to ionize the universe. Oops our bad. "Crypto is hard." It would take more time to crack SHA...

    "The researchers call on the tech industry to reject a proposal to extend the issuance of SHA-1 certificates by a year due to alleged difficulties in switch over to SHA-3."

    Quite.

    And meanwhile, NSA "NIST (honest!)" continues to pretend Whirlpool doesn't exist.

    Heck, Tiger pisses all over SHA FFS.

    Nothing has changed in twenty years.

    1. richardcox13
      FAIL

      > It would take more time to crack MD5 using current technology than[…]

      No, it is done, and has been done, repeatedly. Creating a second document with the same MD5 hash requires small resources. This is old news.

      Hence dropping support for MD5 in certificates across all crypto libraries.

      I suggest you update your crypto knowledge from the 90's.

      1. Damon Lynch

        > No, it is done, and has been done, repeatedly

        The post was highlighting that by pointing out that NSA originally said MD5 was super secure.

        1. Anonymous Coward
          Anonymous Coward

          >The post was highlighting that by pointing out that NSA originally said MD5 was super secure.

          Well someone "got it" so I can't have been too vague!

          ...pointing out that NSA originally said MD5 was super secure... just as the NSA went on to do with their "SHA" MD5 reboot... then SHA2... while resolutely ignoring and excluding all the other (better. NOT BROKEN) designs.

          YOU MUST USE THE ONE WE TELL YOU TO USE. YOU WILL ONLY USE THE ONE WE TELL YOU TO USE TO THE ABSOLUTE EXCLUSION OF ALL UNBROKEN OTHERS. NO WE WILL NOT PERMIT A SPEC WHICH PERMITS DIVERSITY - THAT WOULD BE TO COMPLICATED FOR "YOUR" PRETTY LITTLE HEADS. NO WE WILL NOT PERMIT A SPEC WHICH CEDES CIPHER SELECTION TO THE CLIENT. NO YOU MAY NOT COMBINE PRIMITIVES ARBITRARILY YOU WILL ONLY USE COMBINATIONS FROM THIS CAREFULLY CONTRIVED LIST. RESISTANCE IS FUTILE -teh nsa

          1. GrumpenKraut
            Facepalm

            > YOU MUST USE THE ONE WE TELL YOU TO USE. [...]

            Kindly stop talking out of your arse.

            1. Anonymous Coward
              Anonymous Coward

              >Kindly stop talking out of your arse.

              OK GK, I'd like to use rsa:serpent256:whirlpool with a fallback for the benefit heavily loaded servers with AES acceleration to ecdhe-ecdsa:aria256:gcm:whirlpool exclusively for all my secure connections. Please review the TLS RFCS then explain to me why that's IMPOSSIBLE. Then explain to me why it HAD to be that way. Then explain to me why there are NO non NSA(SHA) functions permitted by the "international" specs.

      2. Anonymous Coward
        Anonymous Coward

        >I suggest you update your crypto knowledge from the 90's.

        You don't say!

        I was deliberately paraphrasing the propaganda from the 90s as it is SO MUCH MORE meaningful and revealing TODAY. Hint: We knew it was a gross misrepresentation extrapolated from, with the sole intention of instilling, the frankly ridiculous ASSUMPTION that the designs the NSA wished us to use are MATHEMATICALLY PERFECT

        Moronic deceit then, moronic deceit NOW.

        1. Anonymous Coward
          Anonymous Coward

          > I was deliberately paraphrasing the propaganda from the 90s as it is SO MUCH MORE meaningful and revealing TODAY.

          Sure, you can believe in a conspiracy theory, or you can just believe in Moores law and accept that the attacks which are feasible now weren't feasible 25 years ago.

          Technology moves on, attacks become feasible today that weren't feasible then, so algorithms or key lengths get changed.

          > ASSUMPTION that the designs the NSA wished us to use are MATHEMATICALLY PERFECT

          I think you assumed that. No one else in the security industry did. The industry believes in "mathematically good enough, given available computer resources, and the value of the resources you are protecting". That's why RSA key lengths (which is a mathematically sound algorithm) keep getting longer (because processing power keeps going up).

          Security of crypto is not a boolean state, and never ever was, it's calculated risk management and available compute resource is part of that risk equation. If you believe that it's a boolean state then you're going to get burned.

          1. Anonymous Coward
            Anonymous Coward

            P.S. ... almost no one goes after the crypto maths - it's too hard when compared to the alternatives. Everyone just goes around and takes out the OS on either the sender or receiver end.

          2. Anonymous Coward
            Anonymous Coward

            >> I was deliberately paraphrasing the propaganda from the 90s as it is SO MUCH MORE meaningful and revealing TODAY.

            >Sure, you can believe in a conspiracy theory, or you can just believe in Moores law and accept that the attacks which are feasible now weren't feasible 25 years ago.

            Where's the conspiracy? This is all just one organisation working to fulfil its remit.

            Where's the theory? Since it obviously wasn't obvious to you at the time, Snowden has since EXPLAINED the process by which this was done. Exactly as I just explained it. Which was exactly as I explained it at the time. There's a hierarchy in governments. NSA always and inevitably takes precedence over NIST, libraries, meter maids, park rangers, etc. Why do you not comprehend this? Something ceases to be theoretical once it is proven.

            >Technology moves on, attacks become feasible today that weren't feasible then, so algorithms or key lengths get changed.

            I paraphrased the propaganda of the day slightly but how do you suppose Moore's observation can be used to explain something which would have taken a "well funded adversary enough energy to boil the oceans and longer than the time that's passed since the dinosaurs roamed the earth" twenty years ago (taking care to correctly quote the snake-oil proponents exact words) being plausible JUST TWENTY YEARS later?

            >> ASSUMPTION that the designs the NSA wished us to use are MATHEMATICALLY PERFECT

            >I think you assumed that. No one else in the security industry did.

            What? Are you intentionally misinterpreting me? That was how the salesmen calculated their "dinosaur" and "boil the oceans" claims which I (and many others) banged on about being moronic AT THE TIME. Just as I did above. I have never made such a claim, here or elsewhere. All I assumed was that their unproven assumption of mathematical perfection is erroneous which OF COURSE it is.

            >The industry believes in "mathematically good enough, given available computer resources, and the value of the resources you are protecting".

            Obviously. And it's that audience which the dinosaur and ocean boiling rhetoric was designed to (and did) impress. It doesn't sound like you were around then. You can still find references to all this on the web if you really believe I'm making it up.

            >That's why RSA key lengths (which is a mathematically sound algorithm) keep getting longer (because processing power keeps going up).

            Off we go with more of the moronic assumptions. "RSA is a mathematically sound algorithm" you assume incorrectly. It is not. No-one has ever proved its absolute security and I can't imagine anyone with sufficient knowledge in the field contemplating such an exercise. There are a couple of proofs of correctness of implementation but that's not the same thing at all. The key size recommendations are simply moved in step with the efficiency of the PUBLICLY KNOWN attacks alone. I'd recommend reading this for an excellent description of the situation.

            As for your postscript, you DO realise that's just MORE presumption, don't you? I notice you slipped in that "almost" at the beginning which looks suspiciously like an emergency exit. Or do you need some examples of practical cryptanalysis?

      3. Anonymous Coward
        Anonymous Coward

        MD5 cracked?

        It is easy to generate two documents with the same MD5 hash ("collision attack"). I don't think anyone has demonstrated generating a document with the same MD5 hash as a given document ("preimage attack").

        1. Cronus

          Re: MD5 cracked?

          Pre-image, no not that I'm aware of but chosen prefix? Yes. See this https://marc-stevens.nl/research/papers/EC07-SLdW.pdf for an attack on X.509 certificates and there has been limited success with collision attacks against executables.

        2. Michael Wojcik Silver badge

          Re: MD5 cracked?

          It is easy to generate two documents with the same MD5 hash ("collision attack"). I don't think anyone has demonstrated generating a document with the same MD5 hash as a given document ("preimage attack").

          As Cronus noted, the situation with MD5 is a bit more complex and serious than that, but the distinction remains important.

          Similarly, this latest attack is a freestart collision - basically, you get to choose the current state of the compressor and its next input, and you find two pairs of those things ({IV,input}1 and {IV,input}2) that have the same next output. It's a precursor to a full collision attack on SHA-1 and possibly a prefix-preimage attack like we have for MD5, but not necessarily to a full preimage attack.

          Collision attacks are very important for some uses of a cryptographic digest, and not at all relevant to other uses. This attack doesn't affect SHA-1's suitability for password hashing with PBKDF2 or a similar construction, for example.

    2. Anonymous Coward
      Anonymous Coward

      "The researchers call on the tech industry to reject a proposal to extend the issuance of SHA-1 certificates by a year due to alleged difficulties in switch over to SHA-3."

      Oops.. forgot to point and laugh at queer assumption we must all wait for NSA's SHA3 to be officially bestowed unto us before dumping it's SHA sham. Presumably they're not geared up for wholesale SHA2 pwnage yet. Budget pressures?

      Crapto. The real reason the US always so aggressively attacks any suggestion that the dreary, tedious duty of grand master of the internet should be transferred to an international body. It'll never happen. Not ever.

      All your interwebs are belong to NSA

  3. Anonymous Coward
    Windows

    US$75K to rent 60 GPUs for two weeks?

    That's over $1K per GPU. For about 2.5x times that, you can outright *buy* an equivalent system, using something like this little toy, taking less than 1/3rd of a rack overall:

    http://www.supermicro.com.tw/products/system/1U/1028/SYS-1028GQ-TR.cfm

    I know electricity and space do cost money, but one should be able to make this work with far less than $75K per collision.

    1. Anonymous Coward
      Anonymous Coward

      Re: US$75K to rent 60 GPUs for two weeks?

      Yes, you can. The two problems with that are (1) you need to have a place to install the hardware, installing it there, and someone on-hand that understands and performs the care and feeding. (2) You apparently have no idea how hard and how long it takes to accomplish step 1. Getting a cash grant and using "Cloud" is Heaven sent by comparison!!!

      1. Anonymous Coward
        Trollface

        Re: US$75K to rent 60 GPUs for two weeks?

        : (2) You apparently have no idea how hard and how long it takes to accomplish step

        Ah yes. Ad hominem is a time-honoured debating position here on El Reg.

        These days, installing, configuring, and maintaining a small, 15-node, 60-GPU computing cluster is a task routinely accomplished in countless research groups around the world by science undergraduates with no formal IT qualifications whatsoever.

        So yeah, I have no idea.

        1. Doctor_Wibble

          Re: US$75K to rent 60 GPUs for two weeks?

          On the other hand if you can be smart about how you split the CPU workload, you can do it in a whole mass of short computational fragments in everybody's web browser - just pretend you are an ad network with a bunch of crappily-written ad rotator scripts that just happen to look like complicated calculations, display an occasional punch-the-monkey picture and most people won't notice until it's far too late.

          And in any case, I think anyone who has seen the mess that is a typical ad script would understand the question 'how can you tell?'.

          [ and something in the back of my mind is telling me the above would not be the first time someone did the browser-cpu-stealing thing, it does seem familiar and dare I say it, a bit obvious ]

          1. druck Silver badge
            Happy

            Re: US$75K to rent 60 GPUs for two weeks?

            Doctor_Wibble wrote:

            On the other hand if you can be smart about how you split the CPU workload, you can do it in a whole mass of short computational fragments in everybody's web browser - just pretend you are an ad network with a bunch of crappily-written ad rotator scripts that just happen to look like complicated calculations, display an occasional punch-the-monkey picture and most people won't notice until it's far too late.

            I liked the RC5 challenge, all completely above board. Or rather it was the challenge of running it on as many work machines as you could get your hands on!

            1. Doctor_Wibble

              Re: US$75K to rent 60 GPUs for two weeks?

              That sounds horribly familiar, having had to clean up a server farm that had 'dnetc' running on every machine - killed those and it went back to normal response speed, ran at half the temperature and the power consumption dropped to 'vaguely sane'. The 'only uses idle CPU time' thing (all similar things guilty of this) was really quite misleading and I do share some of the collective guilt having managed for a while to do a fair bash at the SETI workload.

              But the years around the millennienniennium *sigh* those were the days, won't be coming back...

              God that's depressing. Pub o'clock I think.

              1. druck Silver badge

                Re: US$75K to rent 60 GPUs for two weeks?

                Back during the RC5 challenge it was P75s and P90s, which ran just as hot doing nothing as when flat out.

    2. fedoraman
      Happy

      Re: US$75K to rent 60 GPUs for two weeks?

      That looks quite nice. I couldn't find the "add to basket" button on the page, though.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like