
At the beginning of the year, I recommended updating SSL/TLS certificates that are signed with the SHA-1 algorithm. Now it is no longer just a recommendation but a warning.
Recent news has shown that the estimate that a SHA-1 collision would become affordable to the criminal world by 2018 turned out to be optimistic. Marc Stevens, Pierre Karpman and Thomas Peyrin (I hope they will forgive me for such a translation of their names) published an article and a press release calling for SHA-1 to be abandoned as soon as possible. They show that creating a fake SHA-1-based signature can now cost about $100 thousand, which is quite affordable for the criminal world, rather than the $700 thousand that the well-known cryptographer Bruce Schneier expected for 2015.
The cost estimate is based on the Amazon EC2 price list for graphics cores, because they are the most efficient at computing hashes.
It is important to note that the researchers obtained a collision in the internal compression function of the hashing algorithm, a so-called freestart collision, in which the initialization vector can be chosen arbitrarily. Strictly speaking, therefore, the result is not a collision in SHA-1 itself. The calculations took 10 days and required the continuous operation of 64 graphics cores. At Amazon EC2 rates, this is about $2,000. Experts estimate that a full attack on SHA-1 will take from 49 to 78 days on a cluster of 512 graphics cores. That is undoubtedly much more expensive and slower, but the time frame is already quite reasonable, and in some cases such an attack could achieve the attackers' goals.
Given that the experts have demonstrated a method that does not directly lead to SHA-1 collisions in the general case, cryptographer Bruce Schneier said:
Do not panic, and get ready for a future panic.
The next move is up to the vendors of operating systems and browsers. They will be forced to revise their plans for dropping support for SHA-1 certificates and to mark all such certificates as unsafe sooner, since the countdown is no longer a matter of a year but perhaps of months.
Perhaps a SHA-1 collision search service will appear on the black market in the near future. Since demand depends directly on price and turnaround time, this could become a routine business, and the blow will fall on everyone who has not paid due attention to security, who uses outdated software, and so on.