Bug 1270348

Summary: linux: sha1 collision possible
Product: [Fedora] Fedora Reporter: Richard Jasmin <spike85051>
Component: distributionAssignee: Václav Pavlín <vpavlin>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 22CC: dennis, kevin
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-10 21:21:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Richard Jasmin 2015-10-09 17:50:27 UTC 
Description of problem:
Recently sha1 hash function has been collided. This presents a security threat as makes us vulnerable to hash cracking. The seriousness of this discovery is just as bad as previous ciper suites(RC4, MD5).

Now, the average joe may not be able to generally do this, but as you know more and more people are using cloud based setups, including hackers, to accomplish just this task. What was used was a 64GPU setup. If not mistaken it took about a week to do this. So, its not exactly fast, but its fast enough to accomplish the task at hand.The more people involved in hacking this, the worse off we all are.

Time to move to a more secure hash algoritm. SHA256, SHA512, RIPEMD, etc.This affects all Linux and anyone else using the cipher.

And according to wikipedia, WTF are we using SHA1 for anyways? everyone should be using 2 or 3.MINIMUM SHA256 is used for SHA2.

hacker news: https://thehackernews.com/2015/10/sha-1-collision-attack.html

slashdot has an article here: http://it.slashdot.org/story/15/10/09/1425207/first-successful-collision-attack-on-the-sha-1-hashing-algorithm

ALSO, as you know anything on the net using this is justas - if not moreso - vulnerable.Net based setups need to mitigate this before its a problem.

Version-Release number of selected component (if applicable):
22

How reproducible:
Im only reporting whats been done.

Steps to Reproduce:
you need a cloud based gpu setup for this.
Comment 1 Kevin Fenzi 2015-10-10 21:21:15 UTC 
Sure, this is fine information, but I'm not sure what you are wanting us to do here. 

If you want to make all fedora developers more aware of this, I'd suggest posting to the devel list. 

If you see any applications/packages using sha1, please file bugs on them. 

With Fedora 21, we established a system wide crypto policy. If you want to change this, please file a bug against the crypto-policies package: 

https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&version=rawhide&component=crypto-policies

Hope that helps.