Bug 1270348 - linux: sha1 collision possible
Summary: linux: sha1 collision possible
Alias: None
Product: Fedora
Classification: Fedora
Component: distribution
Version: 22
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Václav Pavlín
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2015-10-09 17:50 UTC by Richard Jasmin
Modified: 2015-10-10 21:21 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-10-10 21:21:15 UTC
Type: Bug

Attachments (Terms of Use)

Description Richard Jasmin 2015-10-09 17:50:27 UTC
Description of problem:
Recently sha1 hash function has been collided. This presents a security threat as makes us vulnerable to hash cracking. The seriousness of this discovery is just as bad as previous ciper suites(RC4, MD5).

Now, the average joe may not be able to generally do this, but as you know more and more people are using cloud based setups, including hackers, to accomplish just this task. What was used was a 64GPU setup. If not mistaken it took about a week to do this. So, its not exactly fast, but its fast enough to accomplish the task at hand.The more people involved in hacking this, the worse off we all are.

Time to move to a more secure hash algoritm. SHA256, SHA512, RIPEMD, etc.This affects all Linux and anyone else using the cipher.

And according to wikipedia, WTF are we using SHA1 for anyways? everyone should be using 2 or 3.MINIMUM SHA256 is used for SHA2.

hacker news: https://thehackernews.com/2015/10/sha-1-collision-attack.html

slashdot has an article here: http://it.slashdot.org/story/15/10/09/1425207/first-successful-collision-attack-on-the-sha-1-hashing-algorithm

ALSO, as you know anything on the net using this is justas - if not moreso - vulnerable.Net based setups need to mitigate this before its a problem.

Version-Release number of selected component (if applicable):

How reproducible:
Im only reporting whats been done.

Steps to Reproduce:
you need a cloud based gpu setup for this.

Comment 1 Kevin Fenzi 2015-10-10 21:21:15 UTC
Sure, this is fine information, but I'm not sure what you are wanting us to do here. 

If you want to make all fedora developers more aware of this, I'd suggest posting to the devel list. 

If you see any applications/packages using sha1, please file bugs on them. 

With Fedora 21, we established a system wide crypto policy. If you want to change this, please file a bug against the crypto-policies package: 


Hope that helps.

Note You need to log in before you can comment on or make changes to this bug.