Bug 1270348 - linux: sha1 collision possible
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: distribution
Version: 22
Hardware: All Linux
Priority: unspecified, Severity: high
Assigned To: Václav Pavlín
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-10-09 13:50 EDT by Richard Jasmin
Modified: 2015-10-10 17:21 EDT
Doc Type: Bug Fix
Last Closed: 2015-10-10 17:21:15 EDT
Type: Bug

Description Richard Jasmin 2015-10-09 13:50:27 EDT
Description of problem:
Recently the sha1 hash function has been collided. This presents a security threat as it makes us vulnerable to hash cracking. The seriousness of this discovery is just as bad as previous cipher suites (RC4, MD5).

Now, the average Joe may not be able to generally do this, but as you know more and more people are using cloud based setups, including hackers, to accomplish just this task. What was used was a 64GPU setup. If not mistaken it took about a week to do this. So, it's not exactly fast, but it's fast enough to accomplish the task at hand. The more people involved in hacking this, the worse off we all are.

Time to move to a more secure hash algorithm. SHA256, SHA512, RIPEMD, etc. This affects all Linux and anyone else using the cipher.

And according to Wikipedia, WTF are we using SHA1 for anyways? Everyone should be using 2 or 3. MINIMUM SHA256 is used for SHA2.

hacker news: https://thehackernews.com/2015/10/sha-1-collision-attack.html

slashdot has an article here: http://it.slashdot.org/story/15/10/09/1425207/first-successful-collision-attack-on-the-sha-1-hashing-algorithm

ALSO, as you know anything on the net using this is just as - if not more so - vulnerable. Net based setups need to mitigate this before it's a problem.

Version-Release number of selected component (if applicable):
22

How reproducible:
I'm only reporting what's been done.

Steps to Reproduce:
You need a cloud based GPU setup for this.
Comment 1 Kevin Fenzi 2015-10-10 17:21:15 EDT
Sure, this is fine information, but I'm not sure what you are wanting us to do here.

If you want to make all Fedora developers more aware of this, I'd suggest posting to the devel list.

If you see any applications/packages using sha1, please file bugs on them.

With Fedora 21, we established a system-wide crypto policy. If you want to change this, please file a bug against the crypto-policies package:

https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&version=rawhide&component=crypto-policies

Hope that helps.
