by gregmac
2219 days ago
What's been done here is a chosen-prefix collision attack [1] where the attacker can produce two files that have the same hash. What you're asking about is a preimage attack [2] where one of the files is already created and the attacker can't influence it.

The practical attack enabled here is mostly around digital signatures. An attacker could produce documents A and B that both have the same SHA-1. They can then get someone to sign document A (which really is signing the SHA-1 of document A), then use the signature with document B and make it look like they have a document B signed with a valid signature.

As an example, if document A is a regular SSL certificate request, and document B is a "CA certificate", the attacker can trick a real CA into signing a rogue CA into existence, which can then sign its own certificates that will be trusted by every browser. This has already happened with MD5 in 2008 [3].

[1] https://en.wikipedia.org/wiki/Collision_attack
[2] https://en.wikipedia.org/wiki/Preimage_attack
[3] http://www.phreedom.org/research/rogue-ca/
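An added illustration, not part of gregmac's comment: why a signature made over a digest carries over to any second document with the same digest, and why a collision-resistant digest stops that. Assumptions: SHA-1 truncated to 24 bits is a toy stand-in for a broken hash, HMAC stands in for a real signature algorithm, and the key and document strings are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for the signer's private key

def weak_digest(data: bytes) -> bytes:
    # Toy hash (assumption): SHA-1 cut to 24 bits so collisions take milliseconds.
    return hashlib.sha1(data).digest()[:3]

def strong_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def sign(doc: bytes, digest) -> bytes:
    # Hash-then-sign: only digest(doc) reaches the signing primitive.
    # HMAC is a stand-in for a real signature algorithm.
    return hmac.new(KEY, digest(doc), hashlib.sha256).digest()

def verify(doc: bytes, sig: bytes, digest) -> bool:
    return hmac.compare_digest(sign(doc, digest), sig)

def find_collision(prefix_a: bytes, prefix_b: bytes, digest):
    # Birthday search: the same party picks both documents, varying a
    # counter suffix on each until one from each side shares a digest.
    seen = {}
    i = 0
    while True:
        a = prefix_a + b" #%d" % i
        seen[digest(a)] = a
        b = prefix_b + b" #%d" % i
        if digest(b) in seen:
            return seen[digest(b)], b
        i += 1

def demo():
    doc_a, doc_b = find_collision(b"ordinary certificate request",
                                  b"CA certificate request", weak_digest)
    sig_weak = sign(doc_a, weak_digest)      # signer is shown only document A
    sig_strong = sign(doc_a, strong_digest)
    return {
        "same_weak_digest": weak_digest(doc_a) == weak_digest(doc_b),
        "b_accepted_weak": verify(doc_b, sig_weak, weak_digest),
        "b_accepted_strong": verify(doc_b, sig_strong, strong_digest),
        "a_accepted_strong": verify(doc_a, sig_strong, strong_digest),
    }

if __name__ == "__main__":
    print(demo())
```

The search only works because both documents are free to vary; fixing document A in advance turns it into the preimage case, which costs on the order of the full digest space rather than its square root.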