Google recently announced the first SHA-1 collision https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html. Should I be surprised or should I be dejected that all my personal GitHub projects need a revamp in their security configurations?
TL;DR : I don’t give a damn about the SHA-1 collision. Come on! A supercomputer-like configuration is used for cryptanalysing a theoretically deemed broken security mechanism. I’ll still use it since this information isn’t news to me – stuff could have been done 7 years back.
Being a typical researcher, the first question we are trained to ask ourselves is – “What is the problem”? In this case, the naive answer being – “SHA-1 collision detected. Please signal mayday and activate SoS mode.” Alright, so if a SHA-1 collision is detected, ‘what’s the problem’? Should I throw away my iPhone because my credit card details and fingerprints are SHA-1’ed into it? Should I stop relying on the transport layer TLS service and resurrect an ancient-era network technology that by-passed the transport layer or have a software-defined network layer?… Alright man, stop ranting!! Just reconfigure your security protocols to use AES, blowfish, etc., etc… Easier said than done right? [Network Admins – Knock Knock.]
Ok, so let’s look at the situation more closely… As always, ‘What is the problem?’
This pic (courtesy: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html) snapshots the SHA-1 hash-break by Google and the researchers at CWI institute.
Problem 1 : [ ZygoteInit phased OMG!!! ] Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total. Haha, even a beast of the server workstations at one of our clusters (nope, I’m not going to say which one) running for 5 days at a stretch wouldn’t be able to compute so much. Conclusion: Impractical.
Problem 2 : Problem 1 isn’t a practical problem anymore. So, ‘What is the problem?’ Conclusion: !@#&*@#$^[doodle][doodle][procrastinate]!@#$@#^%!@#[stuck][stuck]!@#$$
So, after thinking hard and long for 3 hours, I figured out that there aren’t any compelling reasons for me to worry about the SHA-1 collision incident. It was specifically designed by a research community to prove that the theoretical results hold true. Anyway, the first few lectures of a Computer Security course teach us that this algo is broken and it’s better to avoid it. No, nothing special with the new discovery. So, take a chill-pill and relax on a beach, the bad guys who have so many resources wouldn’t bother stealing any information from a consumer like me.
So, what if quantum computing becomes a reality and P = NP ? Then, I should be worried, I guess.