Ofufuza ochokera ku French State Institute for Research in Informatics and Automation (INRIA) ndi Nanyang Technological University (Singapore) adapereka njira yowukira. (), yomwe ikuwoneka ngati njira yoyamba yogwiritsira ntchito kuukira kwa SHA-1 algorithm yomwe ingagwiritsidwe ntchito kupanga siginecha zabodza za digito za PGP ndi GnuPG. Ofufuzawo akukhulupirira kuti tsopano zowukira zonse zothandiza pa MD5 zitha kugwiritsidwa ntchito ku SHA-1, ngakhale zimafunikirabe zofunikira kuti zitheke.
Njirayi imachokera pakuchita , yomwe imalola kuti ma seti awiri a deta osasunthika asankhe zowonjezera, zikaphatikizidwa, zotsatira zake zidzakhala zoyambitsa kugundana, kugwiritsa ntchito algorithm ya SHA-1 yomwe idzatsogolera kupanga hashi yofanana. Mwa kuyankhula kwina, zowonjezera ziwiri zikhoza kuwerengedwa pa zolemba ziwiri zomwe zilipo, ndipo ngati chimodzi chikuwonjezeredwa ku chikalata choyamba ndi china kwa chachiwiri, zotsatira za SHA-1 za mafayilowa zidzakhala zofanana.
Njira yatsopanoyi imasiyana ndi njira zofananira zomwe zidapangidwa kale pothandizira kuzindikira kugundana ndikuwonetsa kugwiritsa ntchito bwino powukira PGP. Makamaka, ofufuzawo adatha kukonza makiyi awiri a PGP amitundu yosiyanasiyana (RSA-8192 ndi RSA-6144) okhala ndi ma ID osiyanasiyana ogwiritsa ntchito komanso satifiketi zomwe zimayambitsa kugunda kwa SHA-1. kuphatikizapo ID wozunzidwa, ndi kuphatikizapo dzina ndi chithunzi cha woukirayo. Nthawi yomweyo, chifukwa chakugundana, satifiketi yozindikiritsa makiyi, yomwe imaphatikizapo kiyi ndi chithunzi cha wowukirayo, inali ndi hashi ya SHA-1 yofanana ndi chizindikiritso, chomwe chimaphatikizapo kiyi ndi dzina la wozunzidwayo.
Wowukirayo atha kupempha siginecha ya digito ya kiyi wake ndi chithunzi kuchokera kwa gulu lachitatu la certification, ndiyeno kusamutsa siginecha ya digito ya kiyi ya wozunzidwayo. Siginecha ya digito imakhalabe yovomerezeka chifukwa cha kugundana ndi kutsimikizika kwa kiyi ya wowukirayo ndi oyang'anira certification, zomwe zimalola wowukirayo kuti azilamulira kiyi ndi dzina la wozunzidwayo (popeza SHA-1 hash ya makiyi onsewo ndi ofanana). Zotsatira zake, wowukirayo amatha kukhala ngati wozunzidwayo ndikusayina chikalata chilichonse m'malo mwake.
Kuwukiraku kukadali kokwera mtengo, koma ndikokwera mtengo kwambiri kwa mautumiki apadera ndi makampani akuluakulu. Kuti muzindikire kugundana kosavuta pogwiritsa ntchito NVIDIA GTX 970 GPU yotsika mtengo, mtengo wake unali $11, ndipo pofananiza kugundana ndi mawu oyamba - $45 (poyerekeza, mu 2012, mtengo wofananira kugunda kwa SHA-1 udafika $2 miliyoni. , ndipo mu 2015 - 700 zikwi). Kuwukira kothandiza kwa PGP kunatenga miyezi iwiri yowerengera pogwiritsa ntchito 900 NVIDIA GTX 1060 GPUs, zomwe zidawononga ofufuza $75 kubwereka.
Njira yomwe ofufuza apanga kuti azindikire kugundana ndi pafupifupi nthawi 10 kuposa zomwe zidachitika m'mbuyomu - kuchuluka kwa zovuta zamakompyuta kunachepetsedwa kukhala ma 261.2, m'malo mwa 264.7, ndikugundana ndi prefix yoperekedwa ku ntchito 263.4 m'malo mwa 267.1. Ofufuzawa amalimbikitsa kuti asinthe kuchoka ku SHA-1 kuti agwiritse ntchito SHA-256 kapena SHA-3 posachedwa, chifukwa amalosera kuti mtengo wochitira chiwembu udzatsika mpaka $ 2025 mu 10.
Madivelopa a GnuPG adadziwitsidwa za nkhaniyi pa Okutobala 1 (CVE-2019-14855) ndipo adachitapo kanthu pa Novembara 25 ndikutulutsidwa kwa GnuPG 2.2.18 kuti aletse ziphaso zovuta - masiginecha onse a digito a SHA-1 adapangidwa pambuyo pa Januware 19 womaliza. chaka tsopano chizindikiridwa ngati chosavomerezeka. CAcert, imodzi mwa ma CA akuluakulu a makiyi a PGP, ikukonzekera kusamukira ku ntchito zotetezeka za hashi kuti zitsimikizire makiyi. Madivelopa a OpenSSL, poyankha zambiri za njira yatsopano yowukira, adaganiza zoletsa SHA-1 pamlingo woyamba wachitetezo (SHA-1 sidzagwiritsidwa ntchito ngati satifiketi ndi siginecha ya digito panthawi yolumikizana).
Source: opennet.ru