Researchers from the French State Institute for Research in Informatics and Automation (INRIA) and Nanyang Technological University (Singapore) have presented an attack method.
The method is based on carrying out
The new method differs from similar methods proposed earlier in that it makes the collision search more efficient and demonstrates a practical application in an attack on PGP. In particular, the researchers were able to prepare two PGP keys of different sizes (RSA-8192 and RSA-6144) with different user IDs and with certificates that produce a SHA-1 collision.
The attacker can request a digital signature for his own key and image from a third-party certification authority, and then transfer that digital signature to the victim's key. The digital signature remains valid because of the collision and because the certification authority verified the attacker's key, which lets the attacker control a key that carries the victim's name (since the SHA-1 hash of both keys is the same). As a result, the attacker can impersonate the victim and sign any document on the victim's behalf.
The attack is still expensive, but it is already within the means of intelligence services and large corporations. For a simple collision search using the cheaper NVIDIA GTX 970 GPU, the cost was $11, and for a collision with a given prefix it was $45 (for comparison, in 2012 the cost of finding a SHA-1 collision was estimated at $2 million, and in 2015 at 700 thousand). The practical attack on PGP took two months of computation on 900 NVIDIA GTX 1060 GPUs, which cost the researchers $75 to rent.
The collision search method developed by the researchers is about 10 times more efficient than previous ones: the computational complexity of finding a collision was reduced to 2^61.2 operations instead of 2^64.7, and of finding a collision with a given prefix to 2^63.4 operations instead of 2^67.1. The researchers recommend moving from SHA-1 to SHA-256 or SHA-3 as soon as possible, since they predict that the cost of carrying out the attack will fall to $10 by 2025.
The GnuPG developers were notified of the issue on October 1 (CVE-2019-14855) and on November 25 took action in the GnuPG 2.2.18 release to block the problematic certificates: all SHA-1 digital signatures created after January 19 of last year are now treated as invalid. CAcert, one of the major certification authorities for PGP keys, plans to move to more secure hash functions for certifying keys. The OpenSSL developers, in response to information about the new attack method, decided to disable SHA-1 at the first security level (SHA-1 will not be usable for certificates and digital signatures during connection negotiation).
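The following Python example, added here and not taken from GnuPG or the original article, applies the rule described above to a binary OpenPGP stream: it walks the packets as laid out in RFC 4880 and reports key certifications that use SHA-1 and were created after the cutoff. The year 2019 for the cutoff, the function names and the sample packet are assumptions constructed for this example.

```python
from datetime import datetime, timezone

SHA1, SIG_TAG, CERT_TYPES = 2, 2, range(0x10, 0x14)  # RFC 4880 IDs; 0x10-0x13 certify a user ID
# Assumption: the article's "January 19 of last year" means 2019-01-19 UTC.
CUTOFF = int(datetime(2019, 1, 19, tzinfo=timezone.utc).timestamp())
# Constructed sample, not a real signature: v4 type-0x13 certification, SHA-1, created 2020-01-01
SAMPLE = bytes.fromhex("c213 04130102 0006 05025e0be100 0000 abcd 000101")

def read_len(buf, i, two_max):
    """Decode a new-format length at buf[i]; return (length, next index)."""
    n = buf[i]
    if n < 192:
        return n, i + 1
    if n <= two_max:
        return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    if n == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled")

def packets(data):
    """Yield (tag, body) for each packet of a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                       # new-format header
            tag, (n, i) = hdr & 0x3F, read_len(data, i + 1, 223)
        else:                                # old-format header
            size = 1 << (hdr & 3)            # length type 3 is not handled
            tag, n = (hdr >> 2) & 15, int.from_bytes(data[i + 1:i + 1 + size], "big")
            i += 1 + size
        yield tag, data[i:i + n]
        i += n

def creation_time(hashed):
    """Return the Signature Creation Time (subpacket type 2), or None."""
    i = 0
    while i < len(hashed):
        n, i = read_len(hashed, i, 254)      # n counts the type octet too
        if hashed[i] & 0x7F == 2:
            return int.from_bytes(hashed[i + 1:i + 5], "big")
        i += n
    return None

def rejected_sha1_certs(data):
    """Creation times of v4 SHA-1 key certifications made after CUTOFF."""
    sigs = (b for t, b in packets(data)
            if t == SIG_TAG and b[0] == 4 and b[1] in CERT_TYPES and b[3] == SHA1)
    times = (creation_time(b[6:6 + int.from_bytes(b[4:6], "big")]) for b in sigs)
    return [t for t in times if t is not None and t > CUTOFF]
```

To check a real key, pass the bytes of a binary (non-armored) key export to `rejected_sha1_certs`; a non-empty result lists certifications that the rule above would no longer accept.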
Source: opennet.ru