A method for finding collisions in SHA-1, suitable for attacking PGP, has been presented

Researchers from the French State Institute for Research in Informatics and Automation (INRIA) and Nanyang Technological University (Singapore) have presented the Shambles attack method (PDF). The researchers believe that all attacks that work against MD5 are now applicable to SHA-1, although they still require significant resources to carry out.

The method is based on a chosen-prefix collision attack: given two arbitrary data sets, it lets you select two suffixes such that, once each is appended, the resulting sets collide, that is, applying the SHA-1 algorithm to them produces the same resulting hash. In other words, for two existing documents, two suffixes can be computed, and if one is appended to the first document and the other to the second, the resulting SHA-1 hashes of these files will be identical.

The new method differs from previously proposed similar techniques by making the collision search more efficient and by demonstrating a practical application to attacking PGP. In particular, the researchers were able to prepare two PGP public keys of different sizes (RSA-8192 and RSA-6144) with different user IDs and with certificates that produce a SHA-1 collision. The first key included the victim's ID, and the second key included the attacker's name and image. Moreover, thanks to the collision search, the key-identifying certificate that includes the attacker's key and image had the same SHA-1 hash as the identifying certificate that includes the victim's key and name.

The attacker can request a digital signature for his key and image from a third-party certification authority, and then transfer that digital signature to the victim's key. The digital signature remains valid because of the collision and the certification authority's verification of the attacker's key, which allows the attacker to gain control of a key carrying the victim's name (since the SHA-1 hash of both keys is the same). As a result, the attacker can impersonate the victim and sign any document on the victim's behalf.

The attack is still expensive, but it is already feasible for intelligence services and large corporations. Using a cheap NVIDIA GTX 970 GPU, finding a simple collision cost 11 thousand dollars, and finding a chosen-prefix collision cost 45 thousand dollars (for comparison, in 11 the cost of finding a collision in SHA-1 was estimated at two million dollars, and in 2012 - 1 thousand). Carrying out a practical attack on PGP took two months of computation using 2 NVIDIA GTX 2015 GPUs, the rental of which cost the researchers $700.

The collision search method proposed by the researchers is 10 times more efficient than previous results: the computational complexity of finding a collision was reduced to 2^61.2 operations instead of 2^64.7, and of a chosen-prefix collision to 2^63.4 operations instead of 2^67.1. The researchers recommend switching from SHA-1 to SHA-256 or SHA-3 as soon as possible, as they predict that the cost of an attack will drop to $ 2025 by 10.

The GnuPG developers were notified of the problem on October 1 (CVE-2019-14855) and took action to block the problematic certificates on November 25 in the GnuPG 2.2.18 release: all SHA-1 digital signatures created after January 19 of last year are now treated as invalid. CAcert, one of the main certification authorities for PGP keys, plans to move to more secure hash functions for key certification. The OpenSSL developers, responding to information about the new attack method, decided to disable SHA-1 at the first security level (SHA-1 cannot be used for certificates and digital signatures during connection negotiation).
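The date-based rejection described above can be sketched as a check over an OpenPGP version 4 signature packet body (RFC 4880 layout). This is an added example, not GnuPG's code: the function names, the fail-closed handling of a missing creation time, and the year 2019 for the cutoff are assumptions, and the sample packets are constructed.

```python
import struct
from datetime import datetime, timezone

SHA1 = 2  # OpenPGP hash algorithm ID for SHA-1 (RFC 4880, section 9.4)
# Assumption: the page says only "January 19 of last year"; 2019 is assumed here.
CUTOFF = datetime(2019, 1, 19, tzinfo=timezone.utc)

def subpackets(area):
    """Yield (type, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        n = area[i]
        i += 1
        if 192 <= n < 255:                       # two-octet length
            n = ((n - 192) << 8) + area[i] + 192
            i += 1
        elif n == 255:                           # five-octet length
            n = struct.unpack(">I", area[i:i + 4])[0]
            i += 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]  # strip the critical bit
        i += n

def parse_v4_signature(body):
    """Return (sig_type, hash_algo, creation_time) from a v4 signature body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a version 4 signature packet")
    sig_type, _pk_algo, hash_algo, hlen = struct.unpack(">BBBH", body[1:6])
    hashed = body[6:6 + hlen]
    if len(hashed) != hlen:
        raise ValueError("truncated hashed subpacket area")
    created = None
    for typ, data in subpackets(hashed):
        if typ == 2 and len(data) == 4:          # signature creation time
            ts = struct.unpack(">I", data)[0]
            created = datetime.fromtimestamp(ts, timezone.utc)
    return sig_type, hash_algo, created

def rejected_by_policy(body, cutoff=CUTOFF):
    """True for a SHA-1 signature created after the cutoff (or with no date)."""
    _sig_type, hash_algo, created = parse_v4_signature(body)
    if hash_algo != SHA1:
        return False
    return created is None or created > cutoff   # fail closed when undated

def sample(hash_algo, when):
    """Constructed input: header fields and creation time only, no real MPIs."""
    hashed = bytes([5, 2]) + struct.pack(">I", int(when.timestamp()))
    return bytes([4, 0x13, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed + bytes(4)
```

The creation time is read from the hashed subpacket area only, since the unhashed area is not covered by the signature.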

Source: opennet.ru
