Abacwaningi abavela eFrench State Institute for Research in Informatics and Automation (INRIA) kanye neNanyang Technological University (Singapore) bethule indlela yokuhlasela. (), okubhekwa njengokuqaliswa okungokoqobo kokuqala kokuhlasela kwe-algorithm ye-SHA-1 engasetshenziswa ukudala mbumbulu amasiginesha edijithali ye-PGP ne-GnuPG. Abacwaningi bakholelwa ukuthi konke ukuhlasela okungokoqobo kwe-MD5 manje kungasetshenziswa ku-SHA-1, nakuba kusadinga izinsiza ezibalulekile ukuze kusetshenziswe.
Indlela isekelwe ekwenzeni , okuvumela ukuthi ukhethe izengezo zamasethi edatha amabili angenasisekelo, uma unamathiselwe, okukhiphayo kuzokhiqiza amasethi abangela ukungqubuzana, ukusetshenziswa kwe-algorithm ye-SHA-1 okuzoholela ekwakhekeni kwe-hashi efanayo ewumphumela. Ngamanye amazwi, kumadokhumenti amabili akhona, iziphelelisi ezimbili zingabalwa, futhi uma enye yenezelwa kudokhumenti yokuqala futhi enye kweyesibili, umphumela we-SHA-1 hashes kulawa mafayela uzofana.
Indlela entsha ihlukile kumasu afanayo ahlongozwe ngaphambilini ngokukhuphula ukusebenza kahle kokusesha kokushayisana nokubonisa ukusetshenziswa okungokoqobo kokuhlasela i-PGP. Ikakhulukazi, abacwaningi bakwazile ukulungiselela okhiye ababili basesidlangalaleni be-PGP bosayizi abahlukene (RSA-8192 kanye ne-RSA-6144) ngama-ID abasebenzisi abahlukene kanye nezitifiketi ezibangela ukungqubuzana kwe-SHA-1. kuhlanganisa ne-ID yesisulu, kanye kufakwe igama nesithombe somhlaseli. Ngaphezu kwalokho, ngenxa yokukhethwa kokushayisana, isitifiketi esihlonza okhiye, okuhlanganisa ukhiye nesithombe somhlaseli, sinehashi ye-SHA-1 efanayo njengesitifiketi sokukhomba, okuhlanganisa ukhiye negama lesisulu.
Umhlaseli angase acele isiginesha yedijithali yokhiye wakhe nesithombe kwabasemagunyeni bokunikeza isitifiketi, bese edlulisela isiginesha yedijithali yokhiye wesisulu. Isiginesha yedijithali ihlala ilungile ngenxa yokushayisana nokuqinisekiswa kokhiye womhlaseli yisiphathimandla sokunikeza isitifiketi, okuvumela umhlaseli ukuthi alawule ukhiye ngegama lesisulu (njengoba i-SHA-1 hashi yabo bobabili okhiye iyafana). Ngenxa yalokho, umhlaseli angakwazi ukuzenza isisulu futhi asayine noma iyiphi idokhumenti egameni lakhe.
Lokhu kuhlasela kusabiza kakhulu, kodwa sekuvele kungabizi kakhulu ezinsizeni zezobunhloli nezinkampani ezinkulu. Ngokukhetha okulula kokushayisana kusetshenziswa i-NVIDIA GTX 970 GPU eshibhile, izindleko bezingamadola ayizinkulungwane eziyi-11, kanti ukukhetha ukushayisana nesiqalo esinikeziwe - amadola ayizinkulungwane ezingama-45 (uma kuqhathaniswa, ngo-2012, izindleko zokukhetha ukushayisana ku-SHA-1 kulinganiselwa ku-2 million dollar, futhi ngo-2015 - 700 ayizinkulungwane). Ukwenza ukuhlasela okungokoqobo ku-PGP, kuthathe izinyanga ezimbili kusetshenziswa ikhompuyutha kusetshenziswa ama-900 NVIDIA GTX 1060 GPUs, ukuqashwa kwawo kubiza abacwaningi u-$75.
Indlela yokuthola ukushayisana ephakanyiswe abacwaningi icishe isebenze ngokuphindwe ka-10 kunezimpumelelo zangaphambilini - izinga eliyinkimbinkimbi lezibalo zokushayisana lehliswe laba imisebenzi engu-261.2, esikhundleni sika-264.7, kanye nokushayisana nesiqalo esinikeziwe sokusebenza okungu-263.4 esikhundleni sika-267.1. Abacwaningi batusa ukuthi usuke ku-SHA-1 usebenzise i-SHA-256 noma i-SHA-3 ngokushesha okukhulu, njengoba bebikezela ukuthi izindleko zokuhlasela zizokwehla ziye ku-$2025 ngo-10.
Onjiniyela be-GnuPG baziswe ngenkinga ngo-Okthoba 1 (CVE-2019-14855) futhi bathatha isinyathelo sokuvimba izitifiketi eziyinkinga ngoNovemba 25 ekukhishweni kwe-GnuPG 2.2.18 - wonke amasiginesha omazisi bedijithali be-SHA-1 adalwe ngemva komhla ka-19 kaJanuwari. ngonyaka odlule manje zibonwa njengezingalungile. I-CAcert, enye yeziphathimandla eziyinhloko zokunikeza izitifiketi zokhiye be-PGP, ihlela ukushintshela ekusebenziseni imisebenzi ye-hashi evikeleke kakhulu ukuze uthole isitifiketi esibalulekile. Onjiniyela be-OpenSSL, ngenxa yolwazi olumayelana nendlela entsha yokuhlasela, banqume ukukhubaza i-SHA-1 ezingeni lokuqala elizenzakalelayo lokuphepha (i-SHA-1 ayikwazi ukusetshenziselwa izitifiketi namasignesha edijithali phakathi nenqubo yezingxoxo zokuxhuma).
Source: opennet.ru