Researchers from the French National Institute for Research in Computer Science and Automation (INRIA) and Nanyang Technological University (Singapore) have presented an attack method.
The method is based on performing
The new method differs from similar techniques proposed earlier in the efficiency of its collision search and in demonstrating a practical application of the attack to PGP. In particular, the researchers were able to prepare two PGP public keys of different sizes (RSA-8192 and RSA-6144) with different user IDs, constructed so that a certification over either key hashes to the same SHA-1 value.
An attacker can request a certification (a digital signature) of their own key and photo from a certification authority and then transplant that signature onto the victim-named key. Because the SHA-1 hashes of the two keys are identical, the signature remains valid for the second key even though the authority only ever verified the attacker's key: no signature is forged, the authority's genuine signature is simply transferred to data it never saw. The attacker thus holds a key bearing the victim's name that carries a valid certification, can impersonate the victim, and can sign any document on the victim's behalf.
The attack is still expensive, but it is already within reach of intelligence agencies and large corporations. Using inexpensive NVIDIA GTX 970 GPUs, finding a plain (identical-prefix) collision would cost about $11,000 and a chosen-prefix collision about $45,000 (for comparison, in 2012 the cost of finding a SHA-1 collision was estimated at $2 million, and in 2015 at $700,000). The practical attack on PGP took two months of computation on a cluster of 900 NVIDIA GTX 1060 GPUs, whose rental cost the researchers $75,000.
The collision-finding method proposed by the researchers is roughly 10 times more efficient than earlier results: the complexity of finding a collision was reduced to 2^61.2 operations from 2^64.7, and that of a chosen-prefix collision to 2^63.4 from 2^67.1. The researchers recommend migrating from SHA-1 to SHA-256 or SHA-3 as soon as possible, since they predict that the cost of the attack will fall to $10,000 by 2025.
The GnuPG developers were notified of the problem on October 1 (CVE-2019-14855) and on November 25 shipped countermeasures against the problematic certifications in GnuPG 2.2.18: all SHA-1 key certifications (identity signatures) made after January 19, 2019 are now rejected as invalid. CAcert, one of the main certification authorities for PGP keys, plans to switch to stronger hash functions for key certifications. The OpenSSL developers, in light of the new attack method, decided to disable SHA-1 at security level 1, which is the default (SHA-1 can no longer be used for certificates and digital signatures during the TLS handshake).
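As an added example (not code from the article, from the researchers, or from GnuPG), the following Python script implements the policy described above the way a keyring audit tool would: it walks a binary OpenPGP stream, reads v4 signature packets, and flags user-ID certifications made with SHA-1 on or after 2019-01-19. It assumes the rule applies to the certification signature types 0x10 to 0x13; the keyring fragment, the user ID and the signature values in it are constructed for the demonstration, and the parser implements only the parts of RFC 4880 the check needs.

```python
"""Flag OpenPGP user-ID certifications that the GnuPG 2.2.18 SHA-1 policy rejects.
Added example, not GnuPG code. Assumes the rule covers signature types 0x10-0x13;
partial body lengths and v3 signatures are deliberately not supported."""
import datetime
import struct

SHA1 = 2
DIGEST_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}   # generic/persona/casual/positive
# Cutoff from the GnuPG 2.2.18 change: 2019-01-19 00:00:00 UTC.
SHA1_CUTOFF = int(datetime.datetime(2019, 1, 19, tzinfo=datetime.timezone.utc).timestamp())


def _read_new_length(data, pos):
    """Body length of a new-format packet (RFC 4880 4.2.2); returns (length, next_pos)."""
    o1 = data[pos]
    if o1 < 192:
        return o1, pos + 1
    if o1 < 224:
        return ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
    if o1 == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not supported")


def iter_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % pos)
        if ctb & 0x40:                               # new-format header
            tag = ctb & 0x3F
            length, pos = _read_new_length(data, pos + 1)
        else:                                        # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length


def _subpacket_length(data, pos):
    """Signature subpacket length (RFC 4880 5.2.3.1); it includes the type byte."""
    o1 = data[pos]
    if o1 < 192:
        return o1, pos + 1
    if o1 < 255:
        return ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
    return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5


def parse_v4_signature(body):
    """Return (sig_type, digest_algo, creation_time) from a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are supported")
    sig_type, digest_algo = body[1], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    pos, end = 6, 6 + hashed_len
    creation_time = None
    while pos < end:                                 # hashed subpacket area only
        length, pos = _subpacket_length(body, pos)
        if body[pos] & 0x7F == 2:                    # creation time (bit 7 = critical flag)
            creation_time = struct.unpack(">I", body[pos + 1:pos + 5])[0]
        pos += length
    if creation_time is None:
        raise ValueError("v4 signature without a hashed creation time")
    return sig_type, digest_algo, creation_time


def check_certifications(data):
    """One verdict per user-ID certification in `data`; other packets are skipped."""
    verdicts = []
    for tag, body in iter_packets(data):
        if tag != 2:                                 # not a signature packet
            continue
        sig_type, digest_algo, created = parse_v4_signature(body)
        if sig_type not in CERTIFICATION_TYPES:
            continue
        verdicts.append({
            "sig_type": sig_type,
            "digest": DIGEST_NAMES.get(digest_algo, "algo %d" % digest_algo),
            "created": datetime.datetime.fromtimestamp(created, datetime.timezone.utc).date().isoformat(),
            "rejected": digest_algo == SHA1 and created >= SHA1_CUTOFF,
        })
    return verdicts


def build_signature_packet(sig_type, digest_algo, created, new_format=False):
    """Constructed sample: v4 signature packet with a creation-time subpacket and a dummy MPI."""
    subpacket = bytes([5, 2]) + struct.pack(">I", created)          # length 5 = type + 4-byte time
    body = bytes([4, sig_type, 1, digest_algo]) + struct.pack(">H", len(subpacket)) + subpacket
    body += struct.pack(">H", 0) + b"\x00\x00"                      # no unhashed subpackets, hash prefix
    body += struct.pack(">H", 8) + b"\xff"                          # dummy 8-bit MPI
    header = bytes([0xC0 | 2]) if new_format else bytes([0x80 | (2 << 2)])
    return header + bytes([len(body)]) + body


def _ts(year, month, day):
    return int(datetime.datetime(year, month, day, tzinfo=datetime.timezone.utc).timestamp())


def sample_stream():
    """Constructed keyring fragment: a hypothetical user ID plus four signatures."""
    uid = b"Alice <alice@example.org>"
    return (bytes([0xC0 | 13, len(uid)]) + uid
            + build_signature_packet(0x13, SHA1, _ts(2018, 6, 1))                   # pre-cutoff SHA-1: kept
            + build_signature_packet(0x10, SHA1, _ts(2019, 6, 1), new_format=True)  # SHA-1 after cutoff: rejected
            + build_signature_packet(0x13, 8, _ts(2020, 1, 8))                      # SHA-256: kept
            + build_signature_packet(0x00, SHA1, _ts(2019, 6, 1)))                  # document signature: out of scope


if __name__ == "__main__":
    for verdict in check_certifications(sample_stream()):
        print(verdict)
```

Running the script on a real keyring (for example the output of `gpg --export`) only requires the binary packet stream; the check deliberately ignores the signature value and the left 16 bits of the hash, because the policy is about the digest algorithm and the certification date, not about whether the signature verifies.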
Source: opennet.ru