Pinboard (jm)
https://pinboard.in/u:jm/public/
recent bookmarks from jmAdditional Checksum Algorithms for Amazon S32022-03-07T17:36:56+00:00
https://aws.amazon.com/blogs/aws/new-additional-checksum-algorithms-for-amazon-s3/
jmIt is now very easy for you to calculate and store checksums for data stored in Amazon S3 and to use the checksums to check the integrity of your upload and download requests. You can use this new feature to implement the digital preservation best practices and controls that are specific to your industry. In particular, you can specify the use of any one of four widely used checksum algorithms (SHA-1, SHA-256, CRC-32, and CRC-32C).
(via Last Week in AWS)]]>checksums integrity uploads s3 sha crc md5https://pinboard.in/https://pinboard.in/u:jm/b:3dbeb1888cbe/BLAKE32020-02-24T17:28:59+00:00
https://www.infoq.com/news/2020/01/blake3-fast-crypto-hash/
jmblake3 blake hashing hashes algorithms speed performance optimization shahttps://pinboard.in/https://pinboard.in/u:jm/b:386b7e9bbdfd/SHA-1 is a Shambles - First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust2020-01-07T15:08:10+00:00
https://eprint.iacr.org/2020/014
jm
Abstract: The SHA-1 hash function was designed in 1995 and has been widely used during two decades. A theoretical collision attack was first proposed in 2004 [WYY05], but due to its high complexity it was only implemented in practice in 2017, using a large GPU cluster [SBK+17]. More recently, an almost practical chosen-prefix collision attack against SHA-1 has been proposed [LP19]. This more powerful attack allows to build colliding messages with two arbitrary prefixes, which is much more threatening for real protocols.
In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with a complexity of 261.2261.2 rather than 264.7264.7, and chosen-prefix collisions with a complexity of 263.4263.4 rather than 267.1267.1. When renting cheap GPUs, this translates to a cost of 11k US\$ for a collision, and 45k US\$ for a chosen-prefix collision, within the means of academic researchers. Our actual attack required two months of computations using 900 Nvidia GTX 1060 GPUs (we paid 75k US\$ because GPU prices were higher, and we wasted some time preparing the attack).
Therefore, the same attacks that have been practical on MD5 since 2009 are now practical on SHA-1. In particular, chosen-prefix collisions can break signature schemes and handshake security in secure channel protocols (TLS, SSH). We strongly advise to remove SHA-1 from those type of applications as soon as possible. We exemplify our cryptanalysis by creating a pair of PGP/GnuPG keys with different identities, but colliding SHA-1 certificates. A SHA-1 certification of the first key can therefore be transferred to the second key, leading to a forgery. This proves that SHA-1 signatures now offers virtually no security in practice. The legacy branch of GnuPG still uses SHA-1 by default for identity certifications, but after notifying the authors, the modern branch now rejects SHA-1 signatures (the issue is tracked as CVE-2019-14855).
(Via Tony Finch)]]>via:fanf security sha sha-1 crypto hashes hashing pgp gpg collisionshttps://pinboard.in/https://pinboard.in/u:jm/b:468127bda2ca/multiformats/multihash: Self describing hashes - for future proofing2018-09-17T16:29:24+00:00
https://github.com/multiformats/multihash
jmipfs hashing multihash crypto hashes shahttps://pinboard.in/https://pinboard.in/u:jm/b:c9c746b195ae/What's the probability of a hash collision?2014-11-18T11:50:47+00:00
http://davidjohnstone.net/pages/hash-collision-probability
jmprobability hashing hashes collision risk md5 sha sha1 calculatorshttps://pinboard.in/https://pinboard.in/u:jm/b:7941face31b6/Hacker News comments thread on the Dropbox dedupe bug2011-04-25T22:20:39+00:00
http://news.ycombinator.com/item?id=2478567
jmdropbox hashes p2p filesharing tech security shahttps://pinboard.in/https://pinboard.in/u:jm/b:64200cbb0c5b/Dropbox dedupe feature allows materialization of any file, if you know its hash2011-04-25T22:11:15+00:00
http://razorfast.com/2011/04/25/dropbox-attempts-to-kill-open-source-project/
jmsecurity filesharing dropbox online-backup online-storage p2p hashes sha dmcahttps://pinboard.in/https://pinboard.in/u:jm/b:b50dc4eee992/