No, the “shattered” SHA-1 attack does not significantly impact Tor yet.
Feb 23, 2017 · 2 min read
There are three popular kinds of attacks on hash functions:
“Collision” Attacks
- In a secret laboratory, I create Document A, which has a hash of “1234”
- In the same laboratory I also create Document B, which also has a hash of “1234”
- I show you both A and B, and “1234”, smile, and say: “Aren’t I clever?”
This is what Shattered is, and most past attacks on MD5 too. It’s important in situations where people might give you a document (A) and then lie about it later, saying they actually gave you (B).
“Second Preimage” Attacks
- You give me Document A (source material) which has a hash of “1234”
- You challenge me to find a Document B which also hashes to “1234”
- I’m probably screwed, unless you used a hash function that is massively, stupidly outdated, or I have several warehouses of computers.
Nobody has done this to SHA yet.
“Preimage” (First-Preimage?) Attacks
- You challenge me to find a Document (X?) which hashes to “1234”
- You don’t give me any source material.
- Document X may need to be fit for some predetermined purpose.
- I’m pretty comprehensively screwed, unless you really messed up behind the scenes and I can work out how.
This is generally how Tor Onion Addresses work. Nobody has done this to SHA yet.
Mitigations and the Future?
- Tor is already addressing this anyway.
- Also, the chances of a document being both a preimage collision and also a functioning RSA key, are very (?) slim.
References
- preimage resistance: for essentially all pre-specified outputs, it is computationally infeasible to find any input that hashes to that output, i.e., given y, it is difficult to find an x such that h(x) = y.[1]
- second-preimage resistance: it is computationally infeasible to find any second input which has the same output as that of a specified input, i.e., given x, it is difficult to find a second preimage x′ ≠ x such that h(x) = h(x′).[1]
- a hash function H is collision resistant if it is hard to find two inputs that hash to the same output; that is, two inputs a and b such that H(a) = H(b), and a ≠ b.[1]:136
