No, the “shattered” SHA-1 attack does not significantly impact Tor yet.

Alec Muffett
Feb 23, 2017 · 2 min read

There are three popular kinds of attacks on hash functions:

“Collision” Attacks

  • In a secret laboratory, I create Document A, which has a hash of “1234”
  • In the same laboratory I also create Document B, which also has a hash of “1234”
  • I show you both A and B, and “1234”, smile, and say: “Aren’t I clever?”

This is what Shattered is, and most past attacks on MD5 too. It’s important in situations where people might give you a document (A) and then lie about it later, saying they actually gave you (B).

“Second Preimage” Attacks

  • You give me Document A (source material) which has a hash of “1234”
  • You challenge me to find a Document B which also hashes to “1234”
  • I’m probably screwed, unless you used a hash function that is massively, stupidly outdated, or I have several warehouses of computers.

Nobody has done this to SHA yet.

“Preimage” (First-Preimage?) Attacks

  • You challenge me to find a Document (X?) which hashes to “1234”
  • You don’t give me any source material.
  • Document X may need to be fit for some predetermined purpose.
  • I’m pretty comprehensively screwed, unless you really messed up behind the scenes and I can work out how.

This is generally how Tor Onion Addresses work. Nobody has done this to SHA yet.

Mitigations and the Future?

  • Tor is already addressing this anyway.
  • Also, the chances of a document being both a preimage collision and also a functioning RSA key, are very (?) slim.

References

Preimage attack - Wikipedia

By definition, an ideal hash function is such that the fastest way to compute a first or second preimage is through a…

en.wikipedia.org

Collision resistance - Wikipedia

Every hash function with more inputs than outputs will necessarily have collisions.:136Consider a hash function such as…

en.wikipedia.org

  • preimage resistance: for essentially all pre-specified outputs, it is computationally infeasible to find any input that hashes to that output, i.e., given y, it is difficult to find an x such that h(x) = y.[1]
  • second-preimage resistance: it is computationally infeasible to find any second input which has the same output as that of a specified input, i.e., given x, it is difficult to find a second preimage x′ ≠ x such that h(x) = h(x′).[1]
  • a hash function H is collision resistant if it is hard to find two inputs that hash to the same output; that is, two inputs a and b such that H(a) = H(b), and ab.[1]:136

See Also

mpm/SHA1 - Mercurial

A collision attack (also known as a birthday attack involves creating two brand new documents with the same hash. An…

www.mercurial-scm.org

Alec Muffett

Written by

Alec Muffett

Security Researcher. Recovering Cynic.

Write the first response

Discover Medium

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Make Medium yours

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Become a member

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade
AboutHelpLegal