This question is similar to this, but that one only references MD5 collision demos.
Are there any actual SHA1 collision pairs of arbitrary messages known so far ?
I'd like to use these to test how various software products (my own one and some third party) deal with it.
Doing some Google searches only turned up the oh-so prominent MD5 / SHA0 collisions and some hints on an approach to creating SHA1 collisions but I could not get my hands on any examples.
New answer as of February 23rd 2017
For more than six years, the SHA1 cryptographic hash function underpinning Internet security has been at death's door. Now it's officially dead, thanks to the submission of the first known instance of a fatal exploit known as a "collision."
Previous answer (no longer accurate)
There is no known collision for SHA-1 yet. Right now:
There are some collisions on reduced versions of SHA-1, with less than the 80 rounds of the standard SHA-1.
An algorithm has been describe, which should obtain a SHA-1 collision with a computational effort roughly equivalent to 263 invocations of SHA-1 on small messages; that's much better than generic algorithms (which require 280 invocations on average) but that's still quite big and that algorithm has not been run yet.
There was an effort to obtain a SHA-1 collision by harnessing power from whoever had some spare CPU clock cycles to donate, with the BOINC framework to organize the whole thing, but there were not enough volunteers and the effort was abandoned last year. Hence no actual SHA-1 collision yet.
Theoretical attacks rely on some assumptions which may prove to be slightly false; for instance, the attack on MD5 is actually a bit faster than expected (at some point there is a property which must be fulfilled, with a theoretical probability of 2-28, but in practice it is more like 2-27.7, i.e. the attack is 20% faster than predicted). It is still considered that the theoretical attack is correct and the complexity "rather accurate".
The first known collision has now been published at https://shattered.it/
$ curl -sSO https://shattered.it/static/shattered-1.pdf
$ curl -sSO https://shattered.it/static/shattered-2.pdf
$ sha1sum *.pdf
38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-1.pdf
38762cf7f55934b34d179ae6a4c80cadccbb7f0a shattered-2.pdf
$ sha256sum *.pdf
2bb787a73e37352f92383abe7e2902936d1059ad9f1ba6daaa9c1e58ee6970d0 shattered-1.pdf
d4488775d29bdef7993367d541064dbdda50d383f89f0aa13a6ff2e0894ba5ff shattered-2.pdf
Google's Security Blog describes the first public, intentional SHA-1 collision here:
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Direct links to 2 PDFs with the same SHA-1 (from the site dedicated to this finding):
https://shattered.it/static/shattered-1.pdf
https://shattered.it/static/shattered-2.pdf
Again, Marc Stevens was involved along with CWI Amsterdam and some Google employees, but this time for the full-round SHA-1 on two constructed PDFs.
Stevens also notes that due to SHA-1's Merkle-Damgård construction, both 2 PDFs can be extended (appended) with the same arbitrary data to produce longer versions hashing to the same digest.
Google will apparently publish the accompanying source code in 90 days from now (February 23, 2017), giving affected system suppliers some time to update their stuff.
It remains to be seen how software like git and service providers like GitHub will deal with this, especially in terms of backwards compatibility.
Linus Torvalds has issued a statement regarding git, noting that they will migrate to newer hashes in a compatible way, but that it will take time.
By the way, the "shattered" collision demo does not affect git (without modifications), because it uses SHA-1 like this:
sha1("blob " + <size in octets as text> + "\0" + <contents>)
You can get the git hash using git hash-object <file path>, even if the file is not in git.
In related news, Subversion seems to be the first real victim of this proof, causing repository corruption, thereby making the mentioned files practical exploits.
-- PREVIOUSLY... --
A 76-round collision was found by Marc Stevens.
Cryptographer Jean-Philippe Aumasson, co-creator of BLAKE and SipHash and initiator of the Password Hashing Competition (PHC), guesses an SHA-1 collision on the full 80 rounds will have been found by 2020.
According to ongoing research by Marc Stevens et al. published in October 2015,
... we estimate the SHA-1 collision cost today (i.e., Fall 2015) between
75K$ and 120K$ renting Amazon EC2 cloud computing over a few months.
By contrast, security expert Bruce Schneier previously projected the
SHA-1 collision cost to be ~173K$ by 2018.
They also describe a collision attack for SHA-1's compression function.
There is an example in Collision Search Attacks on SHA1 paper by Wang, Yin and Yu, from 2005, but just for weakened, 58-round version of SHA-1. (The full, official SHA-1 performs 80 rounds.)
3 A collision example for 58-step SHA1
h₁ = compress(h₀,M₀) = compress(h₀,M'₀)
_____________________________________________________
h₀: 67452301 efcdab89 98badcfe 10325476 c3d2e1f0
_____________________________________________________
M₀: 132b5ab6 a115775f 5bfddd6b 4dc470eb
0637938a 6cceb733 0c86a386 68080139
534047a4 a42fc29a 06085121 a3131f73
ad5da5cf 13375402 40bdc7c2 d5a839e2
_____________________________________________________
M'₀: 332b5ab6 c115776d 3bfddd28 6dc470ab
e63793c8 0cceb731 8c86a387 68080119
534047a7 e42fc2c8 46085161 43131f21
0d5da5cf 93375442 60bdc7c3 f5a83982
_____________________________________________________
h₁: 9768e739 b662af82 a0137d3e 918747cf c8ceb7d4
_____________________________________________________
Table 2: A collision of SHA1 reduced to 58 steps. The two
messages that collide are M₀ and M'₀. Note that padding
rules were not applied to the messages.
Not exactly SHA1 collision,
but there are collisions of PBKDF2-HMAC-SHA1 message digest authentication code.
For instance, PBKDF2(SHA1, password, salt, iterations, dkLen) of the two passwords plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd and eBkXQTfuBqp\'cTcar&g*, salt hunter2, 4 iterations, provide the same value (35d1c8f259129dc800ec8e073bb68f995424619c for dkLen 20).
In fact, it is trivial to find such collisions for strings longer than 64 bytes.
Another collision example (Python3):
>>> import hashlib, binascii
>>> def pbkdf2sha1hex(x, salt, iters):
... h = hashlib.pbkdf2_hmac('sha1', x, salt, iters)
... return binascii.hexlify(h)
>>> pbkdf2sha1hex(b'http://stackoverflow.com/questions/3475648/sha1-collision-demo-example/31136714', b'NaCl', 1000000)
b'20177527e04e05d5e7b448c1ab2b872f86831d0b'
>>> pbkdf2sha1hex(b'\x8c\xbf8\x94\xbc\xf4\xbe\x90xT,r\xbc\x03\xd1\xed\xd9\xea\xfb\x9f', b'NaCl', 1000000)
b'20177527e04e05d5e7b448c1ab2b872f86831d0b'
Please note that the same "problem" applies to PBKDF2-HMAC-SHA256 as well:
>>> h1 = pbkdf2_hmac('sha256', b'http://stackoverflow.com/questions/3475648/sha1-collision-demo-example/31136714', b'NaCl', 1000000)
b"\xcf\xc5\xee\x15=\r\x0b\x0e\x89r\x9b\xe1\xb7'+\xa4'o\x98kn++u\x12\xec\xd9\xec\xea\xebL\xb7"
>>> h2 = pbkdf2_hmac('sha256', b'.\x83\xb0D\x93D\x9f\x162\xf3\xd4x\xb6\x1a\x9f-\x1f\xdb\xdc\xa4\x8f\xb3\x95Y5\xea\x99*\x97\x00V\x81', b'NaCl', 1000000)
>>> h1 == h2
True
It all happens, because from the PBKDF2 definition, for long strings, it holds:PBKDF2(hashalgo, s, ...) == PBKDF2(hashalgo, hashalgo(s), ...).
More info e.g. here: https://mathiasbynens.be/notes/pbkdf2-hmac
Related
I am writing an external bootloader for the STM32F730Z8 - (why? I need one windows code that can run the bootloader for the STM32, or use the STM32 to reprog a connected ATF1508 for my client). I've done this before, using info in AN3155 and AN2606. On lesser CPUs, this has had no difficulty (i.e. STM32L4P5). In this case, I try the same:
1-cycle \RESET & BOOT0 to boot to supervisor mode
2-autobaud successfully
3-send 0x00 to get the list of commands, successfully
4-send 01 to get the version and protection, successfully (vers 49, rp and nt both 0)
5-send 02 to get chip id (0x0452), successfully
6-send 0x73 to write-unprotect flash, successfully (i.e. receive back two ACK)
7-send 0x44 to begin an extended erase (intending only to erase sector 0).
This is where it fails. I get neither ACK nor NACK - it just times out. I don't even get to the second half of the extended-erase command where I send it the sector info. (On the STM32L4P5 it succeeds here easily and goes on to finish erasing, then to write code successfully.)
I've tried very long waits & repeat loops to wait for the ACK (many minutes). From past experience this should be fast, it is only the second stage where I tell it how much flash to erase that takes any significant time.
I've inspected the protection option areas of memory, at 0x1FFF0010, 0018, and they are unprotected, as per factory defaults.
I'm communicating over an FT231XS-R, using the D2XX driver calls. I can mess with the baud rates and such, but that only prevents it from autobauding...and we're doing that fine (9600/8/1/E). I've played with the D2XX SetTimeouts - if set too hasty that only screws up earlier commands. I'm wired to a 20 MHz crystal, and the application runs at 200 MHz, but my understanding is that the bootloader just runs at the internal RC clock rate.
I'm certainly missing something stupid, but I didn't see it in the documentation. Help?
Jeff Casey / Rockfield Research Inc. / Las Vegas, NV
Fixed, disregard.
The fineprint of AN3155 clued me in. On the description of the Write Unprotect command, it says that a system reset will be performed after completion. How did I miss this on the STM32L4P5? I just didn't read it. But why did it work then? In the really fine print next page, in a footnote to the flowchart, it says that they were just foolin'....system reset is only called for some (..list omitted..) and for other STM32 products no system reset is called for.
My earlier success had the following sequence:
reboot-supervisor
autobaud
get
gvrp
gid
wpun
xerase
wpun
write
verify
reboot-user
obviously that doesn't work for the F730. what works is:
reboot-super
autobaud
get
gvrp
gid
wpun
reboot-super
autobaud
get gvrp
gid
xerase
reboot-super
autobaud
get
gvrp
gid
write
verify
reboot-user
(obviously I can skip a few of the repeated steps, like get-id, but basically it needed a reboot and re-autobaud.)
note that i had to reboot-super a 3rd time...this was because the write attempt timed out after the xerase unless i went through the whole sequence again. funny, though, the spec doesn't say anything about resetting after an erase. i cross posted this question on the STM32 community site, and I'll do the same with this answer and ping them on this.
Thanks for reading, cheers. Jeff
I'm running a security code analysis with Kiuwan on one of my Swift libs and I got one issue marked as hight vulnerability that says exactly what the title read and it's point me out this portion of my code:
53 public let data: Data
54 public var base64String: String {
55 return data.base64EncodedString()
56 }
The line 55 to be precise, witch is the Swift built in base64 string encoder from Data
Any Idea of what can I do in order to fix that vulnerability ?
If you are NOT doing encryption (wanting to perserve the confidentiality and integrity of data) then you have a false positive here. Static code analyser tools meant for security scanning are generating false positives in huge amounts. You need to dig through, understand the context and decide whether it is a bug or not yourself.
If you are doing encryption here, then it is obviously wrong.
When I set risk=3 and level=5, sqlmap takes a long time and about 1 hour to finish the task, its really tedious, I am a newbie to Penetration Testing, kindly help me.
python sqlmap.py -u "Application url" --dbms=MySQL --threads=10 -time-sec=10 --level=3 --risk=2 --cookie="PHPSESSID:1r4fk7m10s3sj0nkbgdu1a48v0" --batch -v2 -o --keep-alive --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" --no-cast --no-escape --tamper="space2comment,between"
Sometimes SQL injection is very slow and tedious (like if it requires time-based blind SQLi).
In your case, it looks like you are using -time-sec=10, which from the output of the help command is: Seconds to delay the DBMS response. So, you appear to be artificially delaying the response by 10 seconds per request. If that is necessary, of course it will take forever. If it isn't necessary, then, well... take it out and it should finish (at least) twice as fast.
Also, keep in mind that SQLi can be very noisy, and could get you caught on a pentest. Often, slow and steady is preferred.
setting higher risk and level values increases the number of attempts with different added attacks on the parameter. You should start with medium values a.ka. level=2 risk=1..etc..and then increment if it doesn't work. As the other user pointed out...sqlmap is very noisy. In a some Databases ..it will actually leave behind all the attempts as entry into the table rows.
We're making use of the newly added MessageSummaryItems.PreviewText feature. Thank you!!
On issue is: sometimes the PreviewText contains HTML links? From reading through the source I see this in ImapFolderFetch.cs
var body = message.TextBody ?? message.HtmlBody;
So this is saying: use the Plaintext version, if it exists, then use the HTML version?
Therefore if I see links in the preview, I can assume no Plaintext version is available?
Our problem with this is:
If our message only has an HTML version, We could strip the links from the message in our code, but there are only 256 characters of it. In many cases, there will be nothing left to display.
As per your TODO: Using the CONVERT extension would be a better approach but, as far as I can tell its not supported by Gmail?
A fall back would be:
If we could set the preview length for both HTML and Plaintext individually, then we could say, If you only have an HTML version give me 1K of it and i'll strip out the links on the client.
Thoughts?
Very few IMAP servers support the CONVERT extension which is the main reason I didn't implement it.
The PreviewText feature is an attempt at adding a convenience feature to fetch the first 256 bytes of each message body in batched requests in order to minimize latency, but no matter what I do, it's not guaranteed to be useful (since there could be a ton of markup before any real text is included in HTML).
If I were to split text and html messages into 2 different batches so that I could request different sizes for each, then it would be less efficient and might take significantly longer to fetch, so I'm not sure if it's really worth it. The less I'm able to batch at a time, the less useful the feature becomes compared to implementing your own loop over the list of messages and downloading your own specified chunk size. one message at a time.
My suggestion would be to use the PreviewText feature and for the rare messages where the 256 bytes isn't enough, perform a folder.GetStream() on them.
I'm collecting 802.11 packets using scapy on Ubuntu 16.04 (4.4 kernel). The RadioTap headers for my packets have the following present flags:
present=TSFT+Flags+Rate+Channel+dBm_AntSignal+b14+b29+Ext
Given the description of RadioTap, I would expect Channel to start on the 10th byte following the header and preceding fields (8 for TSFT + 1 each for Flags and Rate). Channel has an alignment of 2, so there is no need for padding. Yet this is what is in the undecoded portion of the packet:
notdecoded=' \x08\x00\x00\x00\x00\x00\x00f\xc0 \x02\x00\x00\x00\x00\x10\x02l\t\xa0\x00\xa9\x00\x00\x00\xa9\x00'
In this case the channel number actually appears at bytes 18-19 ('l\t' = 2412), and im not sure exactly what byte contains the dBm signal strength.
Anyone have an idea as to what i'm missing?
Found the answer after digging into the spec a bit deeper:
Scapy doesn't parse extended headers as signified by bit-32 (though it did tell me about them by stating +Ext above). Those extra headers are stuffed on the front of 'notdecoded' section of the packet. I think scapy should, at minimum, remove those extended headers from not-decoded to avoid future confusion.
In this particular case there are two extra 32 bit extended bitmap headers, accounting for the extra 8 bytes.
If someone wants to write an answer up with more detail, ill accept it, otherwise i will clean this answer up and accept it for perpetuity.