SHA1 is broken, do I need to worry about MySensors security?
-
Recently, Google announced that it had succeeded in calculating colliding SHA1 checksums with "reasonable" effort, thus concluding that SHA1 is now obsolete and insecure.
The MySensors security backend relies on hashes as well, but rest assured there is absolutely no impact on message signatures, as they are based on SHA256 and not SHA1.
For details on the cracking, see here.
-
Great, no use to trash my stock of atsha
-
@Nca78 indeed you don't need to do that. And according to Linus himself, we don't really need to worry about our git repositories being compromised either. And he is correct, as there is a difference in using hashes for content identifiers (like git) and security signing (like us).
For an attacker to try to make a collision attack they need to:
- Hack GitHub's security (or fool the core team)
- Design a collision that contains data that would go unnoticed in our repo.

Both quite unlikely.