LITIGATION SUPPORT TIP OF THE NIGHT

A paper was published this month, Gaëtan Leurent and Thomas Peyrin, SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust, available at: https://eprint.iacr.org/2020/014.pdf , which demonstrates a viable way to perform a collision attack on SHA-1. This is an update to the paper discussed in the Tip of the Night for May 17, 2019. Their technique makes security protocols such as SSH (the secure shell network protocol) that use SHA-1 for handshake protocols vulnerable. With handshake protocols, a control protocol uses one of a list of supported hash functions. The handshake sets a range of parameters, such as a transfer rate, before normal communication begins between two devices. The new paper shows how PGP encryption keys can be created with different IDs but the same SHA-1 hash values.

This update indicates that any protocol which supports SHA-1 can be successfully attacked even if it also uses other hash function. Leurent and Peryin now claim to prove that a man in the middle attack can force two communicating devices to use SHA-1.

Leurent and Peyrin show how a collision can be accomplished for the cost of only $11,000 of computing power. "This cost will decrease over time and in a close future will be so cheap that any ill-intentioned person could afford it." Id. at 28. The paper discussed here last year mentioned engineering a collision attack for $110,000.

As discussed in the Tip of the Night for December 20, 2018, at midnight tonight the California Consumer Privacy Act will become effective. in addition to requiring electronic devices to have unique passwords, the law will enable Californian residents to access their personal data that companies have collected; instruct the companies to delete the data; and restrict the sale of the data. Since California is such a large state, it is widely expected that companies will allow the residents of any state to opt out of the sale of their personal information, in order to make compliance with the California law simpler.

Only companies with more than $25 million in revenue; those which collect the data for more than 50,000 people; or those which make more than half their income through the sale of personal data have to comply with the new law. The law specifically requires that companies post a link on their home page named, "Do Not Sell My Personal Information”. See this example:

. . . clicking on this link leads to a form a user can fill out.

Last month, TrialWorks, which hosts the electronic records for thousands of law firms in America, fell victim to a ransomware attack. As a result, lawyers have already had to request extensions on filing deadlines. The data breach may have been caused by a disruption to Outlook service. The incident highlights the hazards of relying on cloud based records. TrialWorks allows firms to retain ownership of data. Its Uptime Practice not only allows for the hosting of data, but also software. Microsoft Office; Exchange; and SQL server are included. Law firms need not have servers on their premises. In order to function well, 512 KBs per second per user are required. TrialWorks’ case management software is among the most widely used in the legal industry, but its recent troubles highlight broader vulnerabilities in the legal world.