"if a malicious attacker could generate the same fingerprint with a different
input stream, the cloned fingerprint--known as a hash collision--would certify
that software with a back door is safe to download and execute."
"MD5's flaws that have been identified in the past few days mean that an
attacker can generate one hash collision in a few hours on a standard PC."
The SHA-1 algorithm relies on a computer executing a routine 80 times in an attempt to create a unique fingerprint. Biham said that he had been able to duplicate the fingerprint for 36 of those 80 rounds.
If vulnerabilities similar to those identified in SHA-0 are eventually discovered in SHA-1, that would mean that attempts to forge a fingerprint would be accelerated by about 500 million times--putting it within theoretical reach of a network of fast PCs.
Isn't that supposed to happen some day?
It is impossible to generate a 'unique' key that has a fixed length
from a variable-length input, since a variable-length input (key)
can have infinite values while a fixed-size fingerprint's combinations
eventually end.
BTW, it's not so 'insecure': when someone modifies the key, they need to check first
to verify or not, and this takes time, lots of time.
Also, modifying a signed executable with something else such that this 'else'
provides the same signature is again very theoretical, and practically it seems to be proved only at a theoretical level (like these science proofs).
Anyway, there is no uncrackable protection and never will be (as history has proved to us again and again).
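The pigeonhole point made in the reply above (a fixed-size fingerprint must eventually repeat) and the collision cost the article discusses can both be seen on a toy scale. The following is an added example, not code from the article or the thread: it truncates SHA-256 to a small, constructed number of bits and runs a birthday search until two different inputs share the short fingerprint, which shows why output length, not just the round count, sets the price of a collision. The `installer-v1.0-` prefix and the bit widths are made-up values.

```python
import hashlib


def fingerprint(data: bytes, bits: int) -> str:
    """Toy fingerprint: SHA-256 truncated to `bits` bits, returned as hex.

    The truncation is a constructed weakness so that collisions are cheap
    enough to find on a laptop; it is not a property of SHA-256 itself.
    """
    assert bits % 4 == 0 and 0 < bits <= 256, "bits must be a multiple of 4"
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return format(digest >> (256 - bits), f"0{bits // 4}x")


def find_collision(bits: int, prefix: bytes = b"installer-v1.0-") -> tuple[bytes, bytes, int]:
    """Birthday search: hash distinct counter-based inputs until two share a
    truncated fingerprint. Returns (input_a, input_b, trials). Deterministic,
    because the candidate inputs are generated from a counter, not randomly.
    """
    seen: dict[str, bytes] = {}
    trials = 0
    while True:
        candidate = prefix + str(trials).encode()
        trials += 1
        fp = fingerprint(candidate, bits)
        if fp in seen and seen[fp] != candidate:
            return seen[fp], candidate, trials
        seen[fp] = candidate


def verify_collision(a: bytes, b: bytes, bits: int) -> bool:
    """True only if a and b differ, share the truncated fingerprint, and have
    different full SHA-256 digests (i.e. the collision exists only because the
    fingerprint was shortened)."""
    return (
        a != b
        and fingerprint(a, bits) == fingerprint(b, bits)
        and hashlib.sha256(a).digest() != hashlib.sha256(b).digest()
    )


if __name__ == "__main__":
    # Trials grow roughly like 2**(bits/2): each extra 8 bits of output
    # multiplies the expected search cost by about 16.
    for bits in (16, 24, 32):
        a, b, trials = find_collision(bits)
        print(f"{bits}-bit fingerprint {fingerprint(a, bits)}: "
              f"{a!r} and {b!r} collide after {trials} trials")
```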