IETF Logo Mail Archive

Re: [Dcrup] rsa-sha1 usage

Eric Rescorla <ekr@rtfm.com> Tue, 13 June 2017 15:09 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DDA4131A9E for <dcrup@ietfa.amsl.com>; Tue, 13 Jun 2017 08:09:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MgrUkp4NSw7N for <dcrup@ietfa.amsl.com>; Tue, 13 Jun 2017 08:09:23 -0700 (PDT)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77F06131975 for <dcrup@ietf.org>; Tue, 13 Jun 2017 07:54:23 -0700 (PDT)
Received: by mail-yw0-x22b.google.com with SMTP id e142so43240065ywa.1 for <dcrup@ietf.org>; Tue, 13 Jun 2017 07:54:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=TpdN3FC6IIxYJr4ixo0ZtjzQpHXlfQpsomvLWzZknis=; b=wtN/x80mVUf8szAgB22awnPc1fbd5LRBlnFVxM6XctyXUR3ewRISvGQpyHcEgjfrtk Z6q2UG0xM/maxcqdCQBXzMvJEIQjdbJ5H2gDqaclb29jnXq0a/XDOelv+JzQ3PFl8tJW miX9M5RacaUTphtI0iqxJJtwNtRC2DagtvTGxrMPmQd+M81yUr7nQaObLjhtLlj/ft+B r4Ifan12//wQI+oWBQN3vpkEk7NqZrdIU8YrlpD6Xv0+kubt+BMk3AWZk8WWNPhatiLe pwPZKMOd5VPu6Tf4CZMhJ258HCRbbaRKavLvjaROJcsPsKeEwmzeyaAM3WUCcW8dONLn 1UqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=TpdN3FC6IIxYJr4ixo0ZtjzQpHXlfQpsomvLWzZknis=; b=GVH4uUsom7+Y0KgiHdCzI9jqQvC0OBv/dvPUhAvZg2coQf5d1Mi4y0qiM1iTUYTHsj 7XztqOCyZPo7QON9FXTMqL10Qi5purlk/b3Bh5OdB6TU1tnt3GcL+GQ78VOAFGGBv9E7 TZs5SSEZ5+M1lkaFxn+1DHvJJt7O+5e/EZr2076HVVpZMN58K2LJEuWhWcoOUGq3A5tp CF4XQfTencOZhacihh16UwrMtHP/ipPdb5O9hXe9JcBb7wSmB7VI0nrcL9uj7XJX3a9t 7dFK1P74kIv6q2q4Bl747krUZRRDjmNU8W3pVBH2DU586PXr+aXHQ5tRNVvuNxku9Tzg 6ObA==
X-Gm-Message-State: AKS2vOxSrUUM/7Z8oExGLShBcH0EuzyO37HsBPKa3tMl9DNg5lOne+SB Zd1Xw7UIkZNArXH0508nnuqepxjptVbzBSY=
X-Received: by 10.129.109.4 with SMTP id i4mr3665656ywc.3.1497365662664; Tue, 13 Jun 2017 07:54:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.144 with HTTP; Tue, 13 Jun 2017 07:53:42 -0700 (PDT)
In-Reply-To: <aa52134a-ac20-bd70-8834-1598a8eaa536@bluepopcorn.net>
References: <m38tkw53bd.fsf@carbon.jhcloos.org> <CABa8R6s6rzc+Ky8sLWcK7NtforSksEhNRkWVeF=k1v8GC80knw@mail.gmail.com> <m3wp8gpx20.fsf@carbon.jhcloos.org> <CAOj=BA2O+Hf2VGOtbmnqY2M5J9u8uJ7wm7SxEW551SXBwDdanw@mail.gmail.com> <5bf52517591d4950aec335d31bcf3631@usma1ex-dag1mb1.msg.corp.akamai.com> <aa52134a-ac20-bd70-8834-1598a8eaa536@bluepopcorn.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 13 Jun 2017 15:53:42 +0100
Message-ID: <CABcZeBPrQzcL-ESzCuaQ4RAL6HywRUWoQxisVAGp3S_2-wenng@mail.gmail.com>
To: Jim Fenton <fenton@bluepopcorn.net>
Cc: dcrup@ietf.org
Content-Type: multipart/alternative; boundary="001a114dd1846c37ba0551d89c48"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/Hw0HNGcx8hNhdCzfqHbnLzivvwM>
Subject: Re: [Dcrup] rsa-sha1 usage
X-BeenThere: dcrup@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DKIM Crypto Update <dcrup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dcrup>, <mailto:dcrup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup/>
List-Post: <mailto:dcrup@ietf.org>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dcrup>, <mailto:dcrup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2017 15:09:26 -0000

Well, this would require a second preimage. My sense is that nobody is
close to that at all with SHA-1....

-Ekr


On Tue, Jun 13, 2017 at 3:41 PM, Jim Fenton <fenton@bluepopcorn.net> wrote:

> On 6/13/17 5:05 AM, Salz, Rich wrote:
>
> As a newcomer to DKIM (I come from the crypto side of things) I am a bit
> confused.
>
>
>
> Certificates last for a couple of years, and so there was a strong
> motivation to move off MD5 and then SHA1, because of the concern that
> someone would find a collision and create a bogus certificate during the
> original cert’s lifetime.
>
>
>
> But I’ve heard that DKIM “trust lifetime” is much shorter.  Is it?  What
> is the expected lifetime for relying on a DKIM signature?
>
>
> The expected lifetime is on the order of a week (message delivery
> timeout). But the signature doesn't have an expiration time, so if someone
> can construct a second message with the same hash, they could replay the
> signature, potentially much later if the public key is still in DNS.
>
> IMO it seems very unlikely, even with the known weaknesses in SHA-1, that
> in the near future someone would be able to construct such a message that
> would be exploitable by an attacker (e.g., spam or a phishing attack). That
> will likely change in the future, so we should tell signers to stop using
> SHA-1 ASAP and tell verifiers to stop accepting those signatures sometime
> later.
>
> If anyone knows something yet more serious about exploitability of
> rsa-sha1, please set me straight.
>
> -Jim
>
> _______________________________________________
> Dcrup mailing list
> Dcrup@ietf.org
> https://www.ietf.org/mailman/listinfo/dcrup
>
>

v2.30.2 | Report a Bug | By Email | System Status