Re: [DNSOP] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

On Wed, Jan 08, 2020 at 08:50:05AM -0800, Ólafur Guðmundsson wrote:

> Due to the structure of DNS records this is hard to pull off,

Yes, at present.

> The only RR types that are suspect are the ones that can have 1440 of
> "garbage" at the end

Yes, at present, but the attacks may continue to improve, perhaps
requiring fewer attacker supplied blocks to reach a collision.

> DS has fixed size so I it can not be used unless someone figures out how
> select blocks that include valid DNS record envelopes.

Yes, while the block count to go from a chosen prefix to a collision is
substantially more than 2.

> TXT will work if the attacker can encode lengths of the individual strings
> into a valid record ==> but who cares about TXT abuse

This is not correct, because with chosen-prefix attacks the two messages
that collide need not share the same owner and type (that's the whole
point of chosen-prefix, the initial segment of the second message can be
freely chosen by the attacker).  Therefore the TXT record can have the
same signature as some more important record, perhaps a fake DNSKEY
RRset for the zone apex!

> DNSKEY is with RSA is good candidate for this attack as any DNSKEY RRset
> for SHA1 algorithms can be attacked by adding a key that sorts to be last
> and is larger than 1440 bits.

But the real DNSKEY RRset is not attacker controlled, whoever creates
the zone's DNSKEY RRs can already subvert the zone content in whatever
way they see fit.  Legitimate signatures of DNSKEYs are not at risk.

> Thus anyone that is using RSA algorithm < 8 should think about key or
> algorithm rollover

Yes, on this we can agree, even though the risk is lower for "leaf"
zones that only sign their own content.

-- 
    
    Viktor.