Re: [DNSOP] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1

Viktor Dukhovni <> Wed, 08 January 2020 17:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D9D06120842 for <>; Wed, 8 Jan 2020 09:12:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iLbMs5AROkV3 for <>; Wed, 8 Jan 2020 09:12:43 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C681012082F for <>; Wed, 8 Jan 2020 09:12:43 -0800 (PST)
Received: by (Postfix, from userid 1001) id BBB772AEF69; Wed, 8 Jan 2020 12:12:42 -0500 (EST)
Date: Wed, 8 Jan 2020 12:12:42 -0500
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <>
Subject: Re: [DNSOP] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Jan 2020 17:12:46 -0000

On Tue, Jan 07, 2020 at 11:18:08AM -0500, Viktor Dukhovni wrote:

> This does not mean that staying with algorithm 7 (RSASHA1) is a good
> idea, but may buy more time to migrate in an orderly manner.

A thread today on dns-operations seems to suggest there's some confusion
about which uses of SHA-1 are at near-term risk of compromise, and which
still are still safe.

Executive summary:

    Zones signed with algorithms 5 and 7 SHOULD migrate to algorithms 8
    or (IMHO preferably) 13.  Especially when importing customer data or
    delegating child zones not under your control.

    Perhaps a draft is warranted that strengthens the advice to avoid 5
    and 7 in

Maybe I can shed some light on this, and make some recommendations.

    - There are still no known pre-image or 2nd pre-image attacks on
      SHA-1 where given a digest an attacker could create a different
      message with the same digest.

          Users of SHA-1 in a protocol that requires only pre-image
          resistance should still migrate to a stronger hash function
          (e.g.  SHA2-256), but they're not immediately at risk.

          For example, the use of SHA-1 as a digest type in DS records
          is not presently at risk, this only requires 2nd pre-image
          resistance.  Also the use of SHA-1 in NSEC3 records poses no
          new risk.

    - There are still no known attacks on SHA1-HMAC, indeed even
      HMAC-MD5 (IIRC) remains unbroken.  But neither are recommended
      in new applications.

          Users of SHA-1 in a protocol that employs a strong secret key
          with HMAC for data integrity should still migrate to a stronger
          secret MAC function (e.g.  HMAC-SHA2-256), but they're not
          immediately at risk.

    - Collision attacks, indeed "chosen-prefix" collision attacks on
      SHA-1 are now somewhat practical (at around 2^64 CPU cost).

          This substantially weakens SHA-1 when used for signing hashed
          content, where a long-enough portion of the content
          (especially the tail) is contributed by an outside party.

          The weakness is particularly significant when signatures are
          over "data at rest" (certificates, DS records, ...) rather
          than say TLS handshake messages, where the attack would have
          to be performed in real-time.

          Users of SHA-1 signatures over data that is not entirely
          *controlled by the signer*, should promptly begin moving to
          new signature algorithms that use SHA2-256 or similar.

In the context of DNSSEC what this might mean:

    - TLD and other public suffix zones that sign DS RRsets for
      child zones they don't control should phase out use of
      algorithms 5 and 7.  In the meantime DS record RDATA
      should be validated to have the expected hash value length.

    - Zones that consolidate and sign DNS records for multiple
      customers, without delegating a separate zone for each customer
      are at greater risk, as e.g. the longer free-form RDATA of
      TXT records makes a more attractive target for chosen-prefix
      attacks than DS record hashes.

    - Zones that only sign *their own* data, with no input from
      untrusted outsiders are not immediately at risk from the
      recent attacks, but should nevertheless plan to move away
      from algorithms 5 and 7 (to 8 or 13).

    - Perhaps a SHOULD NOT rather than NOT RECOMMENDED for DNSSEC
      Signing, while for now DNSSEC Validation continues to require
      support for 5 and 7, which are still common:

      even among TLDs[1], with e.g. .ORG signed with algorithm 5.



  -  274 TLDs sign with SHA-1 based signature algorithms 5 or 7
  - 1102 TLDs sign with SHA2 based signature algorithms 8, 10 or 13
  -    1 TLD  (.bg Bulgaria) is "mixed", it has both
              algorithms 5 and 8 in its DNSKEY RRset.