Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

Marcus Brinkmann <marcus.brinkmann@rub.de> Thu, 23 January 2020 15:57 UTC

To: openpgp@ietf.org
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <878slzdwb2.fsf@mid.deneb.enyo.de>
From: Marcus Brinkmann <marcus.brinkmann@rub.de>
Message-ID: <99133cd4-cd9d-a364-2cd9-02f955096926@rub.de>
Date: Thu, 23 Jan 2020 16:57:30 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ALA2kmOdKNQhCoqOi40ok04RZFY>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

Hi,

On 1/22/20 10:18 PM, Florian Weimer wrote:
> * Marcus Brinkmann:
> 
>> * Do not sign photo ids.  In fact, photo ids are problematic in many
>> other ways and should be deprecated and not be used anymore. Support for
>> user attribute packets should be dropped from the standard.
> 
> I expect that a similar attack would work involving non-critical
> hashed subpackets in the private area.  They should provide enough
> wiggle room.

You certainly can use hashed subpackets to get a collision, although the
attacker would then need to control the content of such a subpacket
during signing (which is not required by the setup in the paper).

I have to add another point to the list of observations.  From the
paper: "We point out that the chosen-prefix collision is computed before
choosing the UserIDs and images that will be used in the attack.
Therefore, a single CPC can be reused to attack many different victims"

Recommendation: It would be prudent for implementers to blacklist public
keys starting with the same bits as the published colliding key for bob
under https://sha-mbles.github.io/bob.asc.

The authors also describe an attack variant where the collision is made
within the jpg, but this requires computing a new collision for each
individual attack.  They suspect that more variants are possible.

Thanks,
Marcus

-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Phone: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
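
One way to implement the prefix blocklist recommended in the message above, as an added example that is not part of the original post or of any OpenPGP implementation. The prefix value, its length and all function names are assumptions: the real leading bytes would have to be taken from the published key, and the sample keyrings are constructed.

```python
# Constructed placeholder prefix (version 4, creation time, RSA, start of MPI).
# It is NOT taken from bob.asc; load the real leading bytes from that key.
BLOCKED_PREFIXES = [bytes.fromhex("04" "5e000000" "01" "1800" "c0ffee")]

def iter_packets(data):
    """Yield (tag, body) per packet in binary (de-armored) OpenPGP data.
    Malformed input raises, so the caller can reject the key (fail closed)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled")
            n = 1 << ltype
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def blocked_key_packets(data, prefixes=BLOCKED_PREFIXES):
    """Positions of public-key (6) / public-subkey (14) packets whose body
    starts with a blocked prefix."""
    return [n for n, (tag, body) in enumerate(iter_packets(data))
            if tag in (6, 14) and any(body.startswith(p) for p in prefixes)]

def old_packet(tag, body):
    """Build an old-format packet with a 2-byte length (for the samples)."""
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

# Constructed sample keyrings: truncated key material, not valid keys.
SUSPECT = (old_packet(6, BLOCKED_PREFIXES[0] + b"\x00" * 16)
           + old_packet(13, b"Bob <bob@example.org>"))
BENIGN = (old_packet(6, bytes.fromhex("045e00000001180011223344") + b"\x00" * 16)
          + old_packet(13, b"Alice <alice@example.org>"))
```

The comparison runs on the packet body, so it is independent of whether the key arrives with an old-format or new-format packet header.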