Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

vedaal@nym.hush.com Thu, 23 January 2020 23:08 UTC

Date: Thu, 23 Jan 2020 18:08:10 -0500
To: Kai Engert <kaie@kuix.de>, openpgp@ietf.org
From: vedaal@nym.hush.com
In-Reply-To: <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
Message-Id: <20200123230810.D979DC0640@smtp.hushmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/H9pWKlINt6aQ5cOA5-9hURqrY7g>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

On 1/23/2020 at 5:57 PM, "Kai Engert" wrote:
> On 22.01.20 15:31, Marcus Brinkmann wrote:
> > * The authors could have easily created colliding public keys with
> > identical (160 bit SHA-1) fingerprints, at the cost of 45k USD.
> > Although I don't know about any attack made possible by owning such a
> > pair of keys, the pure existence of a fingerprint collision could cause
> > problems in some applications, triggering potential bugs in code that
> > assumes fingerprints can never be identical.
>
> Does this mean anyone can create a key pair that has the same
> fingerprint as I have on my business card, by spending that amount of
> money?

=====
I have not checked the original paper, but I *think* they were talking
about making a key collision with a given 160-bit SHA-1 fingerprint,
but *without* the same name and e-mail address,
which would be much less of a practical threat.

Anybody, please correct me if I am wrong and they did include the name
and e-mail in the proposal for a successful collision.

Thanks,

vedaal
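
Editor's note, added example (not part of the message above or of the thread): the distinction vedaal draws between "same fingerprint" and "same name and e-mail" maps directly onto the packet layout. Per RFC 4880 section 12.2, a v4 fingerprint is SHA-1 over the octet 0x99, a two-octet length, and the public-key packet body (version, creation time, algorithm, key MPIs). The name and e-mail address live in a separate User ID packet that is bound to the key by a self-signature, so they contribute nothing to the 160 bits. The script below builds a minimal certificate from constructed key material (the modulus is a made-up number, not a real RSA key), parses it back, and computes the fingerprint; the packet formats and constants follow RFC 4880, the function names and sample values are this example's own.

```python
"""OpenPGP v4 fingerprint (RFC 4880 section 12.2) over a constructed certificate.

Added example, not code from the thread: shows which bytes the 160-bit SHA-1
fingerprint covers (the public-key packet only) and that the User ID packet
carrying name and e-mail is not among them.
"""
import hashlib
import struct

PUBLIC_KEY_TAG = 6   # RFC 4880 section 5.5.1.1
USER_ID_TAG = 13     # RFC 4880 section 5.11


def mpi(n: int) -> bytes:
    """Multiprecision integer (section 3.2): 2-octet bit length, then big-endian magnitude."""
    bitlen = n.bit_length()
    return struct.pack(">H", bitlen) + n.to_bytes((bitlen + 7) // 8, "big")


def old_format_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header (section 4.2.1) with a two-octet body length."""
    if len(body) >= 0x10000:
        raise ValueError("body too long for a two-octet length")
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body


def rsa_public_key_body(creation_time: int, n: int, e: int) -> bytes:
    """Version 4 public-key packet body (section 5.5.2): version octet, creation
    time, algorithm octet (1 = RSA), then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", creation_time) + b"\x01" + mpi(n) + mpi(e)


def parse_packets(data: bytes):
    """Yield (tag, body) for a run of old-format packets with 1-, 2- or 4-octet lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if (ctb & 0xC0) != 0x80:
            raise ValueError("only old-format packet headers are handled here")
        tag = (ctb >> 2) & 0x0F
        length_type = ctb & 0x03
        if length_type == 0:
            length, header = data[i + 1], 2
        elif length_type == 1:
            length, header = struct.unpack(">H", data[i + 1:i + 3])[0], 3
        elif length_type == 2:
            length, header = struct.unpack(">I", data[i + 1:i + 5])[0], 5
        else:
            raise ValueError("indeterminate-length packets are not handled here")
        body = data[i + header:i + header + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += header + length


def v4_fingerprint(key_body: bytes) -> str:
    """Section 12.2: SHA-1 over 0x99, the two-octet body length, and the key packet body."""
    preimage = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    return hashlib.sha1(preimage).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit Key ID is the low-order eight octets of the v4 fingerprint."""
    return fingerprint[-16:]


def certificate_fingerprint(cert: bytes) -> str:
    """Fingerprint of the primary key in a serialized certificate; all other packets are ignored."""
    for tag, body in parse_packets(cert):
        if tag == PUBLIC_KEY_TAG:
            if body[0] != 4:
                raise ValueError("only version 4 keys are handled here")
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")


def build_certificate(creation_time: int, n: int, e: int, user_id: str) -> bytes:
    """Minimal transferable public key: key packet followed by one User ID packet.
    A real certificate would also carry a self-signature binding the two."""
    return (old_format_packet(PUBLIC_KEY_TAG, rsa_public_key_body(creation_time, n, e))
            + old_format_packet(USER_ID_TAG, user_id.encode("utf-8")))


# Constructed sample values for illustration only; MODULUS is not a real RSA modulus.
CREATED = 1579820890
MODULUS = (1 << 2047) | 0x1D3F5C7B9
EXPONENT = 65537


if __name__ == "__main__":
    alice = build_certificate(CREATED, MODULUS, EXPONENT, "Alice <alice@example.org>")
    mallory = build_certificate(CREATED, MODULUS, EXPONENT, "Mallory <mallory@example.net>")
    fp_alice = certificate_fingerprint(alice)
    print("fingerprint:", fp_alice, "key id:", long_key_id(fp_alice))
    # Same key material under a different name and address: identical fingerprint,
    # because the User ID packet never enters the hash.
    print("same fingerprint, different User ID:", fp_alice == certificate_fingerprint(mallory))
    # Any change inside the key packet (here one second of creation time) changes it.
    later = build_certificate(CREATED + 1, MODULUS, EXPONENT, "Alice <alice@example.org>")
    print("same fingerprint, creation time +1s:", fp_alice == certificate_fingerprint(later))
```

Running it prints the same fingerprint for the two certificates that differ only in their User ID, and a different one as soon as a single byte of the key packet changes. That is why a fingerprint collision and a matching name and e-mail are two separate problems: the first is a SHA-1 collision on the public-key packet, while attaching a chosen User ID to a key requires a valid self-signature over that (key, User ID) pair, which is a forgery of a different hash input.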