[openpgp] SHA1 collision detection in OpenPGP
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 19 April 2022 15:47 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D9883A086E for <openpgp@ietfa.amsl.com>; Tue, 19 Apr 2022 08:47:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.316
X-Spam-Level:
X-Spam-Status: No, score=-6.316 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=uT2TrTA4; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=I/lZrSzJ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BVCiuiXCzVHL for <openpgp@ietfa.amsl.com>; Tue, 19 Apr 2022 08:47:47 -0700 (PDT)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BC993A0873 for <openpgp@ietf.org>; Tue, 19 Apr 2022 08:47:46 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1650383266; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=0BvPvv1t49tPzBxZfQ5BzuFbZYRsTEg1RTAmieVnOPw=; b=uT2TrTA4hktdA9wdeCLWjEuXrPPeSRP/OlH6hgIt/uG+b+raqQDjZVADrerpQl0/rQJW/ aGYyqH8J7tJ7jR/Dw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1650383266; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=0BvPvv1t49tPzBxZfQ5BzuFbZYRsTEg1RTAmieVnOPw=; b=I/lZrSzJ+aetWv4wPXcziquVWXgu54C2ZuGja43jBtS4GG+hw1PYNJUGbxmvAidsJ9DRJ yS5dvYMBLeyLcaz240kOwaCGLIT/n6Bgs+mWDxhDKQAZ01M7ZDD9qEpkaAw1p0oV77zVZUW k/9TrooS8sbBiG7tFFrar7ncqVHtUKfRC5xwMK90tQvKICf3cB8n0WNDTHyRrjj7tp8ZV/B a/Qb4KhwN3uT00hv2cOUbo0tIbuDbsR6oNzWaob1aKWXaEpmPmEliOgC3X+gDGv89DqRDOT ecOKyTPvMhwxxP7zG8cElcHnIkvFSroi11E2/wT57rs7x2TeWHpZva1Kqg5w==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 049C2F9AE for <openpgp@ietf.org>; Tue, 19 Apr 2022 11:47:45 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 239E5203AE; Tue, 19 Apr 2022 07:59:41 -0700 (PDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Tue, 19 Apr 2022 10:59:37 -0400
Message-ID: <87ee1tw23q.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/bxMsN9h3tyoPFbk3fzT0EiH31xA>
Subject: [openpgp] SHA1 collision detection in OpenPGP
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2022 15:47:53 -0000
Hey folks-- In the editor's copy of the crypto refresh of RFC 4880, there's a new section about implementations can deal with SHA-1 when they encounter it. I wanted to send a heads-up to the WG about this text. The end goal of course is for SHA-1 to be gone, but we need to recognize that implementations will still be encountering data that uses SHA-1 for quite some time, and outright rejection of all SHA-1 isn't always possible. For example, SEIPDv1+MDC still embeds the use of SHA-1 and not everyone will be able to move immediately to SEIPDv2 and discard all old encrypted material. In particular, the upcoming draft gently suggests that when computing SHA1 in any OpenPGP context, an implementation MAY consider adopting a variant of SHA1 that is nearly identical, but detects known mechanisms for creating SHA1 collisions, and creates either an error or changes the output when they're detected. This is known as "sha1 collision detection": https://openpgp-wg.gitlab.io/rfc4880bis/#name-sha-1-collision-detection The full text currently is: 15.1. SHA-1 Collision Detection As described in [SHAMBLES], the SHA-1 digest algorithm is not collision-resistant. However, an OpenPGP implementation cannot completely discard the SHA-1 algorithm, because it is required for implementing and reasoning about V4 public keys. In particular, the V4 fingerprint derivation uses SHA-1. So as long as an OpenPGP implementation supports V4 public keys, it will need to implement SHA-1 in at least some scenarios. To avoid the risk of uncertain breakage from a maliciously introduced SHA-1 collision, an OpenPGP implementation MAY attempt to detect when a hash input is likely from a known collision attack, and then either deliberately reject the hash input or modifying the hash output. This should convert an uncertain breakage (where it is unclear what the effect of a collision will be) to an explicit breakage, which is more desirable for a robust implementation. [STEVENS2013] describes a method for detecting indicators of well-known SHA-1 collision attacks. Some example C code implementing this technique can be found at [SHA1CD]. [ informative references ] [SHA1CD] Stevens, M. and D. Shumow, "sha1collisiondetection", 2017, <https://github.com/cr-marcstevens/sha1collisiondetection>. [SHAMBLES] Leurent, G. and T. Peyrin, "Sha-1 is a shambles: First chosen-prefix collision on sha-1 and application to the PGP web of trust", 2020, <https://sha-mbles.github.io/>. [STEVENS2013] Stevens, M., "Counter-cryptanalysis", June 2013, <https://eprint.iacr.org/2013/358>. If folks in the WG have objections to this, or concerns about it, it would be good to hear! (and, if you are ok with it, or think it's wonderful, it would be good to hear that too -- we're not just looking for negative responses) --dkg
- [openpgp] SHA1 collision detection in OpenPGP Daniel Kahn Gillmor