Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 10 January 2020 01:44 UTC

Date: Thu, 09 Jan 2020 20:44:41 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20200110014441.GK73491@straasha.imrryr.org>
Reply-To: saag@ietf.org
References: <A6C5B299-54AE-48E8-98BF-981C85B9D3BE@vigilsec.com> <CAH8yC8=DWfzTw=meTG0_jGDt_qDmw20khR_U1Z0df0R-K0hN6Q@mail.gmail.com> <CAMm+LwisLm78peKYk7N_C1y3f8vjRgOrf9Ut9XwGGZZ-vK5zFA@mail.gmail.com> <1578554217695.69920@cs.auckland.ac.nz> <CACsn0c=LENQtn_UA0vmr4kk8k-d609Ftxwzf7QKMbKVf_0u9vA@mail.gmail.com> <1578619724689.8862@cs.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1578619724689.8862@cs.auckland.ac.nz>
User-Agent: Mutt/1.12.2 (2019-09-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/FprSTdTtVYnUBKAxWZqjM2x1U1s>
Subject: Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1

On Fri, Jan 10, 2020 at 01:28:41AM +0000, Peter Gutmann wrote:

> Again, this is just to understand how to mitigate problems for legacy stuff,
> not to try and prolong SHA-1 use indefinitely, but it would be good to
> understand where the exact risks for SHA-1 use lie.

In the DNSSEC space, it now seems a good time to emphasize the
deprecation (RFC 8624) of algorithms 5 and 7, which sign with RSA-SHA1:

    https://tools.ietf.org/html/rfc8624#section-3.1

The potential avenues for abuse are explored at:

    https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html

The attack is still comparatively expensive, and the attacks are
contingent on some additional operational practices, but there seems to
be enough exposure, which is likely only to get worse, that it is much
easier to tell users to move along to stronger algorithms than to try to
explain which use-cases remain safe and which do not.

-- 
    Viktor.
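One way to find the records this message is about, as an added example that is not part of the original post and not from any DNSSEC implementation: a small audit of DNSKEY, RRSIG and DS records in presentation format that flags signing algorithms 5 and 7 (the RSA/SHA-1 algorithms) and DS records with digest type 1 (SHA-1). The zone data, key material and signatures in `SAMPLE_ZONE` are constructed placeholders; the function and record names are my own.

```python
"""Flag DNSSEC records that still depend on SHA-1 (algorithms 5/7, DS digest 1)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry. 5 and 7 are the
# RSA/SHA-1 algorithms whose use for signing the message above wants retired.
ALGORITHM_NAMES = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}
SHA1_SIGNING_ALGORITHMS = {5, 7}
SHA1_DS_DIGEST_TYPE = 1  # DS digest type 1 is SHA-1

# Presentation-format records with an optional TTL and class IN. Only the
# fields the audit needs are captured; key/signature material is ignored.
_RR = r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+"
DNSKEY_RE = re.compile(_RR + r"DNSKEY\s+(?P<flags>\d+)\s+\d+\s+(?P<alg>\d+)\s+")
RRSIG_RE = re.compile(_RR + r"RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+")
DS_RE = re.compile(_RR + r"DS\s+(?P<keytag>\d+)\s+(?P<alg>\d+)\s+(?P<digest>\d+)\s+")


@dataclass(frozen=True)
class Finding:
    owner: str
    rrtype: str
    algorithm: int
    detail: str


def audit_zone(zone_text: str) -> list[Finding]:
    """Return one Finding per DNSKEY, RRSIG or DS record that still relies on
    SHA-1: signing algorithm 5 or 7, or a DS digest of type 1."""
    findings: list[Finding] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = DNSKEY_RE.match(line)
        if m:
            alg = int(m["alg"])
            if alg in SHA1_SIGNING_ALGORITHMS:
                role = "KSK" if int(m["flags"]) & 1 else "ZSK"  # SEP bit set => KSK
                findings.append(Finding(m["owner"], "DNSKEY", alg,
                                        f"{role} uses {ALGORITHM_NAMES[alg]}"))
            continue
        m = RRSIG_RE.match(line)
        if m:
            alg = int(m["alg"])
            if alg in SHA1_SIGNING_ALGORITHMS:
                findings.append(Finding(m["owner"], "RRSIG", alg,
                                        f"{m['covered']} RRset signed with {ALGORITHM_NAMES[alg]}"))
            continue
        m = DS_RE.match(line)
        if m:
            alg, digest = int(m["alg"]), int(m["digest"])
            parts = []
            if alg in SHA1_SIGNING_ALGORITHMS:
                parts.append(f"delegates to {ALGORITHM_NAMES[alg]} key tag {m['keytag']}")
            if digest == SHA1_DS_DIGEST_TYPE:
                parts.append("DS digest type 1 (SHA-1)")
            if parts:
                findings.append(Finding(m["owner"], "DS", alg, "; ".join(parts)))
    return findings


# Constructed sample: a zone still on algorithm 7 with a SHA-1 DS in the parent,
# next to a zone on ECDSA P-256 with a SHA-256 DS. Key and signature fields are
# dummy base64, not real cryptographic material.
SAMPLE_ZONE = """\
; legacy zone: RSASHA1-NSEC3-SHA1 everywhere
legacy.test.  3600 IN DNSKEY 257 3 7 AwEAAdummykskmaterial==
legacy.test.  3600 IN DNSKEY 256 3 7 AwEAAdummyzskmaterial==
legacy.test.  3600 IN RRSIG  SOA 7 2 3600 20200201000000 20200101000000 12345 legacy.test. dummysig==
legacy.test.  3600 IN DS     12345 7 1 0123456789abcdef0123456789abcdef01234567
; modern zone: ECDSAP256SHA256 with a SHA-256 DS
modern.test.  3600 IN DNSKEY 257 3 13 dummyecdsakey==
modern.test.  3600 IN RRSIG  SOA 13 2 3600 20200201000000 20200101000000 54321 modern.test. dummysig==
modern.test.  3600 IN DS     54321 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print(f"{f.owner} {f.rrtype} alg={f.algorithm}: {f.detail}")
```

Run against a `dig +dnssec` dump or a signed zone file, the audit lists every record a resolver would still have to trust on the strength of SHA-1; an empty result for the DNSKEY and RRSIG rows is what a completed algorithm rollover to 8, 13 or 15 looks like, and the DS row only clears once the parent has republished the delegation.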