Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1

Watson Ladd <watsonbladd@gmail.com> Thu, 09 January 2020 16:46 UTC

References: <A6C5B299-54AE-48E8-98BF-981C85B9D3BE@vigilsec.com> <CAH8yC8=DWfzTw=meTG0_jGDt_qDmw20khR_U1Z0df0R-K0hN6Q@mail.gmail.com> <CAMm+LwisLm78peKYk7N_C1y3f8vjRgOrf9Ut9XwGGZZ-vK5zFA@mail.gmail.com> <1578554217695.69920@cs.auckland.ac.nz>
In-Reply-To: <1578554217695.69920@cs.auckland.ac.nz>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 09 Jan 2020 11:45:47 -0500
Message-ID: <CACsn0c=LENQtn_UA0vmr4kk8k-d609Ftxwzf7QKMbKVf_0u9vA@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, noloader@gmail.com, IETF SAAG <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/SdtYSmR9vAWDrkXsURmYLbknI7o>

On Thu, Jan 9, 2020 Peter Gutmann wrote:

> A simple countermeasure there for long-lived signatures where this type of
> attack is a threat (assuming the ASN.1-reinterpretation is achievable), e.g.
> X.509 certs in legacy deployments, is that if SHA-1 is being used, reject
> certs with an unknown extension, or one with type-and-value fields of
> unknown type.

Let's look at actual exploitation of a chosen prefix attack in the CA
ecosystem. This happened twice, once as a talk demo and another time as
part of a cyberattack.

http://deweger.xs4all.nl/papers/[41]StSoApLeMoOsdW-RogueCA-Crypto[2009].pdf

Did the attackers succeed? Yes
Did they need a custom extension? No
Does the countermeasure work? No

Why is this less work than disabling SHA-1 verification 14 years after
Wang's attacks, 3 years after the Web PKI disabled SHA-1, etc.?

There are some other countermeasures like injecting randomized large serial
numbers, but these aren't followed uniformly by CAs outside the Web PKI.

Beyond cryptography there are all manner of other attacks that require
updating. It's clear that slow update cycles and backwards compatibility
have had substantial negative impacts on security.
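As an added illustration of the countermeasures weighed in this thread (not code from the thread or from any project it mentions): a stdlib-only Python DER walker that pulls the signature algorithm OID, serial number and extension OIDs out of a certificate and applies each policy in turn. Both sample certificates are constructed skeletons, and the private extension OID 1.3.6.1.4.1.99999.1 is hypothetical.

```python
SHA1_SIGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.10045.4.1": "ecdsa-with-SHA1", "1.2.840.10040.4.3": "dsa-with-sha1"}
KNOWN_EXTS = {"2.5.29.14", "2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.35", "2.5.29.37"}
def tlv_at(buf, off):  # one DER TLV at buf[off] -> (tag, contents, next offset)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length; DER never uses the indefinite form 0x80
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln
def children(contents):  # contents of a constructed value -> (tag, contents) pairs
    off = 0
    while off < len(contents):
        tag, body, off = tlv_at(contents, off)
        yield tag, body
def decode_oid(body):  # OBJECT IDENTIFIER contents -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def audit(cert_der):  # findings for one DER certificate; [] means every policy passes
    tbs, sig_alg, _sig = children(tlv_at(cert_der, 0)[1])
    fields = list(children(tbs[1]))
    if fields[0][0] == 0xA0: fields = fields[1:]  # skip the optional [0] EXPLICIT version
    serial, sig_oid = fields[0][1].lstrip(b"\x00"), decode_oid(next(children(sig_alg[1]))[1])
    findings = []
    if sig_oid in SHA1_SIGS:
        findings.append("reject: signed with " + SHA1_SIGS[sig_oid])
    if len(serial) < 8:  # cannot hold the 64 random bits Web PKI CAs inject
        findings.append("weak: serial shorter than 64 bits")
    for tag, body in fields:
        if tag == 0xA3:  # [3] EXPLICIT Extensions: SEQUENCE OF SEQUENCE { OID, [critical], value }
            for _t, ext in children(next(children(body))[1]):
                oid = decode_oid(next(children(ext))[1])
                if oid not in KNOWN_EXTS:
                    findings.append("unknown extension " + oid)
    return findings
def tlv(tag, body):  # short-form DER encoder, enough for the constructed samples below
    assert len(body) < 128
    return bytes([tag, len(body)]) + body
def sample_cert(sig_oid_tlv, serial, ext_oid_tlvs):  # skeleton: names, validity, SPKI left empty
    exts = b"".join(tlv(0x30, o + tlv(0x04, b"\x30\x00")) for o in ext_oid_tlvs)
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + tlv(0x30, sig_oid_tlv)
           + tlv(0x30, b"") * 4 + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, sig_oid_tlv) + tlv(0x03, b"\x00"))
SHA1_RSA, SHA256_RSA = bytes.fromhex("06092a864886f70d010105"), bytes.fromhex("06092a864886f70d01010b")
BASIC_CONSTRAINTS, KEY_USAGE = bytes.fromhex("0603551d13"), bytes.fromhex("0603551d0f")
PRIVATE_EXT = bytes.fromhex("06092b06010401868d1f01")  # hypothetical 1.3.6.1.4.1.99999.1 (constructed)
ROGUE_STYLE = sample_cert(SHA1_RSA, b"\x01", [BASIC_CONSTRAINTS, KEY_USAGE])  # 2008 rogue-CA shape
MODERN_PRIVATE = sample_cert(SHA256_RSA, bytes(range(1, 17)), [BASIC_CONSTRAINTS, PRIVATE_EXT])
```

On the rogue-CA-shaped sample the unknown-extension rule raises nothing and only the SHA-1 rule rejects it, while the SHA-256 certificate carrying a private extension is the one the extension rule would block.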