Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1
Andrey Jivsov <crypto@brainhub.org> Wed, 08 January 2020 03:18 UTC
Return-Path: <andrey@brainhub.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3E4C120043 for <saag@ietfa.amsl.com>; Tue, 7 Jan 2020 19:18:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3b0F9LAXJknz for <saag@ietfa.amsl.com>; Tue, 7 Jan 2020 19:18:36 -0800 (PST)
Received: from mail-qk1-f174.google.com (mail-qk1-f174.google.com [209.85.222.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FD6912002E for <saag@ietf.org>; Tue, 7 Jan 2020 19:18:36 -0800 (PST)
Received: by mail-qk1-f174.google.com with SMTP id t129so1424506qke.10 for <saag@ietf.org>; Tue, 07 Jan 2020 19:18:36 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GucBbzGciWw3pXmyc1OSyVIYq0RzBJOZnW5XVyQn3K4=; b=Sa/+cPjP8u9bymdsqW2hCCKgYunyzLtyo0rMgIUEb5pDLjW90SKLPp98G9g8gpc6t8 wX5odSiXZVQzilp/cmqBEBttMgnwM0dfqqkRnbEoXfLrzewrXw22J9j/fa6syz0l0Ps2 A9Wxnbf+GktWWf5ggTbIIaoaEpumkx9ecZ09H4BKaD6K7NatBFjlPXco9s4VoFQ6Ldye lB2Prmw6ejL/EAkFU0pM7j8iekVZXDFHTJljNwKpIisZbHkNLGJStvHun4Kqs2k/CQg7 15lLUJxjYCB0fvSA6nfKXtkwYIUJVwu+3V+Ltae5rVT5OQGaNASCjcVdVCGYDAnKezlg jE0w==
X-Gm-Message-State: APjAAAUG1hGVy2kqvoCnfM9O27F6ntfi5H37HBvzZWoAEb+4OwC8ODRV /ZjYrW5VaudeBFeaKXI5MZ5H8hAKxfYqY8fCcMgrMg==
X-Google-Smtp-Source: APXvYqzOSIfZW0LBsT+9+2/Ym68xy3hMS3zX11T7OqFA9TgYnnBvViyhfx9GlByqgUCKUPj6IB3dUcHRptKOR4YEgns=
X-Received: by 2002:a05:620a:9c9:: with SMTP id y9mr2300897qky.397.1578453514213; Tue, 07 Jan 2020 19:18:34 -0800 (PST)
MIME-Version: 1.0
References: <A6C5B299-54AE-48E8-98BF-981C85B9D3BE@vigilsec.com> <CAH8yC8=DWfzTw=meTG0_jGDt_qDmw20khR_U1Z0df0R-K0hN6Q@mail.gmail.com> <CAMm+LwisLm78peKYk7N_C1y3f8vjRgOrf9Ut9XwGGZZ-vK5zFA@mail.gmail.com>
In-Reply-To: <CAMm+LwisLm78peKYk7N_C1y3f8vjRgOrf9Ut9XwGGZZ-vK5zFA@mail.gmail.com>
From: Andrey Jivsov <crypto@brainhub.org>
Date: Tue, 07 Jan 2020 19:18:22 -0800
Message-ID: <CAKUk3buBYquPGDhEubCSrKPc7E1sYwiGZqind-gXNofDdP8WxA@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: noloader@gmail.com, IETF SAAG <saag@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000274c6059b9859ae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Uy_GxDo6ytKyVC7pLZi9l04DbEA>
Subject: Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 03:18:40 -0000
Even more precise, the hash algorithm in X.509 certificate trust anchors doesn't matter for security. Self-signed X.509 certs are the most common trust anchors. If a self-signed cert is a part of a certificate chain, it must be a trust anchor. Therefore, the hash algorithm in a self-signed X.509 certificate never matters for security. This should include compliance reasons of "no SHA-1" because the signature field on self-signed cert should never be verified (we can, but it just wastes compute cycles). Remarkably, the above straightforward facts are for some reason not well-understood and companies make an effort to remove X.509 trust anchors with SHA-1 in signatures over them. On Tue, Jan 7, 2020, 5:49 PM Phillip Hallam-Baker <phill@hallambaker.com> wrote: > Those certificates are not actually at risk because they were originally > signed when SHA-1 was still trusted. It is the intermediate and EE certs > that are the concern. > > On the cost of attack thing. $11K is well within the amount of computer > time that can be stolen... > > > > > On Tue, Jan 7, 2020 at 8:46 PM Jeffrey Walton <noloader@gmail.com> wrote: > >> On Tue, Jan 7, 2020 at 10:23 AM Russ Housley <housley@vigilsec.com> >> wrote: >> > >> > https://eprint.iacr.org/2020/014 >> > >> > > SHA-1 is a Shambles - First Chosen-Prefix Collision on SHA-1 and >> > > Application to the PGP Web of Trust >> > > >> > > Gaëtan Leurent and Thomas Peyrin >> > > >> > > Abstract: The SHA-1 hash function was designed in 1995 and has been >> > > widely used during two decades. A theoretical collision attack was >> first >> > > proposed in 2004 [WYY05], but due to its high complexity it was only >> > > implemented in practice in 2017, using a large GPU cluster [SBK+17]. >> > > More recently, an almost practical chosen-prefix collision attack >> > > against SHA-1 has been proposed [LP19]. This more powerful attack >> allows >> > > to build colliding messages with two arbitrary prefixes, which is much >> > > more threatening for real protocols. >> > > >> > > In this paper, we report the first practical implementation of this >> > > attack, and its impact on real-world security with a PGP/GnuPG >> > > impersonation attack. We managed to significantly reduce the >> complexity >> > > of collisions attack against SHA-1: on an Nvidia GTX 970, >> > > identical-prefix collisions can now be computed with a complexity of >> > > 2^61.2 rather than 2^64.7, and chosen-prefix collisions with a >> complexity >> > > of 2^63.4 rather than 2^67.1. When renting cheap GPUs, this >> translates to >> > > a cost of 11k US$ for a collision, and 45k US$ for a chosen-prefix >> > > collision, within the means of academic researchers. Our actual attack >> > > required two months of computations using 900 Nvidia GTX 1060 GPUs (we >> > > paid 75k US$ because GPU prices were higher, and we wasted some time >> > > preparing the attack). >> > > >> > > Therefore, the same attacks that have been practical on MD5 since 2009 >> > > are now practical on SHA-1. In particular, chosen-prefix collisions >> can >> > > break signature schemes and handshake security in secure channel >> > > protocols (TLS, SSH). We strongly advise to remove SHA-1 from those >> type >> > > of applications as soon as possible. We exemplify our cryptanalysis by >> > > creating a pair of PGP/GnuPG keys with different identities, but >> > > colliding SHA-1 certificates. A SHA-1 certification of the first key >> can >> > > therefore be transferred to the second key, leading to a forgery. This >> > > proves that SHA-1 signatures now offers virtually no security in >> > > practice. The legacy branch of GnuPG still uses SHA-1 by default for >> > > identity certifications, but after notifying the authors, the modern >> > > branch now rejects SHA-1 signatures (the issue is tracked as >> > > CVE-2019-14855). >> >> And if interested, Mozilla's cacert.pem >> (https://curl.haxx.se/docs/caextract.html) has 52 certificates at >> risk: >> >> $ ./test.exe >> Load certificates from cacert.pem >> Certificates total: 138 >> >> ecdsa-with-SHA256: 5 >> ecdsa-with-SHA384: 16 >> id_sha1WithRSASignature: 52 >> id_sha256WithRSAEncryption: 56 >> id_sha256WithRSAEncryption: 8 >> id_sha512WithRSAEncryption: 1 >> >> Jeff >> >> _______________________________________________ >> saag mailing list >> saag@ietf.org >> https://www.ietf.org/mailman/listinfo/saag >> > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag >
- [saag] SHA-1 is a Shambles: First Chosen-Prefix C… Russ Housley
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Phillip Hallam-Baker
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Peter Gutmann
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Phillip Hallam-Baker
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Christian Huitema
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Jeffrey Walton
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Phillip Hallam-Baker
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Andrey Jivsov
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Alan DeKok
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Peter Gutmann
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Black, David
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Watson Ladd
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Peter Gutmann
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Viktor Dukhovni
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Robert Moskowitz