Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1

"Black, David" <David.Black@dell.com> Thu, 09 January 2020 15:00 UTC

From: "Black, David" <David.Black@dell.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Phillip Hallam-Baker <phill@hallambaker.com>, "noloader@gmail.com" <noloader@gmail.com>
CC: IETF SAAG <saag@ietf.org>, "Black, David" <David.Black@dell.com>
Date: Thu, 09 Jan 2020 14:59:56 +0000
Message-ID: <DM6PR19MB40424A843780544F545E586583390@DM6PR19MB4042.namprd19.prod.outlook.com>
References: <A6C5B299-54AE-48E8-98BF-981C85B9D3BE@vigilsec.com> <CAH8yC8=DWfzTw=meTG0_jGDt_qDmw20khR_U1Z0df0R-K0hN6Q@mail.gmail.com>, <CAMm+LwisLm78peKYk7N_C1y3f8vjRgOrf9Ut9XwGGZZ-vK5zFA@mail.gmail.com> <1578554217695.69920@cs.auckland.ac.nz>
In-Reply-To: <1578554217695.69920@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ZG1kik95V_y2UWWJCLBVWw8i-0E>
List-Id: Security Area Advisory Group <saag.ietf.org>

> [0] Watch out for an April 1 RFC "The attackerControlledData extension for
>     X.509" :-).

Be careful what you wish for ... after all, RFC 1149 was implemented :-) !!

https://en.wikipedia.org/wiki/IP_over_Avian_Carriers

Thanks, --David

> -----Original Message-----
> From: saag <saag-bounces@ietf.org> On Behalf Of Peter Gutmann
> Sent: Thursday, January 9, 2020 2:17 AM
> To: Phillip Hallam-Baker; noloader@gmail.com
> Cc: IETF SAAG
> Subject: Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1
> 
> 
> [EXTERNAL EMAIL]
> 
> Phillip Hallam-Baker <phill@hallambaker.com> writes:
> 
> >Those certificates are not actually at risk because they were originally
> >signed when SHA-1 was still trusted. It is the intermediate and EE certs that
> >are the concern.
> 
> In terms of the web PKI, they're also not at risk because they're not
> defending against anything that non-nation-state attackers care about.  And
> I'm not being snarky there, I mean that literally, there's no point in
> attackers investing anything more than the minimum necessary in trying to
> forge certs for web sites because they can do just as well without them (Refs:
> Too many to list here, but start with the APWG data if you need something to
> go from).
> 
> However, let's look at the actual threat a bit more closely, and in particular
> from the point of view of someone who has legacy infrastructure they need to
> work with and wants to know where and what needs shoring up.  The attack
> requires that someone be able to stuff arbitrary binary data that the victim
> won't check into a signed message, as well as causing the victim to
> reinterpret the message in an entirely different manner than originally
> intended.
> 
> This happens to work quite well for OpenPGP/GPG, but is more tricky for certs
> both because there's no attackerControlledData extension (yet [0]) and because
> of the amount of decoration that ASN.1 adds to anything that's being encoded.
> So what the attacker would have to do is define a new extension
> attackerControlledData and create a cert where it's present in there, to
> mirror the (mis-)use of JPEG images with attached binary garbage in OpenPGP/
> GPG (this is from reading the paper on-screen, I still need to get a printed
> version to study properly, in particular to try and understand whether the
> process described in section 6.1 can even be applied to an X.509 cert), and
> also to figure out how to get the victim to reinterpret what's being signed as
> was done for the OpenPGP data.
> 
> A simple countermeasure there for long-lived signatures where this type of
> attack is a threat (assuming the ASN.1-reinterpretation is achievable), e.g.
> X.509 certs in legacy deployments, is that if SHA-1 is being used, reject
> certs with an unknown extension, or one with type-and-value fields of unknown
> type.
> 
> Peter.
> 
> [0] Watch out for an April 1 RFC "The attackerControlledData extension for
>     X.509" :-).
> 
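Peter's countermeasure (if SHA-1 is the signature algorithm, reject a cert carrying an extension you do not recognise) as an added worked check; this is not code from the thread. It is a stdlib-only DER walker that pulls the signature-algorithm OID and the extension OIDs out of a certificate; the extension allow-list, the toy_cert() builder and the placeholder OID 1.2.3.4.5.6 are constructed assumptions, and the "unknown type-and-value field" half of the rule is not covered.

```python
# Gutmann's countermeasure as a check: a SHA-1-signed certificate that carries an
# unrecognised extension is rejected.  Pure-stdlib DER walker; toy_cert() is constructed test data.
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1", "1.2.840.10040.4.3"}  # RSA/ECDSA/DSA with SHA-1
KNOWN_EXT_OIDS = {"2.5.29.14", "2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.35", "2.5.29.37"}  # SKID KU SAN BC AKID EKU (assumed allow-list)

def tlv(data, pos=0):
    """Return (tag, content, next_pos) of the DER element at pos; long-form lengths handled."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def children(content):            # yield (tag, content) of each element in a constructed value
    pos = 0
    while pos < len(content):
        tag, val, pos = tlv(content, pos)
        yield tag, val
def decode_oid(raw):
    arcs, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(str(acc)); acc = 0
    return ".".join(arcs)
def check_cert(cert_der):
    """Return (accept, reason). Only the SHA-1 + unknown-extension rule is applied."""
    tbs, sig_alg, _ = [v for _, v in children(tlv(cert_der)[1])]
    sig_oid = decode_oid(next(children(sig_alg))[1])
    ext_oids = [decode_oid(next(children(ext))[1])
                for tag, val in children(tbs) if tag == 0xA3   # [3] EXPLICIT Extensions
                for _, ext in children(next(children(val))[1])]
    if sig_oid not in SHA1_SIG_OIDS:
        return True, "not SHA-1 signed; rule not applied"
    unknown = sorted(o for o in ext_oids if o not in KNOWN_EXT_OIDS)
    if unknown:
        return False, "SHA-1 signed with unknown extension(s): " + ", ".join(unknown)
    return True, "SHA-1 signed, all extensions recognised"

def der(tag, body): return bytes([tag, len(body)]) + body   # DER element; short-form length suffices for the toy
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7: chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return der(0x06, out)
def toy_cert(sig_oid, ext_oids):   # constructed test data: structurally valid, otherwise bogus
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    exts = der(0xA3, der(0x30, b"".join(der(0x30, encode_oid(o) + der(0x04, b"\x00")) for o in ext_oids)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"") * 4 + exts)   # issuer, validity, subject, SPKI left empty
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
```

A real deployment would run check_cert() on the DER bytes of each chain element before signature verification, so the rule acts as a gate rather than replacing the existing validation.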