Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1
Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 09 January 2020 07:17 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84731120025 for <saag@ietfa.amsl.com>; Wed, 8 Jan 2020 23:17:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rnKZRj9T8cYV for <saag@ietfa.amsl.com>; Wed, 8 Jan 2020 23:17:00 -0800 (PST)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF884120020 for <saag@ietf.org>; Wed, 8 Jan 2020 23:16:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1578554220; x=1610090220; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=hU2H7zLL1hds3ZlSuxQY7SiZG9dcPF1QzW8Z1V+Bvng=; b=uusXtArrBfCceCTu7gaPrXJyaFGFQS+qW/+PK1HEPVDTSQq29yh/M4tq 4SCJFl7qAU4moJe0WfGOpDQeVxe0OmvUOj8NRgQGsNw94tCs24KxsycZC WlEa5iaEQlPo0V74K6OLjegYDah95wvSwwu0Gx7cdzOH1AIREwLiLt2ZP bBF1cwUAlx6TtV3zYHD7mU30Fez3TuJXHNwsCfqwZZsdmidoP3Aox4VU7 XMa29BaCS2L9VIyBR3k1FnwxkKbuuc6d2Ts2757ILqRn2g+bTJo7cT5b5 YcUydSgGb6/hlpoXpzemPFcxmEl1Eem8XnshGPsimeW+ATnKQQI9BZgZw g==;
X-IronPort-AV: E=Sophos;i="5.69,413,1571655600"; d="scan'208";a="108894448"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.9 - Outgoing - Outgoing
Received: from uxcn13-tdc-e.uoa.auckland.ac.nz ([10.6.3.9]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 09 Jan 2020 20:16:56 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-e.UoA.auckland.ac.nz (10.6.3.9) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 9 Jan 2020 20:16:55 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.5]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.5]) with mapi id 15.00.1395.000; Thu, 9 Jan 2020 20:16:55 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Phillip Hallam-Baker <phill@hallambaker.com>, "noloader@gmail.com" <noloader@gmail.com>
CC: IETF SAAG <saag@ietf.org>
Thread-Topic: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1
Thread-Index: AQHVxW5peik3PNqOuEiM4/T+DmGoNqffJfeAgAAA7gCAAsXzEA==
Date: Thu, 09 Jan 2020 07:16:55 +0000
Message-ID: <1578554217695.69920@cs.auckland.ac.nz>
References: <A6C5B299-54AE-48E8-98BF-981C85B9D3BE@vigilsec.com> <CAH8yC8=DWfzTw=meTG0_jGDt_qDmw20khR_U1Z0df0R-K0hN6Q@mail.gmail.com>, <CAMm+LwisLm78peKYk7N_C1y3f8vjRgOrf9Ut9XwGGZZ-vK5zFA@mail.gmail.com>
In-Reply-To: <CAMm+LwisLm78peKYk7N_C1y3f8vjRgOrf9Ut9XwGGZZ-vK5zFA@mail.gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/cim3eQKd0wJC5PFgTGNWPIGMlyU>
Subject: Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2020 07:17:02 -0000
Phillip Hallam-Baker <phill@hallambaker.com> writes: >Those certificates are not actually at risk because they were originally >signed when SHA-1 was still trusted. It is the intermediate and EE certs that >are the concern. In terms of the web PKI, they're also not at risk because they're not defending against anything that non-nation-state attackers care about. And I'm not being snarky there, I mean that literally, there's no point in attackers investing anything more than the minimum necessary in trying to forge certs for web sites because they can do just as well without them (Refs: Too many to list here, but start with the APWG data if you need something to go from). However, let's look at the actual threat a bit more closely, and in particular from the point of view of someone who has legacy infrastructure they need to work with and wants to know where and what needs shoring up. The attack requires that someone be able to stuff arbitrary binary data that the victim won't check into a signed message, as well as causing the victim to reinterpret the message in an entirely different manner than originally intended. This happens to work quite well for OpenPGP/GPG, but is more tricky for certs both because there's no attackerControlledData extension (yet [0]) and because of the amount of decoration that ASN.1 adds to anything that's being encoded. So what the attacker would have to do is define a new extension attackerControlledData and create a cert where it's present in there, to mirror the (mis-)use of JPEG images with attached binary garbage in OpenPGP/ GPG (this is from reading the paper on-screen, I still need to get a printed version to study properly, in particular to try and understand whether the process described in section 6.1 can even be applied to an X.509 cert), and also to figure out how to get the victim to reinterpret what's being signed as was done for the OpenPGP data. A simple countermeasure there for long-lived signatures where this type of attack is a threat (assuming the ASN.1-reinterpretation is achievable), e.g. X.509 certs in legacy deployments, is that if SHA-1 is being used, reject certs with an unknown extension, or one with type-and-value fields of unknown type. Peter. [0] Watch out for an April 1 RFC "The attackerControlledData extension for X.509" :-).
- [saag] SHA-1 is a Shambles: First Chosen-Prefix C… Russ Housley
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Phillip Hallam-Baker
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Peter Gutmann
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Phillip Hallam-Baker
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Christian Huitema
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Jeffrey Walton
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Phillip Hallam-Baker
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Andrey Jivsov
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Alan DeKok
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Peter Gutmann
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Black, David
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Watson Ladd
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Peter Gutmann
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Viktor Dukhovni
- Re: [saag] SHA-1 is a Shambles: First Chosen-Pref… Robert Moskowitz