Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 08 January 2020 00:29 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 07 Jan 2020 19:29:20 -0500
Message-ID: <CAMm+LwiyiQU1JtofDJsnUjxMrkV_wkFz2J62VG3Dt=Zgegom8A@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Russ Housley <housley@vigilsec.com>, IETF SAAG <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gPHd-fTwAsFl8WJGeA2_WggZu-g>

On Tue, Jan 7, 2020 at 7:06 PM Peter Gutmann <pgut001@cs.auckland.ac.nz>
wrote:

> Russ Housley <housley@vigilsec.com> writes:
>
> >https://eprint.iacr.org/2020/014
> >
> > SHA-1 is a Shambles - First Chosen-Prefix Collision on SHA-1 and
> > Application to the PGP Web of Trust
>
> I'd commented on this on the cryptography list, my thoughts were:
>
> -- Snip --
>
> An interesting paper has just appeared on the IACR e-print archive:
>
>   SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
>   Application to the PGP Web of Trust
>
>   https://eprint.iacr.org/2020/014.pdf
>
> tl;dr: Attacks sped up by a factor of ~16 over previous work, chosen-prefix
> collision for ~$75k and 2 months effort.
>
> It's a long (32 pages) but interesting read.  The only thing I have a bit of
> an issue with is the conclusion:
>
>   SHA-1 signatures now offers virtually no security in practice
>
> It should really be "SHA-1 signatures where the attacker has two months time
> and tens of thousands of dollars (there are some cheaper options than $75k) to
> prepare a forgery offer no security in practice".
>

I think we can be fairly clear what the real risk is going to be and I am
working on this in the podcast (could not record it today because there
were roadworks outside the studio).

What will happen is

* Short term panic and lots of people explaining there is nothing to worry
about.
* Five to ten years of complacency.
* A successful attack on a significant target that did not transition but
proved profitable.

$75K will be $5K before long and don't discount the possibility that $75K
could be a profitable attack. I am sure that organized crime has noted the
Lehman etc. insider trading frauds and started planting moles in the banks.
$75K would be nothing when they are looking to cash out $100 million. We
have observed very significant amounts being paid for zero day attacks.

Most likely attack targets will be Git repos and similar applications using
SHA-1 hashes internally. The Git project did raise itself from the usual
security negligence Torvalds projects suffer from. The IPv6 buffer overrun
guards he stripped out of the kernel because he didn't understand them in
his 'compiler masturbation' rant is a more likely source of security
breach. It speaks of a hostile work environment.