Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1

Robert Moskowitz <rgm-sec@htt-consult.com> Fri, 24 January 2020 15:20 UTC

To: Russ Housley <housley@vigilsec.com>, IETF SAAG <saag@ietf.org>
References: <A6C5B299-54AE-48E8-98BF-981C85B9D3BE@vigilsec.com>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <fa4a18ca-d418-83f5-f95e-3566e2f6233e@htt-consult.com>
Date: Fri, 24 Jan 2020 10:19:47 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ucVZ_fg4Qoy9jGfLuOaNaq3jms8>

I got to be at the conference.  A lot of very good material.  And note 
the attack on OCB2.  Thank you Russ for CCM to dodge the patent fight 
and thus NOT do OCB for 802.11i!   Of course we were looking at OCB1 at 
the time, but who knows what may have been in the final standard.  The 
timing was right for it to have been OCB2...

Anyway on to the SHA1 presentation and the Levchin award for it.

Quite interesting.  Unfortunately the video for it is not being provided at

https://totalwebcasting.com/view/?func=VOFF&id=columbia&date=2020-01-08&seq=1

But check out the Enterprise Cryptography talk from ABN AMRO and their 
moving away from SHA1 certs.

The CRLite talk was also interesting (and talk available).

As to the cost, we are in an exploded bubble right now due to the 
collapse of crypto coin mining. Too many available GPU farms sit idle 
looking for revenue.  But if this is the cost from public GPU farms 
looking for revenue (and 1 month leases), what is out there dark to our 
researchers with a little bit of grant money to spend?

The 15 years from theory to practice is something to take away. Don't 
just ignore a theoretical attack, but don't immediately panic and then 
become complacent when nothing seems to come from it (the theory) in a 
year or two.



On 1/7/20 10:23 AM, Russ Housley wrote:
> https://eprint.iacr.org/2020/014
>
>> SHA-1 is a Shambles - First Chosen-Prefix Collision on SHA-1 and
>> Application to the PGP Web of Trust
>>
>> Gaëtan Leurent and Thomas Peyrin
>>
>> Abstract: The SHA-1 hash function was designed in 1995 and has been
>> widely used for two decades. A theoretical collision attack was first
>> proposed in 2004 [WYY05], but due to its high complexity it was only
>> implemented in practice in 2017, using a large GPU cluster [SBK+17].
>> More recently, an almost practical chosen-prefix collision attack
>> against SHA-1 has been proposed [LP19]. This more powerful attack allows
>> building colliding messages with two arbitrary prefixes, which is much
>> more threatening for real protocols.
>>
>> In this paper, we report the first practical implementation of this
>> attack, and its impact on real-world security with a PGP/GnuPG
>> impersonation attack. We managed to significantly reduce the complexity
>> of collision attacks against SHA-1: on an Nvidia GTX 970,
>> identical-prefix collisions can now be computed with a complexity of
>> 2^61.2 rather than 2^64.7, and chosen-prefix collisions with a complexity
>> of 2^63.4 rather than 2^67.1. When renting cheap GPUs, this translates to
>> a cost of 11k US$ for a collision, and 45k US$ for a chosen-prefix
>> collision, within the means of academic researchers. Our actual attack
>> required two months of computations using 900 Nvidia GTX 1060 GPUs (we
>> paid 75k US$ because GPU prices were higher, and we wasted some time
>> preparing the attack).
>>
>> Therefore, the same attacks that have been practical on MD5 since 2009
>> are now practical on SHA-1. In particular, chosen-prefix collisions can
>> break signature schemes and handshake security in secure channel
>> protocols (TLS, SSH). We strongly advise removing SHA-1 from those types
>> of applications as soon as possible. We exemplify our cryptanalysis by
>> creating a pair of PGP/GnuPG keys with different identities, but
>> colliding SHA-1 certificates. A SHA-1 certification of the first key can
>> therefore be transferred to the second key, leading to a forgery. This
>> proves that SHA-1 signatures now offer virtually no security in
>> practice. The legacy branch of GnuPG still uses SHA-1 by default for
>> identity certifications, but after notifying the authors, the modern
>> branch now rejects SHA-1 signatures (the issue is tracked as
>> CVE-2019-14855).
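The abstract notes that the modern GnuPG branch now rejects SHA-1 signatures (CVE-2019-14855). As an added example, not code from the thread, the paper or GnuPG, here is a minimal RFC 4880 signature-packet reader that pulls out the digest algorithm so a verifier can apply the same policy; the sample packets are constructed for illustration and are not real signatures.

```python
"""Audit OpenPGP (RFC 4880) v4 signature packets and flag weak digests.
Only the fixed header fields needed for the check are parsed; the hash
prefix, subpackets and MPIs are not validated.
"""
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}   # RFC 4880 9.4
WEAK_DIGESTS = {"MD5", "SHA1"}   # collisions are practical; reject for signatures
SIGNATURE_TAG = 2


def _packet_header(data):
    """Return (tag, body_offset, body_length) for one OpenPGP packet."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                       # new-format header (RFC 4880 4.2.2)
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header (4.2.1)
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length not supported")


def audit_signature(packet):
    """Return version, signature type, digest name and an accept/reject verdict."""
    tag, off, length = _packet_header(packet)
    if tag != SIGNATURE_TAG:
        raise ValueError("packet tag %d is not a signature" % tag)
    body = packet[off:off + length]
    if len(body) < 4 or body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    hash_id = body[3]                    # version, sigtype, pkalgo, hashalgo
    name = HASH_ALGOS.get(hash_id, "unknown(%d)" % hash_id)
    return {"version": body[0], "sig_type": body[1], "hash_algo": name,
            "accept": hash_id in HASH_ALGOS and name not in WEAK_DIGESTS}


# Constructed samples: new-format header (tag 2, 13-byte body), v4 positive
# certification (0x13), RSA (1), digest SHA1 (2) or SHA256 (8), empty
# subpacket areas, placeholder hash prefix and a one-byte MPI.
SHA1_CERT = bytes([0xC2, 13, 4, 0x13, 1, 2, 0, 0, 0, 0, 0xAB, 0xCD, 0, 8, 0x7F])
SHA256_CERT = bytes([0xC2, 13, 4, 0x13, 1, 8, 0, 0, 0, 0, 0xAB, 0xCD, 0, 8, 0x7F])
```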