Re: [saag] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 08 January 2020 00:06 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Russ Housley <housley@vigilsec.com>, IETF SAAG <saag@ietf.org>
Date: Wed, 08 Jan 2020 00:05:57 +0000
Message-ID: <1578441957793.93047@cs.auckland.ac.nz>
References: <A6C5B299-54AE-48E8-98BF-981C85B9D3BE@vigilsec.com>
In-Reply-To: <A6C5B299-54AE-48E8-98BF-981C85B9D3BE@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/zPGwhoucr_mdDxJphQLOMAG68_E>

Russ Housley <housley@vigilsec.com> writes:

>https://eprint.iacr.org/2020/014
>
> SHA-1 is a Shambles - First Chosen-Prefix Collision on SHA-1 and
> Application to the PGP Web of Trust

I'd commented on this on the cryptography list; my thoughts were:

-- Snip --

An interesting paper has just appeared on the IACR e-print archive:

  SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to
  the PGP Web of Trust

  https://eprint.iacr.org/2020/014.pdf

tl;dr: Attacks sped up by a factor of ~16 over previous work, chosen-prefix
collision for ~$75k and 2 months effort.

It's a long (32 pages) but interesting read.  The only thing I have a bit of
an issue with is the conclusion:

  SHA-1 signatures now offers virtually no security in practice

It should really be "SHA-1 signatures where the attacker has two months time
and tens of thousands of dollars (there are some cheaper options than $75k) to
prepare a forgery offer no security in practice".

Even then, the demonstrated attack relies on the ability to stuff arbitrary
garbage data into the signed message (in this case into a JPEG image after the
End-of-Image marker), so add:

  "... and the ability to stuff arbitrary attacker-chosen data into the signed
  message..."

to that.

Not trying to downplay the findings in the paper, but more to provide some
perspective on where the major risks lie for people who need to think about
the use of SHA-1 in legacy products and systems.
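The message above points out that the demonstrated forgery depends on being able to append attacker-chosen bytes to the signed message after the JPEG End-of-Image marker. A defender who still has to verify SHA-1 signatures over images can at least check for that precondition. The following is an added example written for this archive page; it is not code from the message author or from the paper. It walks the JPEG marker structure to find the real End-of-Image marker (rather than searching for the byte pair, which could match inside a comment segment) and reports any bytes that follow it. The sample JPEG byte strings are constructed here for illustration and are not real images.

```python
EOI = 0xD9
SOS = 0xDA
# Markers that carry no length field: SOI, EOI, TEM and the restart markers RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def find_eoi(data: bytes) -> int:
    """Return the offset just past the End-of-Image marker of a JPEG stream.

    The stream is parsed segment by segment so that an FF D9 byte pair inside
    a comment or application segment is not mistaken for the real EOI.
    Raises ValueError if the data is not a well-formed JPEG stream.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill bytes are permitted before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seglen < 2 or pos + 2 + seglen > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        pos += 2 + seglen
        if marker != SOS:
            continue
        # After a Start-of-Scan header comes entropy-coded data. Inside it an FF
        # byte is followed by 00 (byte stuffing), by another FF (fill) or by a
        # restart marker; anything else is the next real marker.
        while True:
            idx = data.find(b"\xff", pos)
            if idx < 0 or idx + 1 >= len(data):
                raise ValueError("unterminated scan data")
            nxt = data[idx + 1]
            if nxt == 0x00 or nxt == 0xFF or 0xD0 <= nxt <= 0xD7:
                pos = idx + 1
                continue
            pos = idx
            break


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the End-of-Image marker (empty for a clean file)."""
    return data[find_eoi(data):]


def has_trailing_data(data: bytes) -> bool:
    """True if the signed image carries bytes a viewer would never display."""
    return len(trailing_bytes(data)) > 0


# Constructed sample: a syntactically valid marker sequence, not a real picture.
CLEAN_JPEG = (
    b"\xff\xd8"                                                      # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS, length 8
    b"\x12\x34\xff\x00\x56\xff\xd0\x78"                              # scan data with FF00 stuffing and RST0
    b"\xff\xd9"                                                      # EOI
)
# Constructed sample of the precondition the message describes: opaque data after EOI.
PADDED_JPEG = CLEAN_JPEG + b"<constructed placeholder for appended collision blocks>"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("padded", PADDED_JPEG)):
        extra = trailing_bytes(blob)
        print(f"{name}: {len(extra)} byte(s) after EOI" + (" -- reject or re-sign" if extra else ""))
```

The check is a necessary precondition test, not a proof of forgery: a legitimate tool may also append data after EOI, and the same idea (reject content with regions the consumer never interprets) applies to any other container that tolerates trailing bytes. It does nothing about the underlying weakness, which is still fixed only by moving signatures off SHA-1.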