nanog mailing list archives
Re: SHA1 collisions proven possisble
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 24 Feb 2017 14:06:12 +0100
* valdis kletnieks:
We negotiate a contract with terms favorable to you. You sign it (or more correctly, sign the SHA-1 hash of the document). I then take your signed copy, take out the contract, splice in a different version with terms favorable to me. Since the hash didn't change, your signature on the second document remains valid. I present it in court, and the judge says "you signed it, you're stuck with the terms you signed". I think that would count as "invalidates documents signed by SHA-1", don't you?
The more immediate problem isn't that you get framed, but that someone is insinuating that you might be framing *them*, i.e. invalidation of existing signatures etc. Regarding your original scenario: You have both copies, and it is possible to analyze them and notice that they were carefully crafted to exhibit the SHA-1 collision. So it should be clear that the party who generated the document is up to to no good, and the question now is which party is responsible for the doctored document. This scenario isn't much different from abusing complex file formats to render the document differently in different contexts. There is more reliable evidence here than there is with your average disputed pen-and-paper signature. Automated processing of SHA-1-hashed data might be a problem, though. For example, a web page generator might skip proper HTML encoding if the hash of a document fragment has a known SHA-1 (assuming that this exact fragment has been checked earlier). Certification signatures (such as those found in X.509 and DNSSEC) are particularly at risk. For X.509, CAs can randomize the serial number and avoid the shared prefix, which stops these attacks AFAIK. For DNSSEC, you probably should verify that the DS records are meaningful before signing the DS RRset. If I recall correctly, there is no good way to inject randomness early into the signed data, maybe except using invalid DS records which get sorted first.
Current thread:
- Re: SHA1 collisions proven possisble, (continued)
- Re: SHA1 collisions proven possisble Vincent Bernat (Feb 24)
- Re: SHA1 collisions proven possisble Patrick W. Gilmore (Feb 23)
- Re: SHA1 collisions proven possisble valdis . kletnieks (Feb 23)
- Re: SHA1 collisions proven possisble Patrick W. Gilmore (Feb 23)
- Re: SHA1 collisions proven possisble Vincent Bernat (Feb 24)
- Re: SHA1 collisions proven possisble Patrick W. Gilmore (Feb 24)
- Re: SHA1 collisions proven possisble Ricky Beam (Feb 23)
- Re: SHA1 collisions proven possisble valdis . kletnieks (Feb 23)
- RE: SHA1 collisions proven possisble David Edelman (Feb 23)
- Re: SHA1 collisions proven possisble Lyndon Nerenberg (Feb 23)
- Re: SHA1 collisions proven possisble Florian Weimer (Feb 24)
- Re: SHA1 collisions proven possisble Jimmy Hess (Feb 25)
- Re: SHA1 collisions proven possisble Patrick W. Gilmore (Feb 26)
- Re: SHA1 collisions proven possisble Nick Hilliard (Feb 26)
- Re: SHA1 collisions proven possisble Brett Frankenberger (Feb 26)
- Re: SHA1 collisions proven possisble Matt Palmer (Feb 26)
- RE: SHA1 collisions proven possisble Keith Medcalf (Feb 26)
- RE: SHA1 collisions proven possisble Jon Lewis (Feb 27)
- Re: SHA1 collisions proven possisble valdis . kletnieks (Feb 27)
- Re: SHA1 collisions proven possisble Patrick W. Gilmore (Feb 26)
- Re: SHA1 collisions proven possisble Eitan Adler (Feb 26)