nanog mailing list archives
Re: SHA1 collisions proven possisble
From: Matt Palmer <mpalmer () hezmatt org>
Date: Mon, 27 Feb 2017 18:58:14 +1100
On Mon, Feb 27, 2017 at 01:15:28AM -0500, Patrick W. Gilmore wrote:
On Feb 26, 2017, at 21:16, Matt Palmer <mpalmer () hezmatt org> wrote:Even better: I want a CA cert. I convince a CA to issue me a regular, end-entity cert for `example.com` (which I control) in such a way that I can generate another cert with the same SHA1 hash, but which has `CA:TRUE` for the Basic Constraints extension. Wham! I can now generate certs for *EVERYONE*. At least until someone notices and takes away my shiny new toy...In the example above, the CA knows the SHA-1 hash of the cert it issued. (We are assuming there is a CA which still does SHA-1.) How do you get that CA to believe the two OTHER certs with DIFFERENT hashes you have to create so you can have two docs with the same hash?
This is doable because the data that goes into the cert is mostly predictable (or attacker controlled). The public key is provided by the attacker; the subject and sAN extension is attacker-provided, and a lot of the rest is predictable (issuer, policy OIDs, etc etc). Even the notBefore and notAfter fields are, to some degree, predictable; you can measure the average issuance delay to figure out when you need to submit your CSR(s) to get favourable timestamps, and many CAs "round" values, to make that easier. Thus, constructing a "dummy" TBSCertificate ("to-be-signed certificate") to play with isn't difficult. The mitigation to a chosen prefix attack (which is what this is) is to make the serial number a random number. The CA/Browser Forum Baseline Requirements (the agreed-upon rules between CAs and browsers) say that you need to put "at least 64 bits of randomness" into the serial number field, which supposedly mitigates this. Unfortunately, that isn't a property you can easily determine by observation, and I'll bet dollars to donuts it isn't audited, so whether that would stand up to a determined attacker is a Rumsfeldian question.. - Matt
Current thread:
- Re: SHA1 collisions proven possisble, (continued)
- Re: SHA1 collisions proven possisble Patrick W. Gilmore (Feb 26)
- Re: SHA1 collisions proven possisble Nick Hilliard (Feb 26)
- Re: SHA1 collisions proven possisble Brett Frankenberger (Feb 26)
- Re: SHA1 collisions proven possisble Matt Palmer (Feb 26)
- RE: SHA1 collisions proven possisble Keith Medcalf (Feb 26)
- RE: SHA1 collisions proven possisble Jon Lewis (Feb 27)
- Re: SHA1 collisions proven possisble valdis . kletnieks (Feb 27)
- Re: SHA1 collisions proven possisble Patrick W. Gilmore (Feb 26)
- Re: SHA1 collisions proven possisble Eitan Adler (Feb 26)
- Re: SHA1 collisions proven possisble Randy Bush (Feb 27)
- Re: SHA1 collisions proven possisble Matt Palmer (Feb 26)
- Re: SHA1 collisions proven possisble valdis . kletnieks (Feb 27)
- Re: SHA1 collisions proven possisble Chris Adams (Feb 27)