nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SHA1 collisions proven possisble

From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Mon, 27 Feb 2017 01:15:28 -0500
Composed on a virtual keyboard, please forgive typos. 

On Feb 26, 2017, at 21:16, Matt Palmer <mpalmer () hezmatt org> wrote:

On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:

On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
I repeat something I've said a couple times in this thread: If I can
somehow create two docs with the same hash, and somehow con someone
into using one of them, chances are there are bigger problems than a
SHA1 hash collision.

If you assume I could somehow get Verisign to use a cert I created to
match another cert with the same hash, why in the hell would that
matter?  I HAVE THE ONE VERISIGN IS USING.  Game over.

Valdis came up with a possible use of such documents. While I do not
think there is zero utility in those instances, they are pretty small
vectors compared to, say, having a root cert at a major CA.


I want a google.com cert.  I ask a CA to sign my fake google.com
certificate.  They decline, because I can't prove I control google.com.


Even better: I want a CA cert.  I convince a CA to issue me a regular,
end-entity cert for `example.com` (which I control) in such a way that I can
generate another cert with the same SHA1 hash, but which has `CA:TRUE` for
the Basic Constraints extension.

Wham!  I can now generate certs for *EVERYONE*.  At least until someone
notices and takes away my shiny new toy...


Since I have said this somewhere on the order of half a dozen times, I will assume I am missing something obvious and 
all of you are doing it right. 

So let me ask you: The attack creates two docs. You do not know the hash before the attack starts. You cannot take an 
existing file with a known hash and create a second file which matches the known hash. You start with nothing, run the 
"attack", and get two NEW docs that have the same hash. A hash which is brand new. 

Now, please explain how you take a cert with one hash and somehow use this attack, which creates two new docs with a 
new hash, to do, well, anything?

In the example above, the CA knows the SHA-1 hash of the cert it issued. (We are assuming there is a CA which still 
does SHA-1.) How do you get that CA to believe the two OTHER certs with DIFFERENT hashes you have to create so you can 
have two docs with the same hash?

-- 
TTFN,
patrick
Previous By Date Next
Previous By Thread Next

Current thread: