nanog mailing list archives
Re: SHA1 collisions proven possisble
From: Eitan Adler <lists () eitanadler com>
Date: Sun, 26 Feb 2017 22:25:20 -0800
On 26 February 2017 at 22:15, Patrick W. Gilmore <patrick () ianai net> wrote:
Composed on a virtual keyboard, please forgive typos. On Feb 26, 2017, at 21:16, Matt Palmer <mpalmer () hezmatt org> wrote:On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote: I repeat something I've said a couple times in this thread: If I can somehow create two docs with the same hash, and somehow con someone into using one of them, chances are there are bigger problems than a SHA1 hash collision. If you assume I could somehow get Verisign to use a cert I created to match another cert with the same hash, why in the hell would that matter? I HAVE THE ONE VERISIGN IS USING. Game over. Valdis came up with a possible use of such documents. While I do not think there is zero utility in those instances, they are pretty small vectors compared to, say, having a root cert at a major CA.I want a google.com cert. I ask a CA to sign my fake google.com certificate. They decline, because I can't prove I control google.com.Even better: I want a CA cert. I convince a CA to issue me a regular, end-entity cert for `example.com` (which I control) in such a way that I can generate another cert with the same SHA1 hash, but which has `CA:TRUE` for the Basic Constraints extension. Wham! I can now generate certs for *EVERYONE*. At least until someone notices and takes away my shiny new toy...Since I have said this somewhere on the order of half a dozen times, I will assume I am missing something obvious and all of you are doing it right. So let me ask you: The attack creates two docs. You do not know the hash before the attack starts. You cannot take an existing file with a known hash and create a second file which matches the known hash. You start with nothing, run the "attack", and get two NEW docs that have the same hash. A hash which is brand new. Now, please explain how you take a cert with one hash and somehow use this attack, which creates two new docs with a new hash, to do, well, anything?
1. Create a certificate C[ert] for a single domain you control with hash h(c). 2. Create a second certificate A[ttack] marked as a certificate authority such that h(C) = h(A). 3. Have a certificate authority sign cert C 4. Present the signature for A along with A for whatever nefarious purpose you want. See a similar version of this attack here using MD5 chosen-prefix collision attack: https://www.win.tue.nl/hashclash/rogue-ca/ -- Eitan Adler
Current thread:
- Re: SHA1 collisions proven possisble, (continued)
- Re: SHA1 collisions proven possisble Florian Weimer (Feb 24)
- Re: SHA1 collisions proven possisble Jimmy Hess (Feb 25)
- Re: SHA1 collisions proven possisble Patrick W. Gilmore (Feb 26)
- Re: SHA1 collisions proven possisble Nick Hilliard (Feb 26)
- Re: SHA1 collisions proven possisble Brett Frankenberger (Feb 26)
- Re: SHA1 collisions proven possisble Matt Palmer (Feb 26)
- RE: SHA1 collisions proven possisble Keith Medcalf (Feb 26)
- RE: SHA1 collisions proven possisble Jon Lewis (Feb 27)
- Re: SHA1 collisions proven possisble valdis . kletnieks (Feb 27)
- Re: SHA1 collisions proven possisble Patrick W. Gilmore (Feb 26)
- Re: SHA1 collisions proven possisble Eitan Adler (Feb 26)
- Re: SHA1 collisions proven possisble Randy Bush (Feb 27)
- Re: SHA1 collisions proven possisble Matt Palmer (Feb 26)
- Re: SHA1 collisions proven possisble valdis . kletnieks (Feb 27)
- Re: SHA1 collisions proven possisble Chris Adams (Feb 27)