
From nobody Wed Jan 22 06:31:39 2020
To: openpgp@ietf.org
From: Marcus Brinkmann <marcus.brinkmann@rub.de>
Message-ID: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de>
Date: Wed, 22 Jan 2020 15:31:26 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------04332C14DE5F76CD3DAC75F1"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/h-6vCMDFFKhVXpXLC6gAt9tK7r8>
Subject: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 14:31:38 -0000

This is a multi-part message in MIME format.
--------------04332C14DE5F76CD3DAC75F1
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Hi,

I have now read the paper "SHA-1 is a Shambles"[1,2] by Gaëtan Leurent
and Thomas Peyrin, and want to bring to your attention the significance
of the included work for OpenPGP.

Key findings: The authors significantly improve the identical-prefix and
chosen-prefix collisions for SHA-1, demonstrating that chosen-prefix
collisions are possible at a cost of 45k USD.  They also demonstrate how
to use a chosen-prefix collision to transfer a signature that binds a
photo-ID to a key to a crafted other key with a chosen user ID.

Some more explanations:

The attack works as follows: The attacker prepares a public key packet
for an 8192 bit RSA key, and assigns an arbitrary user ID for which the
attacker wants to get a certificate from the victim.  The attacker also
prepares another public key packet for a 6114 bit RSA key, followed by a
user attribute packet with an innocent (honest) photo id. The JPEG
format allows arbitrary trailing data hiding the user ID under attack.

A signer that signs the photo id will inadvertently also sign the
contained user ID.  The signature can then be transferred to the
colliding 8192-bit key with that user ID, because the signed hash is
identical (the JPEG is hidden in the public exponent of the larger key).

The attack is not stealthy and can be detected before and after the
signature is made (for example by the user id in the jpeg or by the jpeg
in the public key).

Some observations and recommendations:

* Obvious: do not use SHA-1 in signatures. GnuPG 2.x now forbids them,
but GnuPG 1 users should be aware of that issue (among many other issues
in GnuPG 1).

* Large key sizes in RSA seem to make the attack simpler compared to
short key sizes in ECC (which does not offer enough room for a
collision block).

* Do not sign photo ids.  In fact, photo ids are problematic in many
other ways and should be deprecated and not be used anymore. Support for
user attribute packets should be dropped from the standard.

* The authors could have easily created colliding public keys with
identical (160 bit SHA-1) fingerprints, at the cost of 45k USD.
Although I don't know about any attack made possible by owning such a
pair of keys, the pure existence of a fingerprint collision could cause
problems in some applications, triggering potential bugs in code that
assumes fingerprints can never be identical.

* The attack complexity is 2^63.4, while long key IDs are 64 bit.  Long
key ID collisions based on the birthday collision have been demonstrated
as early as 2013 [3, 4].  Just based on the bit complexity, a pre-image
collision for long key IDs seems within reach now (up to an unknown
constant factor).

Thanks,
Marcus

[1] https://sha-mbles.github.io/
[2] https://eprint.iacr.org/2020/014.pdf
[3] "OpenPGPv4 long keyid collision test cases?" (David Leon Gil)
https://mailarchive.ietf.org/arch/msg/openpgp/Al8DzxTH2KT7vtFAgZ1q17Nub_g
[4] "The Long Key ID Collider" (Chris Wellons)
https://nullprogram.com/blog/2019/07/22/

-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann

--------------04332C14DE5F76CD3DAC75F1--
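
Added example (not part of the original message, and not code from the paper or from any OpenPGP implementation): the two checks the message above points to, flagging SHA-1 signatures and spotting data hidden after the end of a photo-ID JPEG, run over a binary OpenPGP packet stream. Packet layouts follow RFC 4880; the function names and the sample packets are constructed for illustration.

```python
# Added example, not code from the thread: audit a binary OpenPGP packet stream
# (RFC 4880 layouts) for SHA-1 signatures and photo-ID JPEGs with trailing bytes.
SHA1 = 2                                   # hash algorithm ID
TAG_SIGNATURE, TAG_USER_ATTRIBUTE = 2, 17  # packet tags

def read_len(buf, i, subpacket=False):
    """Decode a new-format length at buf[i]; return (length, next_index)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled in this example")

def packets(buf):
    """Yield (tag, body) for every packet in a de-armored packet stream."""
    i = 0
    while i < len(buf):
        hdr = buf[i]
        if not hdr & 0x80:
            raise ValueError("no packet header at offset %d" % i)
        if hdr & 0x40:                     # new-format header
            tag = hdr & 0x3F
            n, i = read_len(buf, i + 1)
        else:                              # old-format header
            tag, width = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            rest = len(buf) - i - 1        # width 0: body runs to the end
            n = int.from_bytes(buf[i + 1:i + 1 + width], "big") if width else rest
            i += 1 + width
        yield tag, buf[i:i + n]
        i += n

def jpeg_trailing_bytes(img):
    """Walk JPEG markers; return bytes after End-Of-Image, None if malformed."""
    if not img.startswith(b"\xff\xd8"):    # Start-Of-Image
        return None
    i = 2
    while i + 1 < len(img):
        if img[i] != 0xFF:
            return None                    # lost marker sync
        marker = img[i + 1]
        if marker == 0xFF:                 # fill byte before a marker
            i += 1
        elif marker == 0xD9:               # End-Of-Image
            return len(img) - (i + 2)
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            i += 2                         # markers without a length field
        else:
            seglen = int.from_bytes(img[i + 2:i + 4], "big")
            if seglen < 2:
                return None
            i += 2 + seglen
            if marker == 0xDA:             # Start-Of-Scan: skip entropy data
                while i + 1 < len(img) and (img[i] != 0xFF or img[i + 1] == 0
                                            or 0xD0 <= img[i + 1] <= 0xD7):
                    i += 1
    return None

def audit(buf):
    """Return (packet_index, finding, detail) tuples for a packet stream."""
    findings = []
    for idx, (tag, body) in enumerate(packets(buf)):
        if tag == TAG_SIGNATURE:           # hash octet: offset 3 (v4), 16 (v3)
            off = {3: 16, 4: 3}.get(body[0] if body else None)
            if off is not None and len(body) > off and body[off] == SHA1:
                findings.append((idx, "sha1-signature", body[0]))
        elif tag == TAG_USER_ATTRIBUTE:
            j = 0
            while j < len(body):
                sublen, j = read_len(body, j, subpacket=True)
                sub, j = body[j:j + sublen], j + sublen
                if sub[:1] != b"\x01":     # only image attribute subpackets
                    continue
                hdrlen = int.from_bytes(sub[1:3], "little")  # little-endian
                extra = jpeg_trailing_bytes(sub[1 + hdrlen:])
                if extra is None:
                    findings.append((idx, "image-not-parseable", None))
                elif extra:
                    findings.append((idx, "jpeg-trailing-data", extra))
    return findings

# Constructed sample data: skeleton packets, not real keys, images or signatures.
JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01"
        + b"\x00\x00" + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
        + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
TRAILING = b"constructed trailing bytes"

def _pkt(tag, body):                       # new-format header, 1-octet length
    return bytes([0xC0 | tag, len(body)]) + body
def _sig(hash_alg):                        # v4 layout, empty subpacket areas
    return _pkt(2, bytes([4, 0x13, 1, hash_alg, 0, 0, 0, 0, 0xAB, 0xCD, 0, 1, 1]))
def _photo(jpeg):                          # image subpacket with v1 header
    sub = b"\x01" + b"\x10\x00\x01\x01" + bytes(12) + jpeg
    return _pkt(17, bytes([len(sub)]) + sub)

SAMPLE = _sig(SHA1) + _sig(8) + _photo(JPEG) + _photo(JPEG + TRAILING)
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Bytes after End-Of-Image are a reason to inspect the image before certifying it, not proof of a collision attempt.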


From nobody Wed Jan 22 13:19:58 2020
From: Florian Weimer <fw@deneb.enyo.de>
To: Marcus Brinkmann <marcus.brinkmann=40rub.de@dmarc.ietf.org>
Cc: openpgp@ietf.org
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de>
Date: Wed, 22 Jan 2020 22:18:41 +0100
In-Reply-To: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> (Marcus Brinkmann's message of "Wed, 22 Jan 2020 15:31:26 +0100")
Message-ID: <878slzdwb2.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/RbGmEHV8R8Pl15_drChUrBCwJBc>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

* Marcus Brinkmann:

> * Do not sign photo ids.  In fact, photo ids are problematic in many
> other ways and should be deprecated and not be used anymore. Support for
> user attribute packets should be dropped from the standard.

I expect that a similar attack would work involving non-critical
hashed subpackets in the private area.  They should provide enough
wiggle room.

> * The authors could have easily created colliding public keys with
> identical (160 bit SHA-1) fingerprints, at the cost of 45k USD.
> Although I don't know about any attack made possible by owning such a
> pair of keys, the pure existence of a fingerprint collision could cause
> problems in some applications, triggering potential bugs in code that
> assumes fingerprints can never be identical.

It would definitely be nice to have such colliding keys for testing
purposes.


From nobody Thu Jan 23 07:57:39 2020
To: openpgp@ietf.org
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <878slzdwb2.fsf@mid.deneb.enyo.de>
From: Marcus Brinkmann <marcus.brinkmann@rub.de>
Message-ID: <99133cd4-cd9d-a364-2cd9-02f955096926@rub.de>
Date: Thu, 23 Jan 2020 16:57:30 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <878slzdwb2.fsf@mid.deneb.enyo.de>
Content-Type: multipart/mixed; boundary="------------2FE5771F39D01EA2B7AE2ECD"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ALA2kmOdKNQhCoqOi40ok04RZFY>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

This is a multi-part message in MIME format.
--------------2FE5771F39D01EA2B7AE2ECD
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Hi,

On 1/22/20 10:18 PM, Florian Weimer wrote:
> * Marcus Brinkmann:
> 
>> * Do not sign photo ids.  In fact, photo ids are problematic in many
>> other ways and should be deprecated and not be used anymore. Support for
>> user attribute packets should be dropped from the standard.
> 
> I expect that a similar attack would work involving non-critical
> hashed subpackets in the private area.  They should provide enough
> wiggle room.

You certainly can use hashed subpackets to get a collision, although the
attacker would then need to control the content of such a subpacket
during signing (which is not required by the setup in the paper).

I have to add another point to the list of observations.  From the
paper: "We point out that the chosen-prefix collision is computed before
choosing the UserIDs and images that will be used in the attack.
Therefore, a single CPC can be reused to attack many different victims"

Recommendation: It would be prudent for implementers to blacklist public
keys starting with the same bits as the published colliding key for bob
under https://sha-mbles.github.io/bob.asc.

The authors also describe an attack variant where the collision is made
within the jpg, but this requires computing a new collision for each
individual attack.  They suspect that more variants are possible.

Thanks,
Marcus

-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann

--------------2FE5771F39D01EA2B7AE2ECD--


From nobody Thu Jan 23 14:56:47 2020
To: Marcus Brinkmann <marcus.brinkmann=40rub.de@dmarc.ietf.org>, openpgp@ietf.org
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de>
From: Kai Engert <kaie@kuix.de>
Message-ID: <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
Date: Thu, 23 Jan 2020 23:56:39 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Thunderbird/68.4.2
MIME-Version: 1.0
In-Reply-To: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/jRZIRrK4hwg3_oDM7HkOYnWDxwI>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

On 22.01.20 15:31, Marcus Brinkmann wrote:
> * The authors could have easily created colliding public keys with
> identical (160 bit SHA-1) fingerprints, at the cost of 45k USD.
> Although I don't know about any attack made possible by owning such a
> pair of keys, the pure existence of a fingerprint collision could cause
> problems in some applications, triggering potential bugs in code that
> assumes fingerprints can never be identical.

Does this mean, anyone can create a key pair that has the same 
fingerprint as I have on my business card, by spending that amount of money?

Does this mean, comparing a 20 bytes (40 hex digits) fingerprint, as 
printed by e.g. GnuPG 2.2.x, is no longer a reliable way to verify you 
have obtained the correct key?

Thanks
Kai


From nobody Thu Jan 23 15:08:14 2020
MIME-Version: 1.0
Date: Thu, 23 Jan 2020 18:08:10 -0500
To: "Kai Engert" <kaie@kuix.de>, openpgp@ietf.org
From: vedaal@nym.hush.com
In-Reply-To: <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de> 
Content-Type: multipart/alternative; boundary="=_8d7721bce9998859d68dd6e9f790c56a"
Message-Id: <20200123230810.D979DC0640@smtp.hushmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/H9pWKlINt6aQ5cOA5-9hURqrY7g>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

--=_8d7721bce9998859d68dd6e9f790c56a
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="UTF-8"

On 1/23/2020 at 5:57 PM, "Kai Engert" wrote:
On 22.01.20 15:31, Marcus Brinkmann wrote:
> * The authors could have easily created colliding public keys with
> identical (160 bit SHA-1) fingerprints, at the cost of 45k USD.
> Although I don't know about any attack made possible by owning such a
> pair of keys, the pure existence of a fingerprint collision could cause
> problems in some applications, triggering potential bugs in code that
> assumes fingerprints can never be identical.

Does this mean, anyone can create a key pair that has the same 
fingerprint as I have on my business card, by spending that amount of
money?

=====
I have not checked the original paper, but I *think* they were talking
about making a key collision, 
with a given 160 bit SHA-1 fingerprint,
but *without* the same name, and e-mail address,
which would be much less of a practical threat.

Anybody, please correct, if I am wrong, and they did include the name
and e-mail in the proposal for a successful collision.

Thanks,

vedaal
--=_8d7721bce9998859d68dd6e9f790c56a--


From nobody Thu Jan 23 15:48:53 2020
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
From: Marcus Brinkmann <marcus.brinkmann@rub.de>
To: IETF OpenPGP <openpgp@ietf.org>
Message-ID: <602eeb15-fccf-fe61-7b28-7dea35d3af15@rub.de>
Date: Fri, 24 Jan 2020 00:48:43 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.3.0
MIME-Version: 1.0
In-Reply-To: <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/u-S9v9Dvi0CM8qStw_TvSO7w8vI>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

Hi,

On 1/23/20 11:56 PM, Kai Engert wrote:
> On 22.01.20 15:31, Marcus Brinkmann wrote:
>> * The authors could have easily created colliding public keys with
>> identical (160 bit SHA-1) fingerprints, at the cost of 45k USD.
>> Although I don't know about any attack made possible by owning such a
>> pair of keys, the pure existence of a fingerprint collision could cause
>> problems in some applications, triggering potential bugs in code that
>> assumes fingerprints can never be identical.
> 
> Does this mean, anyone can create a key pair that has the same
> fingerprint as I have on my business card, by spending that amount of
> money?

No. That is something that we would call a "second pre-image attack" on
your fingerprint.  The collision attacks described in the paper generate
two colliding files from scratch.  So, the attacker could come up with
two entirely new keys that have identical fingerprints.  As I said, I
don't know any attack that would be enabled by such two keys, but it is
concerning, because software might not be prepared for that to happen.

Pre-image attacks are much harder than collision attacks (which are
easier due to the "birthday paradox").  However, it is not good practice
to hold on to a cryptographic hash function for a long time just because
one narrow particular application of it has not been demonstrated
publicly to be broken in practice yet.  We pretty much know the
progression in which hash function attacks improve, and interest in
researching an obsolete hash function decreases pretty rapidly.  I'm
glad the authors spent the time and money to demonstrate their optimized
attacks on SHA-1, but such expenses will be increasingly hard to justify.

> Does this mean, comparing a 20 bytes (40 hex digits) fingerprint, as
> printed by e.g. GnuPG 2.2.x, is no longer a reliable way to verify you
> have obtained the correct key?
The answer to this would formally be "yes", because after creating two
such keys, the attacker could first show you one key, and, later on show
you the other key and if the only thing you remember about the first key
is the fingerprint, you have no way to notice the swap.

The question if this is an actual problem (i.e.: violates a security
goal that the user is actually interested in) is more difficult to
answer and depends on many details.  Figuring this out would require a
careful review of OpenPGP implementations and applications using OpenPGP.

Thanks,
Marcus

-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann


From nobody Thu Jan 23 16:00:52 2020
From: Michael Richardson <mcr@sandelman.ca>
To: Kai Engert <kaie@kuix.de>
cc: Marcus Brinkmann <marcus.brinkmann=40rub.de@dmarc.ietf.org>, openpgp@ietf.org
In-Reply-To: <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Thu, 23 Jan 2020 19:00:45 -0500
Message-ID: <5213.1579824045@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Mgs1sivGJifjbro2p6cSfnpEbsU>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

--=-=-=
Content-Type: text/plain


Kai Engert <kaie@kuix.de> wrote:
    >> * The authors could have easily created colliding public keys with
    >> identical (160 bit SHA-1) fingerprints, at the cost of 45k USD.
    >> Although I don't know about any attack made possible by owning such a
    >> pair of keys, the pure existence of a fingerprint collision could cause
    >> problems in some applications, triggering potential bugs in code that
    >> assumes fingerprints can never be identical.

    > Does this mean, anyone can create a key pair that has the same fingerprint as
    > I have on my business card, by spending that amount of money?

I did not read that.  It could be true, but I did not conclude that.
I read that they can forge a signature from you (or me), on a key, attesting
to your email address being attached to your key.

So, they can attach a different key, with a different fingerprint, to your
email address, with a signature that appears to come from either of us.

    > Does this mean, comparing a 20 bytes (40 hex digits) fingerprint, as printed
    > by e.g. GnuPG 2.2.x, is no longer a reliable way to verify you have obtained
    > the correct key?

I don't believe that this is the case.

I don't believe that there is anything in the bytes that goes into the
fingerprint that would permit a JPEG to be inserted to provide the mutable
bytes needed.

I also want to say that constructs that use HMAC-SHA1 (IPsec, TLS) are not affected.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [



--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--


From nobody Thu Jan 23 16:22:35 2020
Date: Fri, 24 Jan 2020 00:22:28 +0000
From: Damien Goutte-Gattat <dgouttegattat@incenp.org>
To: Kai Engert <kaie@kuix.de>
Cc: Marcus Brinkmann <marcus.brinkmann=40rub.de@dmarc.ietf.org>, openpgp@ietf.org
Message-ID: <20200124002228.ek7bcwlbghuoborr@dynein.local.incenp.org>
OpenPGP: id=4FA2082362FE73AD03B88830A8DC7067E25FBABB; url=https://incenp.org/srv/dgouttegattat.asc; preference=signencrypt
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="4prwhd5shq5ie7sj"
Content-Disposition: inline
In-Reply-To: <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/j1e2eVvEFAmDz--eSMK2onCfnV8>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

--4prwhd5shq5ie7sj
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jan 23, 2020 at 11:56:39PM +0100, Kai Engert wrote:
>Does this mean, anyone can create a key pair that has the same
>fingerprint as I have on my business card, by spending that amount of
>money?

No.

What they have done is generate two keys in such a way that a SHA-1
certification on one key is also a valid certification for the other
key.

It means that someone can:

1) create a key A with *your* user ID;

2) create a key *B* with a different user ID;

3) have someone certify the key B with a SHA-1-based signature;

4) attach that signature to key *A* and your user ID.

At the end, that someone gets a key with your name and a
cryptographically valid signature (or even several signatures, if the
attacker repeats steps 3 and 4). She can thus impersonate you to anyone
trusting the signer(s) involved at step 3.

What Marcus says the author *could* have done is to generate the two
keys A and B in such a way that they also have the same fingerprint.
They have not done so, as one can easily verify e.g. by running `gpg
--list-packets` on the provided keys (they don’t even have the same
short key ID). In the scenario outlined above, I am not sure the
attacker would have anything to gain in having the two keys A and B
sharing the same fingerprint anyway, which may explain why the authors
did not try. They don’t even discuss that possibility.

In any case, the attack does *not* allow to generate a key with the same
fingerprint as a pre-existing, un-related key.


Cheers,

- Damien

--4prwhd5shq5ie7sj
Content-Type: application/pgp-signature; name="signature.asc"


--4prwhd5shq5ie7sj--


From nobody Fri Jan 24 08:57:16 2020
From: Michael Richardson <mcr@sandelman.ca>
To: Damien Goutte-Gattat <dgouttegattat@incenp.org>
cc: Kai Engert <kaie@kuix.de>, Marcus Brinkmann <marcus.brinkmann=40rub.de@dmarc.ietf.org>, openpgp@ietf.org
In-Reply-To: <20200124002228.ek7bcwlbghuoborr@dynein.local.incenp.org>
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de> <20200124002228.ek7bcwlbghuoborr@dynein.local.incenp.org>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Fri, 24 Jan 2020 11:57:09 -0500
Message-ID: <24969.1579885029@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/3E_bNlDYyg0BRr8ECImYsKy2U4E>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

--==-=-=
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain


Damien Goutte-Gattat <dgouttegattat@incenp.org> wrote:
    > What Marcus says the author *could* have done is to generate the two keys A
    > and B in such a way that they also have the same fingerprint. They have
    > not

I'm not convinced that there are enough under-determined bytes that can be
mutated in the content that goes into making the fingerprint.
AFAIK, it's just the key.

I guess, maybe if the key is big enough (rsa 8K, bigger), that the bytes
could be in the prime itself.  Are you saying that?  If so, I wonder what the
smallest key for which this is true is.


--=-=-=
Content-Type: text/plain
Content-Disposition: inline
Content-Description: Signature

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [





--=-=-=--

--==-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--==-=-=--


From nobody Fri Jan 24 09:00:59 2020
From: Michael Richardson <mcr@sandelman.ca>
To: Marcus Brinkmann <marcus.brinkmann=40rub.de@dmarc.ietf.org>
cc: IETF OpenPGP <openpgp@ietf.org>
In-Reply-To: <602eeb15-fccf-fe61-7b28-7dea35d3af15@rub.de>
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de> <602eeb15-fccf-fe61-7b28-7dea35d3af15@rub.de>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Fri, 24 Jan 2020 12:00:51 -0500
Message-ID: <25922.1579885251@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ucMlApfrCIOlO1gHB5HKSlynZug>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

--=-=-=
Content-Type: text/plain


Marcus Brinkmann <marcus.brinkmann=40rub.de@dmarc.ietf.org> wrote:
    >> Does this mean, comparing a 20 bytes (40 hex digits) fingerprint, as
    >> printed by e.g. GnuPG 2.2.x, is no longer a reliable way to verify you
    >> have obtained the correct key?

    > The answer to this would formally be "yes", because after creating two
    > such keys, the attacker could first show you one key, and, later on show
    > you the other key and if the only thing you remember about the first key
    > is the fingerprint, you have no way to notice the swap.

Would the attacker have to control the private keys of both generated keys to
accomplish this?  I don't entirely see why.

Clearly the signatures generated by the two keys (with identical
fingerprints) would also be different (assume that the signatures were
calculated on a SHA256 hash, to remove an attack from that side).

    > The question if this is an actual problem (i.e.: violates a security
    > goal that the user is actually interested in) is more difficult to
    > answer and depends on many details.  Figuring this out would require a
    > careful review of OpenPGP implementations and applications using OpenPGP.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--


From nobody Fri Jan 24 13:21:36 2020
Date: Fri, 24 Jan 2020 21:21:28 +0000
From: Damien Goutte-Gattat <dgouttegattat@incenp.org>
To: Michael Richardson <mcr@sandelman.ca>
Cc: openpgp@ietf.org
Message-ID: <20200124212128.vxqr6nq7kvdnfjkh@dynein.local.incenp.org>
OpenPGP: id=4FA2082362FE73AD03B88830A8DC7067E25FBABB; url=https://incenp.org/srv/dgouttegattat.asc; preference=signencrypt
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de> <20200124002228.ek7bcwlbghuoborr@dynein.local.incenp.org> <24969.1579885029@localhost>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="an5kmzd6rom4r7dy"
Content-Disposition: inline
In-Reply-To: <24969.1579885029@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/yL8Z5vED5AKRROu3aQaq3elb07c>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

--an5kmzd6rom4r7dy
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Jan 24, 2020 at 11:57:09AM -0500, Michael Richardson wrote:
>I guess, maybe if the key is big enough (rsa 8K, bigger), that the
>bytes could be in the prime itself.  Are you saying that?

Yes.


> If so, I wonder what the smallest key for which this is true is.

The collision found by the authors used 9 near-collision blocks (4608
bits). They believe it would have been possible to find a collision with
7 near-collision blocks (3584 bits), which could fit into a 4096-bit RSA
key.


- Damien

--an5kmzd6rom4r7dy
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQSAzBuNBMJi3f7hmAxvfw+R0Tj8ewUCXitfzQAKCRBvfw+R0Tj8
e0LzAQCqSve4kNQnlntYzXrKMJTrljwe/WrRLzlC+hitaTcx2gD/TclxFaAUQKhZ
sCNxk4tRuDJgL5WmHsWs4PJooj8wPgU=
=wNb9
-----END PGP SIGNATURE-----

--an5kmzd6rom4r7dy--


From nobody Fri Jan 24 17:16:00 2020
To: Michael Richardson <mcr@sandelman.ca>, Damien Goutte-Gattat <dgouttegattat@incenp.org>
Cc: Kai Engert <kaie@kuix.de>, openpgp@ietf.org
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de> <20200124002228.ek7bcwlbghuoborr@dynein.local.incenp.org> <24969.1579885029@localhost>
From: Marcus Brinkmann <marcus.brinkmann@rub.de>
Message-ID: <11771a85-231f-8a67-63e2-41b857f5d853@rub.de>
Date: Sat, 25 Jan 2020 02:15:51 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.3.0
MIME-Version: 1.0
In-Reply-To: <24969.1579885029@localhost>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/mEm6AK_gw0s2OORsOrLJVxbx4So>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

Hi,

On 1/24/20 5:57 PM, Michael Richardson wrote:
> 
> Damien Goutte-Gattat <dgouttegattat@incenp.org> wrote:
>     > What Marcus says the author *could* have done is to generate the two keys A
>     > and B in such a way that they also have the same fingerprint. They have
>     > not
> 
> I'm not convinced that there are enough under-determined bytes that can be
> mutated in the content that goes into making the fingerprint.
> AFAIK, it's just the key.
> 
> I guess, maybe if the key is big enough (rsa 8K, bigger), that the bytes
> could be in the prime itself.  Are you saying that?  If so, I wonder what the
> smallest key for which this is true is.

The authors demonstrate a collision block within an RSA 6144-bit public
key.  The collision happens at the first 6056 bits of the modulus, and
the remaining 88 bits are used to make a valid modulus for the public
exponent, which is fixed at 2^16+1.

Thanks,
Marcus




-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
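
Added example, not part of the thread or of the paper's code: it lays out a v4 RSA public-key packet as it is fed to SHA-1 for the fingerprint (RFC 4880 framing: 0x99, two-octet length, packet body) and counts how many whole 512-bit SHA-1 blocks fall inside the modulus for a given key size. The function names and the placeholder modulus are constructed for illustration.

```python
import hashlib
import struct

SHA1_BLOCK = 64  # SHA-1 processes its input in 64-byte (512-bit) blocks


def mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-byte big-endian bit count, then the magnitude bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_fingerprint_input(n: int, e: int, created: int) -> bytes:
    """Bytes hashed for a v4 RSA fingerprint: 0x99, 2-byte length, packet body."""
    # Body: version 4, creation time, algorithm 1 (RSA), MPI n, MPI e.
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(n: int, e: int, created: int) -> str:
    """SHA-1 over the framed public-key packet, as 40 hex digits."""
    return hashlib.sha1(v4_fingerprint_input(n, e, created)).hexdigest().upper()


def modulus_block_capacity(modulus_bits: int) -> dict:
    """Locate the modulus inside the SHA-1 input and count whole blocks in it."""
    n = (1 << (modulus_bits - 1)) | 1  # constructed placeholder, not a real key
    data = v4_fingerprint_input(n, 65537, 0)
    start = 3 + 1 + 4 + 1 + 2          # framing + version + time + algo + MPI length
    end = start + modulus_bits // 8    # one past the last modulus byte
    assert data[start:end] == n.to_bytes(modulus_bits // 8, "big")
    first = -(-start // SHA1_BLOCK)    # first block that starts after the header
    last = end // SHA1_BLOCK           # one past the last block wholly inside n
    return {
        "modulus_offset": start,
        "whole_blocks": last - first,
        "bits_to_last_boundary": (last * SHA1_BLOCK - start) * 8,
        "tail_bits": (end - last * SHA1_BLOCK) * 8,
    }


if __name__ == "__main__":
    for bits in (2048, 4096, 6144, 8192):
        print(bits, modulus_block_capacity(bits))
```

For 4096 bits this reports 7 whole blocks (3584 bits); for 6144 bits the modulus reaches a SHA-1 block boundary after 6056 bits with 88 bits left over, which lines up with the figures given in the two replies above.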


From nobody Fri Jan 24 17:21:22 2020
To: Michael Richardson <mcr@sandelman.ca>
Cc: IETF OpenPGP <openpgp@ietf.org>
References: <d8321b24-8836-2702-6b01-242b4cab932f@rub.de> <e4dc8c25-2282-17a8-7e64-cee55f43be84@kuix.de> <602eeb15-fccf-fe61-7b28-7dea35d3af15@rub.de> <25922.1579885251@localhost>
From: Marcus Brinkmann <marcus.brinkmann@rub.de>
Message-ID: <72069ecf-e309-ee4d-8206-705273c64640@rub.de>
Date: Sat, 25 Jan 2020 02:21:14 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.3.0
MIME-Version: 1.0
In-Reply-To: <25922.1579885251@localhost>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/BybHikldisS2XCe37z3fgQqMoqg>
Subject: Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

Hi,

On 1/24/20 6:00 PM, Michael Richardson wrote:
> 
> Marcus Brinkmann <marcus.brinkmann=40rub.de@dmarc.ietf.org> wrote:
>     >> Does this mean, comparing a 20 bytes (40 hex digits) fingerprint, as
>     >> printed by e.g. GnuPG 2.2.x, is no longer a reliable way to verify you
>     >> have obtained the correct key?
> 
>     > The answer to this would formally be "yes", because after creating two
>     > such keys, the attacker could first show you one key, and, later on show
>     > you the other key and if the only thing you remember about the first key
>     > is the fingerprint, you have no way to notice the swap.
> 
> Would the attacker have to control the private keys of both generated keys to
> accomplish this?  I don't entirely see why.

As the collision I am thinking of happens in the modulus MPI, the
attacker would control the modulus and thus the private exponent (public
exponent fixed at 2^16+1).

> Clearly the signatures generated by the two keys (with identical
> fingerprints) would also be different (assume that the signatures were
> calculated on a SHA256 hash, to remove an attack from that side).

Yes. Any signatures made by these keys would be different.

Thanks,
Marcus

-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann

