[193836] in North American Network Operators' Group
Re: SHA1 collisions proven possisble
daemon@ATHENA.MIT.EDU (Brett Frankenberger)
Sun Feb 26 20:01:48 2017
X-Original-To: nanog@nanog.org
Date: Sun, 26 Feb 2017 17:41:47 -0600
From: Brett Frankenberger <rbf+nanog@panix.com>
To: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <06CA245F-452B-4CF9-9F21-ADACEA08C051@ianai.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
>
> I repeat something I've said a couple times in this thread: If I can
> somehow create two docs with the same hash, and somehow con someone
> into using one of them, chances are there are bigger problems than a
> SHA1 hash collision.
>
> If you assume I could somehow get Verisign to use a cert I created to
> match another cert with the same hash, why in the hell would that
> matter? I HAVE THE ONE VERISIGN IS USING. Game over.
>
> Valdis came up with a possible use of such documents. While I do not
> think there is zero utility in those instances, they are pretty small
> vectors compared to, say, having a root cert at a major CA.
I want a google.com cert. I ask a CA to sign my fake google.com
certificate. They decline, because I can't prove I control google.com.
I create a cert for mydomain.com,that hashes to the same value as my
fake google.com cret. I ask a CA to sign my mydomain.com cert. They
do, because I can prove I control mydomain.com.
Now I effectively have a signed google.com cert.
Of course, SHA1 is already deprecated for this purpose, and the
currently demonstrated attack isn't flexible enough to have much chance
at getting a colliding certificate signed. So, practically speaking,
this isn't a problem *today* (even if SHA1 were deprecated). So this
is more of a "here's the sort of thing collision attacks can be used
for" point, rather than "here's what you can do with this attack right
now" point.
-- Brett
