[193841] in North American Network Operators' Group


Re: SHA1 collisions proven possible

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Mon Feb 27 01:15:32 2017

X-Original-To: nanog@nanog.org
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <20170227021600.GA28832@hezmatt.org>
Date: Mon, 27 Feb 2017 01:15:28 -0500
To: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Composed on a virtual keyboard, please forgive typos.

On Feb 26, 2017, at 21:16, Matt Palmer <mpalmer@hezmatt.org> wrote:
>> On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
>>> On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
>>> I repeat something I've said a couple times in this thread: If I can
>>> somehow create two docs with the same hash, and somehow con someone
>>> into using one of them, chances are there are bigger problems than a
>>> SHA1 hash collision.
>>>
>>> If you assume I could somehow get Verisign to use a cert I created to
>>> match another cert with the same hash, why in the hell would that
>>> matter?  I HAVE THE ONE VERISIGN IS USING.  Game over.
>>>
>>> Valdis came up with a possible use of such documents. While I do not
>>> think there is zero utility in those instances, they are pretty small
>>> vectors compared to, say, having a root cert at a major CA.
>>
>> I want a google.com cert.  I ask a CA to sign my fake google.com
>> certificate.  They decline, because I can't prove I control google.com.
>
> Even better: I want a CA cert.  I convince a CA to issue me a regular,
> end-entity cert for `example.com` (which I control) in such a way that I can
> generate another cert with the same SHA1 hash, but which has `CA:TRUE` for
> the Basic Constraints extension.
>
> Wham!  I can now generate certs for *EVERYONE*.  At least until someone
> notices and takes away my shiny new toy...

Since I have said this somewhere on the order of half a dozen times, I will assume I am missing something obvious and all of you are doing it right.

So let me ask you: The attack creates two docs. You do not know the hash before the attack starts. You cannot take an existing file with a known hash and create a second file which matches the known hash. You start with nothing, run the "attack", and get two NEW docs that have the same hash. A hash which is brand new.

Now, please explain how you take a cert with one hash and somehow use this attack, which creates two new docs with a new hash, to do, well, anything?

In the example above, the CA knows the SHA-1 hash of the cert it issued. (We are assuming there is a CA which still does SHA-1.) How do you get that CA to believe the two OTHER certs with DIFFERENT hashes you have to create so you can have two docs with the same hash?

-- 
TTFN,
patrick
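Added example, not part of the thread and not code by any of the posters: a toy that walks through the scenario Matt Palmer describes in the quoted text, with the hash weakened so the collision search finishes in seconds. Everything in it is constructed for illustration. weak_hash() is SHA-1 truncated to 32 bits standing in for full SHA-1; the CA's signature is an HMAC-SHA256 over the digest standing in for RSA-with-SHA1 (the only property relied on is that the signature covers the digest, not the certificate bytes); and the "certificate" is a flat key=value encoding rather than X.509 DER. The two to-be-signed documents are produced together by a chosen-prefix birthday search before either is submitted; no pre-existing digest is an input. The CA sees and validates only the CA:FALSE document, and its signature then verifies over the CA:TRUE document because the two digests are identical.

```python
"""Toy walk-through of the signature-transplant step behind a collision
attack on certificate issuance.  Added example for the thread above; not the
posters' code.  Everything here is constructed for illustration:

  * weak_hash() is SHA-1 truncated to 32 bits, so a chosen-prefix collision
    costs a few hundred thousand hash calls instead of SHAttered's ~2**63.
  * The "CA" signs with HMAC-SHA256 over the digest, standing in for
    RSA-with-SHA1.  The only property relied on is that the signature covers
    the digest, not the certificate bytes.
  * The "certificate" is a flat key=value encoding rather than X.509 DER.
"""
import hashlib
import hmac

TRUNC = 4                                    # bytes of SHA-1 kept (32 bits)
CA_KEY = b"constructed-demo-ca-private-key"  # the CA's signing key stand-in


def weak_hash(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()[:TRUNC]


def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes, suffix: bytes,
                            table_size: int = 1 << 18, budget: int = 1 << 22):
    """Birthday search for fillers fa, fb such that
    weak_hash(prefix_a + fa + suffix) == weak_hash(prefix_b + fb + suffix).

    Both documents are created here, from scratch, before anyone has signed
    anything; no existing digest is an input.  Returns (doc_a, doc_b)."""
    table = {}
    for i in range(table_size):
        fa = b"A%08d" % i
        table[weak_hash(prefix_a + fa + suffix)] = fa
    for i in range(budget):
        fb = b"B%08d" % i
        h = weak_hash(prefix_b + fb + suffix)
        if h in table:
            return prefix_a + table[h] + suffix, prefix_b + fb + suffix
    raise RuntimeError("no collision found within budget")


def parse_cert(tbs: bytes) -> dict:
    fields = {}
    for line in tbs.split(b"\n"):
        if b"=" in line:
            k, v = line.split(b"=", 1)
            fields[k] = v
    return fields


def ca_sign(tbs: bytes) -> bytes:
    # The signature is computed over the digest only, exactly as a real
    # RSA-with-SHA1 signature would be.
    return hmac.new(CA_KEY, weak_hash(tbs), hashlib.sha256).digest()


def verify(tbs: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(ca_sign(tbs), sig)


def ca_issue(request: bytes) -> bytes:
    """A CA that still signs SHA-1.  It checks only the request it is shown."""
    f = parse_cert(request)
    if f.get(b"subject") != b"example.com":      # domain control (constructed)
        raise ValueError("subject not validated")
    if f.get(b"ca") != b"FALSE":                 # never knowingly issue a CA cert
        raise ValueError("refusing to issue CA:TRUE")
    return ca_sign(request)


def _would_issue(tbs: bytes) -> bool:
    try:
        ca_issue(tbs)
        return True
    except ValueError:
        return False


def run_attack() -> dict:
    suffix = b"\nvalidity=20170227..20180227\n"
    benign = b"subject=example.com\nca=FALSE\nfiller="
    rogue = b"subject=Attacker Root\nca=TRUE\nfiller="
    tbs_benign, tbs_rogue = chosen_prefix_collision(benign, rogue, suffix)

    sig = ca_issue(tbs_benign)          # the CA only ever sees the benign cert
    # Transplant: identical digest, so the same signature verifies the rogue TBS.
    return {
        "same_digest": weak_hash(tbs_benign) == weak_hash(tbs_rogue),
        "benign_verifies": verify(tbs_benign, sig),
        "rogue_verifies": verify(tbs_rogue, sig),
        "rogue_is_ca": parse_cert(tbs_rogue).get(b"ca") == b"TRUE",
        "ca_would_issue_rogue_directly": _would_issue(tbs_rogue),
    }


if __name__ == "__main__":
    for k, v in run_attack().items():
        print(f"{k}: {v}")
```

One caveat on how closely this maps to SHA-1 in February 2017: the SHAttered result was an identical-prefix collision (two files sharing a prefix and suffix, differing only in the collision blocks), whereas the toy above, like the 2008 MD5 rogue-CA attack, uses a chosen-prefix collision so that the two documents can carry different subject and Basic Constraints fields. A public chosen-prefix collision for SHA-1 did not exist at the time of this thread.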


