[193780] in North American Network Operators' Group
Re: SHA1 collisions proven possible
daemon@ATHENA.MIT.EDU (valdis.kletnieks@vt.edu)
Thu Feb 23 17:54:28 2017
X-Original-To: nanog@nanog.org
From: valdis.kletnieks@vt.edu
X-Google-Original-From: Valdis.Kletnieks@vt.edu
To: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <EBD013B2-5045-46FF-8CBB-61B38EC09A36@ianai.net>
Date: Thu, 23 Feb 2017 15:57:35 -0500
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Thu, 23 Feb 2017 15:03:34 -0500, "Patrick W. Gilmore" said:
> For instance, someone cannot take Verisign’s root cert and create a cert
> which collides on SHA-1. Or at least we do not think they can. We’ll know in 90
> days when Google releases the code.
From the announce:
"It is now practically possible to craft two colliding PDF files and obtain a
SHA-1 digital signature on the first PDF file which can also be abused as a
valid signature on the second PDF file."
So they're able to craft two objects that collide to the same unpredictable
hash, but *not* produce an object that collides to a pre-specified hash.
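
Added example, not part of the original message: the distinction drawn above between a free collision and hitting a pre-specified hash, shown on SHA-1 truncated to 24 bits so both searches run in seconds. The truncation, the function names and the sample strings are assumptions for illustration; the search is a generic birthday search, not the technique from the announcement.

```python
import hashlib
from itertools import count

BITS = 24  # toy digest size (assumption for the demo); real SHA-1 is 160 bits


def h(msg: bytes) -> bytes:
    """SHA-1 truncated to BITS bits so both searches finish quickly."""
    return hashlib.sha1(msg).digest()[:BITS // 8]


def find_collision(prefix: bytes = b"doc-"):
    """Attacker chooses BOTH messages: birthday search, about 2**(BITS/2) tries.

    The colliding digest is whatever value happens to repeat first; the
    attacker does not get to pick it.
    """
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        digest = h(msg)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg


def find_second_preimage(target: bytes, budget: int, prefix: bytes = b"forged-"):
    """Digest is fixed in advance (an existing cert): about 2**BITS tries.

    Returns (message, tries) on success or (None, budget) when the budget
    runs out first.
    """
    for i in range(budget):
        msg = prefix + str(i).encode()
        if h(msg) == target:
            return msg, i + 1
    return None, budget


if __name__ == "__main__":
    a, b, tries = find_collision()
    print(f"collision after {tries} tries: {a!r} / {b!r} -> {h(a).hex()}")

    # Constructed stand-in for a certificate someone else already issued.
    target = h(b"existing signed certificate (constructed sample)")
    forged, spent = find_second_preimage(target, budget=tries)
    print(f"same budget against fixed digest {target.hex()}: "
          f"{'found ' + repr(forged) if forged else 'nothing'} after {spent} tries")
```
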