SHA1 collisions proven possible

Patrick W. Gilmore patrick at
Fri Feb 24 02:16:12 UTC 2017

On Feb 23, 2017, at 9:08 PM, valdis.kletnieks at wrote:
> On Thu, 23 Feb 2017 20:56:28 -0500, "Patrick W. Gilmore" said:
>> According to the blog post, you can create two documents which have the same
>> hash, but you do not know what that hash is until the algorithm finishes. You
>> cannot create a document which matches a pre-existing hash, i.e. the one in the
>> signed doc.
> You missed the point.  I generate *TWO* documents, with different terms but the
> same hash. I don't care if it matches anything else's hash, as long as these two
> documents have the same hash.  I get you to sign the hash on the *ONE* document I present to you
> that is favorable to you.  I then take your signature and transfer it to the
> *OTHER* document.
> No, I can't create a collision to a document you produced, or do anything to a
> document you already signed. But if I'm allowed to take it and make "minor
> formatting changes", or if I can just make sure I have the last turn in the
> back-and-forth negotiating... because the problem is if I can get you to sign a
> plaintext of my choosing….

I did miss the point. Thanks for setting me straight.

A couple things will make this slightly less useful for the attacker:
	1) How many people are not going to keep a copy? Once both docs are
	   found to have the same hash, well, game over.

	2) The headers will be very strange indeed. The way this works is
	   Google twiddled with the headers to make them look the same. That
	   is probably pretty obvious if you look for it.

Oh, and third: Everyone should stop using SHA-1 anyway. :-)
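The signature-transfer problem from the quoted reply, and the two countermeasures above (keep a copy, stop using SHA-1), as an added illustration that is not part of the mail thread. It uses a constructed toy digest (SHA-1 truncated to 24 bits) so that a colliding pair can be found offline in seconds, and an HMAC stands in for the asymmetric signature; both are assumptions for the demo, not the real attack's parameters.

```python
import hashlib
import hmac

# Constructed toy digest: SHA-1 truncated to 24 bits so that a collision is
# cheap to find offline. The mechanics are those of the real attack; only the
# cost differs (the real SHA-1 collision took about 2^63 SHA-1 computations).
def toy_digest(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()[:3]

def find_colliding_pair(body_a: bytes, body_b: bytes):
    """Birthday search over a variable header field until some header+body_a
    and some header+body_b share a toy digest. Returns (doc_a, doc_b).
    The "twiddled" header line is where the two documents visibly differ."""
    seen = {}          # digest -> (which body, full document)
    counter = 0
    while True:
        hdr = b"%%HDR:" + counter.to_bytes(4, "big").hex().encode() + b"\n"
        for tag, body in (("A", body_a), ("B", body_b)):
            doc = hdr + body
            d = toy_digest(doc)
            if d in seen and seen[d][0] != tag:
                other = seen[d][1]
                return (doc, other) if tag == "A" else (other, doc)
            seen.setdefault(d, (tag, doc))
        counter += 1

# A signature scheme signs the digest, not the document. HMAC stands in for
# the asymmetric signature here (assumption made for this demo).
def sign(key: bytes, doc: bytes, digest=toy_digest) -> bytes:
    return hmac.new(key, digest(doc), "sha256").digest()

def verify(key: bytes, doc: bytes, sig: bytes, digest=toy_digest) -> bool:
    return hmac.compare_digest(sign(key, doc, digest), sig)

def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def demo():
    favorable = b"Price: 100 USD\n"       # constructed: the version you sign
    unfavorable = b"Price: 100000 USD\n"  # constructed: the version shown later
    doc_a, doc_b = find_colliding_pair(favorable, unfavorable)
    key = b"signer-key-stand-in"          # constructed
    sig = sign(key, doc_a)
    transferred = verify(key, doc_b, sig)          # True: signature moves over
    # Point 1 in the mail: keep a copy. A strong hash of the retained copy
    # does not match the document presented later.
    copy_matches = sha256_digest(doc_a) == sha256_digest(doc_b)   # False
    # Point 3: sign over SHA-256 instead; the transferred signature fails.
    sig256 = sign(key, doc_a, sha256_digest)
    transferred_256 = verify(key, doc_b, sig256, sha256_digest)   # False
    return doc_a, doc_b, transferred, copy_matches, transferred_256
```

Running demo() returns the colliding pair plus the three outcomes; a plain diff of doc_a and doc_b shows the odd header line the mail refers to in point 2.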

