SHA1 collisions proven possisble
Patrick W. Gilmore
patrick at ianai.net
Mon Feb 27 06:15:28 UTC 2017
Composed on a virtual keyboard, please forgive typos.
On Feb 26, 2017, at 21:16, Matt Palmer <mpalmer at hezmatt.org> wrote:
>> On Sun, Feb 26, 2017 at 05:41:47PM -0600, Brett Frankenberger wrote:
>>> On Sun, Feb 26, 2017 at 12:18:48PM -0500, Patrick W. Gilmore wrote:
>>> I repeat something I've said a couple times in this thread: If I can
>>> somehow create two docs with the same hash, and somehow con someone
>>> into using one of them, chances are there are bigger problems than a
>>> SHA1 hash collision.
>>> If you assume I could somehow get Verisign to use a cert I created to
>>> match another cert with the same hash, why in the hell would that
>>> matter? I HAVE THE ONE VERISIGN IS USING. Game over.
>>> Valdis came up with a possible use of such documents. While I do not
>>> think there is zero utility in those instances, they are pretty small
>>> vectors compared to, say, having a root cert at a major CA.
>> I want a google.com cert. I ask a CA to sign my fake google.com
>> certificate. They decline, because I can't prove I control google.com.
> Even better: I want a CA cert. I convince a CA to issue me a regular,
> end-entity cert for `example.com` (which I control) in such a way that I can
> generate another cert with the same SHA1 hash, but which has `CA:TRUE` for
> the Basic Constraints extension.
> Wham! I can now generate certs for *EVERYONE*. At least until someone
> notices and takes away my shiny new toy...
Since I have said this somewhere on the order of half a dozen times, I will assume I am missing something obvious and all of you are doing it right.
So let me ask you: The attack creates two docs. You do not know the hash before the attack starts. You cannot take an existing file with a known hash and create a second file which matches the known hash. You start with nothing, run the "attack", and get two NEW docs that have the same hash. A hash which is brand new.
Now, please explain how you take a cert with one hash and somehow use this attack, which creates two new docs with a new hash, to do, well, anything?
In the example above, the CA knows the SHA-1 hash of the cert it issued. (We are assuming there is a CA which still does SHA-1.) How do you get that CA to believe the two OTHER certs with DIFFERENT hashes you have to create so you can have two docs with the same hash?
More information about the NANOG