Re: SHA-1 broken


* Jon Callas wrote:

A key fingerprint is little more than a hash of the key material, the 
creation time, and a few constants. There's very little place in there 
to manufacture a collision. Fingerprints need little more than 
one-way-ness.


IBTD, sorry.

The recent attack allows to construct two "random" messages differing in
some (few) bits generating the same hash.

So a possible attack might be to generate such a collision and search one of
the messages in existing key material from the key servers. If some key was
found containing one of those sequences, it can be replaced by a different
key by changing those few bits.

This manipulation does not change the fingerprint and might not change the
key signature nor the user certificates, so the modified key is a drop in
replacement for the old one.

The main advantage for the attacker is, that the modified key might be easily
factorised. Very likely. So the attacker can mount a MITM attack using the
web of trust to hide it.

Bad news.

<Prev in Thread]	Current Thread	[Next in Thread>
Re: SHA-1 broken, (continued) Re: SHA-1 broken, David Shaw Re: SHA-1 broken, Werner Koch Re: SHA-1 broken, Ian G Re: SHA-1 broken, David Shaw Re: SHA-1 broken, Konrad Rosenbaum Re: SHA-1 broken, Konrad Rosenbaum Re: SHA-1 broken, Vlad \"SATtva\" Miller Re: SHA-1 broken, aboietf Re: SHA-1 broken, Ian G Re: SHA-1 broken, Jon Callas Re: SHA-1 broken, Lutz Donnerhacke <= Re: SHA-1 broken, Jon Callas Re: SHA-1 broken, Werner Koch The oracle weakness and the art of disclosure, Ian G Re: SHA-1 broken, Konrad Rosenbaum Re: SHA-1 broken, aboietf Re: SHA-1 broken, Werner Koch Re: SHA-1 broken, "Hal Finney" Re: SHA-1 broken, Werner Koch Re: SHA-1 broken, Ingo Luetkebohle Re: SHA-1 broken, Ian G

Previous by Date:	Re: Hash Collision Shield (subpacket def), Rick van Rein
Next by Date:	Re: SHA-1 broken, Werner Koch
Previous by Thread:	Re: SHA-1 broken, Jon Callas
Next by Thread:	Re: SHA-1 broken, Jon Callas
Indexes:	[Date] [Thread] [Top] [All Lists]