ietf-openpgp

Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

2020-01-23 09:57:50
Hi,

On 1/22/20 10:18 PM, Florian Weimer wrote:
> * Marcus Brinkmann:
>
>> * Do not sign photo ids.  In fact, photo ids are problematic in many
>> other ways and should be deprecated and not be used anymore. Support for
>> user attribute packets should be dropped from the standard.
>
> I expect that a similar attack would work involving non-critical
> hashed subpackets in the private area.  They should provide enough
> wiggle room.

You certainly can use hashed subpackets to get a collision, although the
attacker would then need to control the content of such a subpacket
during signing (which is not required by the setup in the paper).

I have to add another point to the list of observations.  From the
paper: "We point out that the chosen-prefix collision is computed before
choosing the UserIDs and images that will be used in the attack.
Therefore, a single CPC can be reused to attack many different victims"

Recommendation: It would be prudent for implementers to blacklist public
keys starting with the same bits as the published colliding key for bob
under https://sha-mbles.github.io/bob.asc.

The authors also describe an attack variant where the collision is made
within the jpg, but this requires computing a new collision for each
individual attack.  They suspect that more variants are possible.

Thanks,
Marcus

-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann

Attachment: 0x88B08D5A57B62140.asc
Description: application/pgp-keys

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
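
An added example, not part of the original message or of any OpenPGP implementation: one way to apply the prefix denylist recommended in the message above, in Python. The prefix value is a constructed placeholder (the real bytes would be taken from the published bob.asc), and comparing the leading bytes of the public-key packet body is an assumption about what "starting with the same bits" covers.

```python
import base64

# Constructed placeholder, NOT the real value: replace with the leading bytes
# of the public-key packet body taken from the published bob.asc.
DENYLISTED_PREFIXES = [bytes.fromhex("045e000000012000" + "aa" * 24)]

def dearmor(text):
    """Return the binary packets of an ASCII-armored block (CRC not verified)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    start = lines.index("") + 1          # armor headers end at the blank line
    body = [l for l in lines[start:] if not l.startswith(("=", "-----"))]
    return base64.b64decode("".join(body))

def first_packet(data):
    """Parse the first OpenPGP packet header; return (tag, body)."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:                   # new-format header
        tag, first = data[0] & 0x3F, data[1]
        if first < 192:                  # one-octet length
            hdr, length = 2, first
        elif first < 224:                # two-octet length
            low = int.from_bytes(data[2:3], "big")
            hdr, length = 3, ((first - 192) << 8) + low + 192
        elif first == 255:               # five-octet length
            hdr, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body length not valid for key packets")
    else:                                # old-format header
        tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype                   # 1, 2 or 4 length octets
        hdr, length = 1 + n, int.from_bytes(data[1:1 + n], "big")
    if len(data) < hdr + length:
        raise ValueError("truncated packet")
    return tag, data[hdr:hdr + length]

def is_denylisted(key_bytes):
    """True if the leading public-key packet starts with a denylisted prefix."""
    tag, body = first_packet(key_bytes)
    if tag != 6:                         # 6 = public-key packet
        raise ValueError("first packet is not a public-key packet")
    return any(body.startswith(p) for p in DENYLISTED_PREFIXES)
```

The check belongs at key import and before issuing a certification, since the quoted passage from the paper says a single chosen-prefix collision can be reused against many victims.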