ietf-openpgp

Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

2020-01-23 16:57:02
On 22.01.20 15:31, Marcus Brinkmann wrote:
> * The authors could have easily created colliding public keys with
> identical (160 bit SHA-1) fingerprints, at the cost of 45k USD.
> Although I don't know about any attack made possible by owning such a
> pair of keys, the pure existence of a fingerprint collision could cause
> problems in some applications, triggering potential bugs in code that
> assumes fingerprints can never be identical.

Does this mean anyone can create a key pair that has the same fingerprint as the one I have on my business card, by spending that amount of money?

Does this mean comparing a 20-byte (40 hex digit) fingerprint, as printed by e.g. GnuPG 2.2.x, is no longer a reliable way to verify that you have obtained the correct key?

Thanks
Kai

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
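Added example (not part of the thread, not GnuPG code): how a v4 OpenPGP fingerprint is derived from the public key packet (SHA-1 over 0x99, a 2-byte length and the packet body, per RFC 4880), which is why a SHA-1 collision on that hashed packet yields two different keys with one fingerprint, and why a defender who can obtain the full key should compare the key packet bytes rather than the 40 hex digits alone. The RSA values and timestamp below are constructed toy data, not a real key.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (public-key algorithm id 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """Fingerprint = SHA-1(0x99 || 2-byte body length || body), as 40 upper-case hex digits."""
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def v4_key_id(fingerprint_hex: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes (last 16 hex digits) of the v4 fingerprint."""
    return fingerprint_hex[-16:]


def same_key(body_a: bytes, body_b: bytes) -> bool:
    """Defensive comparison: the full key packet, not just its SHA-1 digest, must match."""
    return body_a == body_b


# Constructed toy values (NOT a real key; real RSA moduli are 2048 bits or more).
CREATED = 1579712222
TOY_N = 0xC0FFEE1234567890ABCDEF
TOY_E = 65537
KEY_A = v4_rsa_public_key_body(CREATED, TOY_N, TOY_E)
# Identical key material, creation time one second later: the fingerprint changes,
# because the timestamp is part of the hashed packet body.
KEY_B = v4_rsa_public_key_body(CREATED + 1, TOY_N, TOY_E)

if __name__ == "__main__":
    fp_a, fp_b = v4_fingerprint(KEY_A), v4_fingerprint(KEY_B)
    print("fingerprint A:", fp_a, "key ID:", v4_key_id(fp_a))
    print("fingerprint B:", fp_b, "key ID:", v4_key_id(fp_b))
    print("fingerprints differ although key material is identical:", fp_a != fp_b)
    print("full packet comparison A vs B:", same_key(KEY_A, KEY_B))
```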