ietf-openpgp

Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

2020-01-23 17:49:08
Hi,

On 1/23/20 11:56 PM, Kai Engert wrote:
> On 22.01.20 15:31, Marcus Brinkmann wrote:
>> * The authors could have easily created colliding public keys with
>> identical (160 bit SHA-1) fingerprints, at the cost of 45k USD.
>> Although I don't know about any attack made possible by owning such a
>> pair of keys, the pure existence of a fingerprint collision could cause
>> problems in some applications, triggering potential bugs in code that
>> assumes fingerprints can never be identical.
>
> Does this mean, anyone can create a key pair that has the same
> fingerprint as I have on my business card, by spending that amount of
> money?

No. That is something that we would call a "second pre-image attack" on
your fingerprint.  The collision attacks described in the paper generate
two colliding files from scratch.  So, the attacker could come up with
two entirely new keys that have identical fingerprints.  As I said, I
don't know any attack that would be enabled by such two keys, but it is
concerning, because software might not be prepared for that to happen.

Pre-image attacks are much harder than collision attacks (which are
easier due to the "birthday paradox").  However, it is not good practice
to hold on to a cryptographic hash function for a long time just because
one narrow particular application of it has not been demonstrated
publicly to be broken in practice yet.  We pretty much know the
progression in which hash function attacks improve, and interest in
researching an obsolete hash function decreases pretty rapidly.  I'm
glad the authors spent the time and money to demonstrate their optimized
attacks on SHA-1, but such expenses will be increasingly hard to justify.

> Does this mean, comparing a 20 bytes (40 hex digits) fingerprint, as
> printed by e.g. GnuPG 2.2.x, is no longer a reliable way to verify you
> have obtained the correct key?

The answer to this would formally be "yes", because after creating two
such keys, the attacker could first show you one key, and, later on show
you the other key and if the only thing you remember about the first key
is the fingerprint, you have no way to notice the swap.

The question of whether this is an actual problem (i.e.: violates a security
goal that the user is actually interested in) is more difficult to
answer and depends on many details.  Figuring this out would require a
careful review of OpenPGP implementations and applications using OpenPGP.

Thanks,
Marcus

-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
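
Added example, not part of the original message and not code from any OpenPGP implementation: the key swap described above goes unnoticed when only the fingerprint is remembered, and is caught when a digest of the whole key is pinned next to it. Assumptions: the fingerprint is truncated to 16 bits (toy_fingerprint) so that a collision can be constructed instantly, the key bodies are constructed byte strings rather than real key packets, and SHA-256 as the pin digest and the KeyPinStore class are choices made for this illustration.

```python
import hashlib
from itertools import count


def v4_fingerprint(key_body: bytes) -> bytes:
    """OpenPGP v4 fingerprint (RFC 4880, section 12.2):
    SHA-1 over octet 0x99, a two-octet length, then the public key packet body."""
    header = b"\x99" + len(key_body).to_bytes(2, "big")
    return hashlib.sha1(header + key_body).digest()


def toy_fingerprint(key_body: bytes) -> bytes:
    """Assumption for the demo: keep only 16 bits so collisions are cheap."""
    return v4_fingerprint(key_body)[:2]


def find_colliding_bodies(fingerprint=toy_fingerprint):
    """Birthday search. Both inputs are freely chosen, as in a collision
    attack; neither is fixed in advance, unlike a second pre-image."""
    seen = {}
    for i in count():
        body = b"constructed-key-material-%d" % i  # constructed, not a real key
        fp = fingerprint(body)
        if fp in seen:
            return seen[fp], body
        seen[fp] = body


class KeyPinStore:
    """Remembers a SHA-256 digest of the full key next to its fingerprint."""

    def __init__(self, fingerprint=v4_fingerprint):
        self._fingerprint = fingerprint
        self._pins = {}  # fingerprint -> SHA-256 of the key material first seen

    def check(self, key_body: bytes) -> str:
        fp = self._fingerprint(key_body)
        digest = hashlib.sha256(key_body).digest()
        pinned = self._pins.get(fp)
        if pinned is None:
            self._pins[fp] = digest
            return "pinned"
        return "match" if pinned == digest else "swapped"


if __name__ == "__main__":
    first, second = find_colliding_bodies()
    store = KeyPinStore(fingerprint=toy_fingerprint)
    # Same fingerprint both times, but the second key is flagged as a swap.
    print(store.check(first), store.check(first), store.check(second))
```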
