ietf-openpgp

Re: [openpgp] "SHA-1 is a Shambles" and forging PGP WoT signatures

2020-01-23 18:01:03

Kai Engert <kaie(_at_)kuix(_dot_)de> wrote:
    >> * The authors could have easily created colliding public keys with
    >> identical (160 bit SHA-1) fingerprints, at the cost of 45k USD.
    >> Although I don't know about any attack made possible by owning such a
    >> pair of keys, the pure existence of a fingerprint collision could cause
    >> problems in some applications, triggering potential bugs in code that
    >> assumes fingerprints can never be identical.

    > Does this mean, anyone can create a key pair that has the same
    > fingerprint as I have on my business card, by spending that amount
    > of money?

I did not read that.  It could be true, but I did not conclude that.
I read that they can forge a signature from you (or me), on a key, attesting
to your email address being attached to your key.

So, they can attach a different key, with a different fingerprint, to your
email address, with a signature that appears to come from either of us.

    > Does this mean, comparing a 20 bytes (40 hex digits) fingerprint, as
    > printed by e.g. GnuPG 2.2.x, is no longer a reliable way to verify you
    > have obtained the correct key?

I don't believe that this is the case.

I don't believe that there is anything in the bytes that goes into the
fingerprint that would permit a JPEG to be inserted to provide the mutable
bytes needed.

I also want to say that constructs that use HMAC-SHA1 (IPsec, TLS) are not
affected.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr(_at_)sandelman(_dot_)ca  http://www.sandelman.ca/        |   ruby on rails    [



_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
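
For reference alongside the fingerprint discussion above, this added example (not part of the original message or of any OpenPGP implementation) builds the octets that RFC 4880 section 12.2 hashes for a version 4 fingerprint and accounts for every field in them. The RSA values and timestamp are constructed, and the function names are this example's own.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """RFC 4880 section 3.2 MPI: 2-octet bit count, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    # version octet, 4-octet creation time, algorithm id 1 (RSA), then n and e
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint_input(body: bytes) -> bytes:
    """Exact octets hashed: 0x99, 2-octet body length, then the packet body."""
    return b"\x99" + struct.pack(">H", len(body)) + body

def v4_fingerprint(body: bytes) -> str:
    """160-bit SHA-1 fingerprint as 40 upper-case hex digits."""
    return hashlib.sha1(v4_fingerprint_input(body)).hexdigest().upper()

def field_lengths(body: bytes) -> dict:
    """Walk an RSA key body and account for every octet that gets hashed."""
    fields = {"version": 1, "creation_time": 4, "algorithm": 1}
    pos = 6
    for name in ("rsa_n", "rsa_e"):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        size = 2 + (bits + 7) // 8
        fields[name] = size
        pos += size
    if pos != len(body):
        raise ValueError("trailing octets after the last MPI")
    return fields

# Constructed sample values, not a real key.
SAMPLE_N = (1 << 2047) + 0x1234567   # placeholder 2048-bit modulus
SAMPLE_E = 65537
SAMPLE_CREATED = 1579802463          # constructed timestamp
SAMPLE_BODY = v4_rsa_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    print(v4_fingerprint(SAMPLE_BODY))
    for name, size in field_lengths(SAMPLE_BODY).items():
        print(f"{name:14s} {size:4d} octets")
```

User ID, User Attribute and signature packets are separate packets in the transferable key and do not appear in this input.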