
Fwd: RE: SHA1 collision found



FYI

-------- Forwarded Message --------
Subject: RE: SHA1 collision found
Date: Thu, 23 Feb 2017 15:00:05 -0500
From: Robert J. Hansen <rjh AT sixdemonbag.org>
To: gnupg-users AT gnupg.org

(I originally sent this off-list by mistake.  Peter was kind enough to
respond off-list and to suggest we take it back on-list.  This email is
a distillation of three different emails: my original, Peter's response,
and a response to Peter.)

=====

> I already answered that here[1]. The use of SHA-1 in fingerprints is 
> not susceptible to a collision attack, so it's still safe. SHA-1 in 
> fingerprints is only susceptible to a second-preimage attack which is 
> much harder than a collision attack and unheard of for SHA-1.

To which I said, "Create two keys with the same fingerprint.  Sign a
contract with one, then renege on the deal.  When you get called into
court, say 'I never signed that, Your Honor!' and present the second
key.  This collision pretty much shatters the nonrepudiability of SHA-1
signatures."

To which Peter quite reasonably answered that the other person has a
copy of the public key which was used to sign the document originally.
Why should the fraudster's denial be believed?

The answer is that to enforce a contract (at least here in the United
States) you must be able to prove, based on a preponderance of the
evidence, that the other person entered into a contract with you.  So
imagine this conversation:

PLAINTIFF: "Your Honor, the defendant reneged on a $10,000 contract.
Make him pay up."
DEFENDANT: "I never signed anything, Your Honor."
PLAINTIFF: "I have his key, it's right here."
DEFENDANT: "That's not my key.  This is my key."
PLAINTIFF: "Of course that's what he claims!  They have the same SHA-1
fingerprint!  He did that in order to deny his signature!"
JUDGE: "So these keys are uniquely identified by the fingerprint?"
(both parties agree)
JUDGE: "And you have two keys that are identified by the same fingerprint?"
(both parties agree)
JUDGE: "And there's no way to tell which key is real?"
(both parties agree)
JUDGE: "Then we're stuck.  There's no reason to prefer one key over
another.  Plaintiff, you have failed your burden of proof in
establishing the defendant signed the contract."

Now, you could establish proof some other way: let's say you made a
videotape of the defendant signing the document.  If you could introduce
other supporting evidence (which might include other signatures on keys)
you might be able to convince the judge the signature is enforceable.
But there's nothing intrinsic to the signature itself which could
convince the judge.

So Peter is completely right to say "but there's no reason to believe
one person over the other."  Completely, absolutely right.  But the
person asking the court to enforce a contract must present a reason to
believe them over the defendant.

I hope this clarifies my answer!

(Peter also rightly remarked that he thought nonrepudiability in OpenPGP
was kind of iffy anyway.  He and I are in complete agreement on this.
OpenPGP has always had very iffy nonrepudiability.  With this SHA-1
attack, I feel the threshold has been crossed and we need to consider it
repudiable.)


