Re: [pkix] Off topic: Preimage attack on SHA-1
Jorge López <jlopez.ha@gmail.com> Wed, 14 March 2012 08:19 UTC
Return-Path: <jlopez.ha@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBE6B21F86D7 for <pkix@ietfa.amsl.com>; Wed, 14 Mar 2012 01:19:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.209
X-Spam-Level:
X-Spam-Status: No, score=-1.209 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, HTML_MESSAGE=0.001, J_CHICKENPOX_41=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pnKR+MzHk41M for <pkix@ietfa.amsl.com>; Wed, 14 Mar 2012 01:19:47 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0EB8321F86CB for <pkix@ietf.org>; Wed, 14 Mar 2012 01:19:46 -0700 (PDT)
Received: by ggmi1 with SMTP id i1so1721619ggm.31 for <pkix@ietf.org>; Wed, 14 Mar 2012 01:19:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=nur6TnYryUiuPayPkYoNvdIVypAPfRZL78QdnKp8ZmA=; b=O4GB2NpQHnNrDINkAnAh4Ut5fA+te1xmLzjvG8QzmJfEYPJOG8ATWNQ6IxxaF7yl0f paZ7eZJ2+lySIVyNx+DwWu4fzLXBv9z++eU86iDWrhuDDEigPvJYCVrm995qnsYHYN44 G0eNlNv5bq8qZuXF8+OkstZ3ZA6hCQa3RaRKJcDbI+cAtqWzT0MBHlSewzuXd8apl902 M4V3JF0hB2ZhTMzRRdEslSH2kH+0H55xCKAyoKL/qox4H+rE8uEBhTNCHxwEwocpO9vG ixNsLw53uyYRznzeMZvQ/JTlOlpq/eTvknU4EQlxMaY8naARpJeaMHAWbXt+DjDH+Ggi 86Kw==
MIME-Version: 1.0
Received: by 10.101.128.23 with SMTP id f23mr608813ann.9.1331713186398; Wed, 14 Mar 2012 01:19:46 -0700 (PDT)
Received: by 10.100.59.9 with HTTP; Wed, 14 Mar 2012 01:19:46 -0700 (PDT)
In-Reply-To: <CB641416.10D3%tmiller@mitre.org>
References: <4F3D8AEB.1060408@lockstep.com.au> <CB641416.10D3%tmiller@mitre.org>
Date: Wed, 14 Mar 2012 09:19:46 +0100
Message-ID: <CAHt+fwuWTuNDzpvrf28MP10HMZKhpvFmbBtRRRh_hJ3ZmAMFew@mail.gmail.com>
From: Jorge López <jlopez.ha@gmail.com>
To: "Miller, Timothy J." <tmiller@mitre.org>
Content-Type: multipart/alternative; boundary="001636c597ef6b012004bb2fa332"
Cc: pkix <pkix@ietf.org>
Subject: Re: [pkix] Off topic: Preimage attack on SHA-1
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2012 08:19:50 -0000
Hi, Just one remark: As Dan mentioned, collision attacks (find 2 messages such that their hashes coincide) are of higher concern than pre-image (having a hash h find a message M / hash(M) = h) and second pre-image attacks (having a message M find a second message M' / hash(M) = hash(M'), but the algorithmic complexity of the former (collision attacks) is not half of the latter, but much lower. Particularly, it is 2^(n/2), n being the length of the hash, while for pre-image and second pre-image attacks is 2^n. There is an exponential difference, not linear. Having said that, there are theoretical attacks that reduce the complexity needed to find a collision that are below brute force. I say theoretical because though they are below 2^64 for SHA-1 they are still impractical. As far as I now, in 2010 Marc Stevens implemented a differential path attack against SHA-1 with a complexity of about 2^57. I am not very updated on this topic, so maybe there have been some contributions to the field in the last year that have gone even beyond that. Best, Jorge. 2012/2/17 Miller, Timothy J. <tmiller@mitre.org> > Arjen Lenstra and Benne de Weger's work with MD5 may be of interest to > you. Not a preimage attack, but the method of integrating a collision > into X.509 may be relevant. > > http://www.win.tue.nl/~bdeweger/CollidingCertificates/ > > -- T > > On 2/16/12 5:02 PM, "Stephen Wilson" <swilson@lockstep.com.au> wrote: > > > > > > > > > > > Many thanks Dan for this and the subsequent clarification. > > > > Can I ask a silly question: I've assumed that in preimage attacks > > [where synthetic data A' is computed so that Hash(A') == Hash(A) > > original data A] it is not necessary for A and A' to have the same > > bit length. I am guessing that computing A' is a whole lot easier > > if you can make it as long as you like. > > > > Now, you ponder "how much flexibility there is in the X.509 format" > > and I it's fair to say there is a lot. You can add totally custom > > fields to a certificate and in general, most X.509 parsers will skip > > over them. > > > > So here's a thought. If A' can be longer than A, then a preimage > > attacker could add a nonsense field to the SHA1+RSA profile of > > interest, and populate that extra field with whatever data is needed > > to 'compensate' for tampering with data in the original body of the > > certificate (say the public key value). The nonsense field might be > > arbitrarily long and still escape the notice of the applications > > consuming the certificates. > > > > Cheers, > > > > Steve Wilson. > > > > > > > > On 17/02/2012 8:16 AM, Dan Brown wrote: > > > > > > > > > > > > > > Hi > > Stephen, > > > > Regarding > > your supplementary question: > > > > > > 1) > > You¹re > > right that the pre-image would need to meet the X.509 > > ToBeSigend format, so it would depend on the nature of the > > pre-image attack. Any pre-image attack on SHA-1 would > > require about 160 bits of flexibility in the pre-image > > format (i.e. to have a large enough target pre-image space > > to ensure that pre-images of the hash value to be inverted > > exists). I¹m not sure how much flexibility there is in the > > X.509 format, but I think the serial number could support a > > sequence of freely chosen bits, which may be a simple enough > > formatting restriction to accommodate some pre-image > > attacks. (Although the resulting serial number may be larger > > than usual, so could be viewed as suspicious.) The public > > exponent in an RSA key could support 160 bits, but the > > result would look suspicious. The subject name has a large > > amount of flexibility, but it seems especially unlikely that > > an actual faster-than-generic pre-image attack have the > > needed control in the pre-image. > > > > 2) > > The > > answer also depends the vulnerability of the signature > > algorithm to hash pre-image attacks. The algorithms DSA and > > ECDSA admit existential forgery using a hash pre-image > > finder, and so does RSA-PSS as specified in PKCS#1 version > > 2.1 (but as far as I can tell not RSA-PSS as originally > > propose by Bellare and Rogaway). I don¹t see how a hash > > pre-image finder suffices to forge an RSA-PKCS1-v1.5 > > signature. > > > > 3) > > Under > > generic attacks, a hash functions¹s pre-image resistance has > > about the twice the security level of the collision > > resistance (exhaustive search vs. birthday). Typically, the > > public key is chosen to have a security level half that of > > the pre-image resistance of hash. So, normally hash > > pre-image attacks are not a concern for signatures, unless > > they are very drastic improvements over exhaustive search. > > > > > > Best > > regards, > > > > > > > > > > > > > > Daniel > > Brown > > > > > > > > > > Research > > In Motion Limited > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From: > > pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] > > On Behalf Of Stephen Wilson > > Sent: Thursday, February 09, 2012 2:44 PM > > To: pkix > > Subject: [pkix] Off topic: Preimage attack on > > SHA-1 > > > > > > > > > > Colleagues, > > > > Trying the PKIX > > list for its cryptographic expertise, I hope you don't > > mind: > > > > > > Is anyone aware > > of a demonstrated preimage attack (or demonstrated > > feasibility of a practical preimage attack) on SHA-1? > > Is it still the case, as it was when RFC4270 was > > published in 2005, that there is only the possibility > > of Collision attack? > > > > Supplementary > > question: Does anyone think a preimage attack on the > > signature of a PKC, even if mounted, would be a > > practical problem? I would have thought there would > > be so much interference with the rest of the data > > structures that the certificate would become > > unparseable. > > > > Cheers, > > > > > > > > Stephen Wilson > > Lockstep > > http://lockstep.com.au <http://www.lockstep.com.au> > > Lockstep Consulting provides independent specialist > > advice and analysis > > on digital identity and privacy. Lockstep Technologies > > develops unique > > new smart ID solutions that enhance privacy and prevent > > identity theft. > > > > > > > > > > > > > > > >--------------------------------------------------------------------- > > > > This transmission (including any attachments) may contain > > confidential information, privileged material (including material > > protected by the solicitor-client or other applicable privileges), > > or constitute non-public information. Any use of this information > > by anyone other than the intended recipient is prohibited. If you > > have received this transmission in error, please immediately reply > > to the sender and delete this information from your system. Use, > > dissemination, distribution, or reproduction of this transmission > > by unintended recipients is not authorized and may be unlawful. > > > > > > > > > >_______________________________________________ > >pkix mailing list > >pkix@ietf.org > >https://www.ietf.org/mailman/listinfo/pkix > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix >
- [pkix] Off topic: Preimage attack on SHA-1 Stephen Wilson
- Re: [pkix] Off topic: Preimage attack on SHA-1 Dan Brown
- [pkix] Off-topic clarification RE: Off topic: Pre… Dan Brown
- Re: [pkix] Off topic: Preimage attack on SHA-1 Stephen Wilson
- [pkix] Off-topic clarification RE: Off topic: Pre… Dan Brown
- Re: [pkix] Off topic: Preimage attack on SHA-1 Miller, Timothy J.
- Re: [pkix] Off topic: Preimage attack on SHA-1 Jorge López