[tahoe-dev] SHA-1 broken! (was: Request for hash-dependency in Tahoe security.)
Ray Dillinger
bear at sonic.net
Fri May 1 20:29:29 EDT 2009
On Thu, 2009-04-30 at 13:56 +0200, Eugen Leitl wrote:
> > http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
> Wow! These slides say that they discovered a way to find collisions
> in SHA-1 at a cost of only 2^52 computations. If this turns out to
> be right (and the authors are respected cryptographers -- the kind of
> people who really hate to be wrong about something like this) then it
> is very exciting!
I cannot derive a realistic threat model from the very general
statements in the slides.
In the case of, for example, the Debian organization, which uses SHA-1
keys to check in code so that it's always clear with a distributed
network of developers who made what changes, what threats must they
now guard against and what corrective measures ought they to take?
Can a third-party attacker now forge someone's signature and check in
code containing a backdoor under someone else's key? Such code could
be loaded on a "poisoned" server, downloaded, and executed on millions
of target machines with devastating effect and no way to catch the
attacker.
Can a rogue developer now construct a valid code vector B, having
the same signature as some of his own (other) code A, thus bypassing
the signature check and inserting a backdoor? The scenario is the
same with a "poisoned" server but, once detected, the attacker would
be identifiable.
Is it the case that a constructed hash collision between A and B
can be done by a third party but would be highly unlikely to contain
any executable or sensible code at all? In this case the threat
is serious, but mainly limited to vandalism rather than exploits.
Is it the case that a constructed hash collision between A and B
can only be done by the developer of both A and B, but would be
highly unlikely to contain any executable or sensible code at all?
In this case the threat is very minor, because the identity of the
"vandal" would be instantly apparent.
Bear
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
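An added example, not part of the thread or of any Debian tooling, that makes the distinction behind Bear's questions concrete. A signature scheme commits only to the digest of a document, so if two documents share a digest, a signature produced on one verifies on the other. It also separates the two scenarios Bear asks about: a rogue developer who controls both A and B needs a collision, found here by a birthday search that costs about 2^(n/2) trials, while a third party trying to match someone else's already-signed A needs a second preimage, which costs about 2^n trials. Everything here is constructed: SHA-256 truncated to 24 bits stands in for a weakened hash so the search finishes instantly, an HMAC with an assumed key stands in for an RSA/DSA signature, and the code snippets are toy documents. The last check shows the defender's mitigation, verifying under a full-width hash, under which the colliding pair no longer verifies.

```python
"""Constructed demo: why a hash collision defeats a signature that commits
only to the digest, and why a collision (attacker picks both A and B) is far
cheaper than a second preimage (A is fixed by someone else)."""
import hashlib
import hmac

TOY_BITS = 24                   # toy digest width; birthday search costs ~2^12 trials
TOY_BYTES = TOY_BITS // 8


def toy_hash(data: bytes) -> bytes:
    """Stand-in for a weakened hash: SHA-256 truncated to TOY_BITS."""
    return hashlib.sha256(data).digest()[:TOY_BYTES]


def full_hash(data: bytes) -> bytes:
    """The full-width hash a verifier would switch to (mitigation)."""
    return hashlib.sha256(data).digest()


def sign(key: bytes, data: bytes, hash_fn=toy_hash) -> bytes:
    """Toy signature: a MAC over the digest only, mirroring real schemes that
    sign H(m) rather than m.  HMAC stands in for RSA/DSA; the key is assumed."""
    return hmac.new(key, hash_fn(data), "sha256").digest()


def verify(key: bytes, data: bytes, sig: bytes, hash_fn=toy_hash) -> bool:
    return hmac.compare_digest(sign(key, data, hash_fn), sig)


def candidate(prefix: bytes, i: int) -> bytes:
    """Deterministic i-th variant of a document: the fixed text plus a counter
    in a region the author controls (constructed 'build-id' comment)."""
    return prefix + b"\n# build-id: " + i.to_bytes(4, "big") + b"\n"


def birthday_collision(prefix: bytes):
    """Scenario: one party controls both documents.  Remember every digest
    seen and stop at the first repeat.  Expected cost ~2^(TOY_BITS/2)."""
    seen = {}
    for i in range(2 ** TOY_BITS + 1):      # pigeonhole guarantees a repeat by then
        doc = candidate(prefix, i)
        h = toy_hash(doc)
        if h in seen:
            return seen[h], doc, i + 1      # (A, B, trials used)
        seen[h] = doc
    raise AssertionError("unreachable: more inputs than digests")


def second_preimage(target: bytes, prefix: bytes, budget: int):
    """Scenario: a third party must match one fixed digest it did not choose.
    Expected cost ~2^TOY_BITS, so a budget near 2^(TOY_BITS/2) almost always fails."""
    want = toy_hash(target)
    for i in range(budget):
        doc = candidate(prefix, i)
        if doc != target and toy_hash(doc) == want:
            return doc, i + 1
    return None, budget


def demo() -> dict:
    key = b"signer-private-key-(assumed)"
    a, b, trials = birthday_collision(b"def install():\n    return 'ok'")
    sig_a = sign(key, a)                    # signer only ever approved A
    forged, spent = second_preimage(a, b"def install():\n    return 'changed'",
                                    budget=2 ** (TOY_BITS // 2))
    return {
        "collision_trials": trials,
        "a_equals_b": a == b,
        "toy_digests_equal": toy_hash(a) == toy_hash(b),
        "sig_on_a_verifies_b": verify(key, b, sig_a),          # forgery under toy hash
        "sig_on_a_verifies_b_full": verify(key, b, sign(key, a, full_hash), full_hash),
        "second_preimage_found": forged is not None,
        "second_preimage_trials": spent,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it directly to see the collision found in a few thousand trials, the toy-hash signature on A accepted for B, the same pair rejected once the verifier hashes with the full digest, and the bounded second-preimage search almost always exhausting its budget. The ratio between the two searches is the practical content of the slides' 2^52 figure: it is a collision cost, which bears on a signer who can choose both documents, not on forging a signature over a document someone else already published.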