[tahoe-dev] SHA-1 broken! (was: Request for hash-dependency in Tahoe security.)

Ray Dillinger bear at sonic.net
Fri May 1 20:29:29 EDT 2009


On Thu, 2009-04-30 at 13:56 +0200, Eugen Leitl wrote:

> > http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf

> Wow!  These slides say that they discovered a way to find collisions  
> in SHA-1 at a cost of only 2^52 computations.  If this turns out to  
> be right (and the authors are respected cryptographers -- the kind of  
> people who really hate to be wrong about something like this) then it  
> is very exciting! 

I cannot derive a realistic threat model from the very general
statements in the slides. 

In the case of, for example, the Debian organization, which uses SHA-1 
keys to check in code so that it's always clear with a distributed 
network of developers who made what changes, what threats must they 
now guard against and what corrective measures ought they take?

Can a third-party attacker now forge someone's signature and check in 
code containing a backdoor under someone else's key?  Such code could 
be loaded on a "poisoned" server, downloaded, and executed on millions
of target machines with devastating effect and no way to catch the 
attacker.

Can a rogue developer now construct a valid code vector B, having 
the same signature as some of his own (other) code A, thus bypassing
the signature check and inserting a backdoor?  The scenario is the 
same with a "poisoned" server but, once detected, the attacker would 
be identifiable.

Is it the case that a constructed hash collision between A and B 
can be done by a third party but would be highly unlikely to contain 
any executable or sensible code at all?  In this case the threat 
is serious, but mainly limited to vandalism rather than exploits.

Is it the case that a constructed hash collision between A and B 
can only be done by the developer of both A and B, but would be 
highly unlikely to contain any executable or sensible code at all?  
In this case the threat is very minor, because the identity of the 
"vandal" would be instantly apparent.

				Bear
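The questions above turn on whether the result is a collision attack (the attacker chooses both A and B) or a second-preimage attack (A is already fixed and signed by someone else). The following is an added Python illustration, not part of the original message or thread; toy_hash (SHA-1 truncated to 16 bits), the nonce scheme and the digest-only "signature" are constructed stand-ins so that both attack costs can be measured in a fraction of a second.

```python
import hashlib
import os

def toy_hash(data: bytes) -> bytes:
    # SHA-1 truncated to 16 bits: a constructed stand-in for a hash whose
    # collision resistance has failed, so the two attack costs are measurable.
    return hashlib.sha1(data).digest()[:2]

def signature_over(message: bytes) -> bytes:
    # A real signature is computed over H(message), so Sign(sk, H(m)) verifies
    # for every m' with H(m') == H(m). The key adds nothing to that point and
    # is omitted from this stand-in.
    return toy_hash(message)

def verifies(message: bytes, sig: bytes) -> bool:
    return toy_hash(message) == sig

def find_collision(prefix: bytes):
    # Rogue-developer case: the attacker chooses BOTH A and B. Birthday search,
    # expected about sqrt(pi/2 * 2^16) ~ 320 trials for a 16-bit digest.
    seen = {}
    trials = 0
    while True:
        trials += 1
        msg = prefix + b" nonce=" + os.urandom(8).hex().encode()
        h = toy_hash(msg)
        if h in seen and seen[h] != msg:
            return seen[h], msg, trials
        seen[h] = msg

def find_second_preimage(signed_message: bytes):
    # Third-party forgery case: A is fixed by its honest author, so the attacker
    # must hit one specific digest. Expected ~2^16 trials, about 200x more.
    target = toy_hash(signed_message)
    trials = 0
    while True:
        trials += 1
        cand = b"B nonce=" + os.urandom(8).hex().encode()
        if cand != signed_message and toy_hash(cand) == target:
            return cand, trials

def compare_costs(runs: int = 5):
    # Average trial counts for each attack model: (collision, second_preimage).
    c = sum(find_collision(b"A")[2] for _ in range(runs)) / runs
    p = sum(find_second_preimage(b"A signed by honest dev")[1] for _ in range(runs)) / runs
    return c, p

if __name__ == "__main__":
    a, b, n = find_collision(b"A")
    sig = signature_over(a)        # the signer signs A ...
    print(verifies(b, sig), n)     # ... and the same signature verifies on B
    print(compare_costs())
```

The gap between the two averages is what separates the "rogue developer" scenario (collision, now cheaper) from the "third party forges an existing signature" scenario (second preimage, which the slides do not claim).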

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com