[Cryptography] Just in case it isn't obvious...

Ron Garret ron at flownet.com
Fri Feb 24 20:27:52 EST 2017


I am going to make a rather obvious observation about the recent SHA1 collision, but I thought it would be worthwhile making it just in case there were people lurking on this list for whom it is not obvious.

Notwithstanding that there is a site that lets you generate “arbitrary” SHA1 collisions (https://alf.nu/SHA1) there is really only one SHA1 collision currently known.  It consists of a pair of sequences of exactly 320 bytes.  They look like this:

➔ hexdump s1
0000000: 2550 4446 2d31 2e33 0a25 e2e3 cfd3 0a0a  %PDF-1.3.%......
0000010: 0a31 2030 206f 626a 0a3c 3c2f 5769 6474  .1 0 obj.<</Widt
0000020: 6820 3220 3020 522f 4865 6967 6874 2033  h 2 0 R/Height 3
0000030: 2030 2052 2f54 7970 6520 3420 3020 522f   0 R/Type 4 0 R/
0000040: 5375 6274 7970 6520 3520 3020 522f 4669  Subtype 5 0 R/Fi
0000050: 6c74 6572 2036 2030 2052 2f43 6f6c 6f72  lter 6 0 R/Color
0000060: 5370 6163 6520 3720 3020 522f 4c65 6e67  Space 7 0 R/Leng
0000070: 7468 2038 2030 2052 2f42 6974 7350 6572  th 8 0 R/BitsPer
0000080: 436f 6d70 6f6e 656e 7420 383e 3e0a 7374  Component 8>>.st
0000090: 7265 616d 0aff d8ff fe00 2453 4841 2d31  ream......$SHA-1
00000a0: 2069 7320 6465 6164 2121 2121 2185 2fec   is dead!!!!!./.
00000b0: 0923 3975 9c39 b1a1 c63c 4c97 e1ff fe01  .#9u.9...<L.....
00000c0: 7346 dc91 66b6 7e11 8f02 9ab6 21b2 560f  sF..f.~.....!.V.
00000d0: f9ca 67cc a8c7 f85b a84c 7903 0c2b 3de2  ..g....[.Ly..+=.
00000e0: 18f8 6db3 a909 01d5 df45 c14f 26fe dfb3  ..m......E.O&...
00000f0: dc38 e96a c22f e7bd 728f 0e45 bce0 46d2  .8.j./..r..E..F.
0000100: 3c57 0feb 1413 98bb 552e f5a0 a82b e331  <W......U....+.1
0000110: fea4 8037 b8b5 d71f 0e33 2edf 93ac 3500  ...7.....3....5.
0000120: eb4d dc0d ecc1 a864 790c 782c 7621 5660  .M.....dy.x,v!V`
0000130: dd30 9791 d06b d0af 3f98 cda4 bc46 29b1  .0...k..?....F).

➔ hexdump s2
0000000: 2550 4446 2d31 2e33 0a25 e2e3 cfd3 0a0a  %PDF-1.3.%......
0000010: 0a31 2030 206f 626a 0a3c 3c2f 5769 6474  .1 0 obj.<</Widt
0000020: 6820 3220 3020 522f 4865 6967 6874 2033  h 2 0 R/Height 3
0000030: 2030 2052 2f54 7970 6520 3420 3020 522f   0 R/Type 4 0 R/
0000040: 5375 6274 7970 6520 3520 3020 522f 4669  Subtype 5 0 R/Fi
0000050: 6c74 6572 2036 2030 2052 2f43 6f6c 6f72  lter 6 0 R/Color
0000060: 5370 6163 6520 3720 3020 522f 4c65 6e67  Space 7 0 R/Leng
0000070: 7468 2038 2030 2052 2f42 6974 7350 6572  th 8 0 R/BitsPer
0000080: 436f 6d70 6f6e 656e 7420 383e 3e0a 7374  Component 8>>.st
0000090: 7265 616d 0aff d8ff fe00 2453 4841 2d31  ream......$SHA-1
00000a0: 2069 7320 6465 6164 2121 2121 2185 2fec   is dead!!!!!./.
00000b0: 0923 3975 9c39 b1a1 c63c 4c97 e1ff fe01  .#9u.9...<L.....
00000c0: 7f46 dc93 a6b6 7e01 3b02 9aaa 1db2 560b  .F....~.;.....V.
00000d0: 45ca 67d6 88c7 f84b 8c4c 791f e02b 3df6  E.g....K.Ly..+=.
00000e0: 14f8 6db1 6909 01c5 6b45 c153 0afe dfb7  ..m.i...kE.S....
00000f0: 6038 e972 722f e7ad 728f 0e49 04e0 46c2  `8.rr/..r..I..F.
0000100: 3057 0fe9 d413 98ab e12e f5bc 942b e335  0W...........+.5
0000110: 42a4 802d 98b5 d70f 2a33 2ec3 7fac 3514  B..-....*3....5.
0000120: e74d dc0f 2cc1 a874 cd0c 7830 5a21 5664  .M..,..t..x0Z!Vd
0000130: 6130 9789 606b d0bf 3f98 cda8 0446 29a1  a0..`k..?....F).

➔ shasum s1
f92d74e3874587aaf443d1db961d4e26dde13e9c  s1

➔ shasum s2
f92d74e3874587aaf443d1db961d4e26dde13e9c  s2

You can append any data you like at the end of these sequences and the result will be a “new” collision.  The fact that this colliding “prefix” happens to look like the beginning of a PDF file lets you make arbitrary colliding PDF files, but not arbitrary colliding files of any other kind.  And even the PDFs are not really arbitrary.  In order to be “interesting” (i.e. to look different when they are rendered) they must have content formatted in a very particular way.  Google did this deliberately to make the announcement more dramatic, but it’s really just a stunt.  They could just as well have generated a collision that looked like meaningless data.  This is how the first MD5 collision was generated (http://www.mscs.dal.ca/~selinger/md5collision/).  But of course that does not have the same emotional impact.

So the actual threat here at the moment is not very big.  This collision is the canary in the coal mine.  The canary has died.  The air is still breathable for the time being, but it’s probably a good idea to start making your way to the emergency exits (SHA512, SHA3, Blake) in an orderly fashion.  The MD5 collision link above includes a program that lets you generate *arbitrary* MD5 collisions on a laptop in a couple of hours.  It is only a matter of time before that is possible for SHA1.

There is one immediate threat: colliding files can screw up SCM repositories.  This has already happened in one prominent case:

https://arstechnica.com/security/2017/02/watershed-sha1-collision-just-broke-the-webkit-repository-others-may-follow/

There is an easy short-term mitigation for this: before computing the hash of any object longer than 319 bytes, compute the hash of the first 320 bytes and check if it is f92d74e3874587aaf443d1db961d4e26dde13e9c .  If it is, throw an error.  But of course that will only work until the next SHA1 collision is found.
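As an added example (not part of the message), here is that short-term check in Python, built from the two 320-byte prefixes in the hexdumps and the shasum value quoted above; it also shows the earlier point that appending the same suffix to both keeps the collision, and that a different hash still tells the two apart. The function names are my own.

```python
import hashlib

# The two 320-byte colliding prefixes, transcribed from the hexdumps in the message.
# The first 192 bytes are identical; only the last two 64-byte blocks differ.
_COMMON = bytes.fromhex(
    "255044462d312e330a25e2e3cfd30a0a0a312030206f626a0a3c3c2f57696474"
    "682032203020522f4865696768742033203020522f547970652034203020522f"
    "537562747970652035203020522f46696c7465722036203020522f436f6c6f72"
    "53706163652037203020522f4c656e6774682038203020522f42697473506572"
    "436f6d706f6e656e7420383e3e0a73747265616d0affd8fffe00245348412d31"
    "20697320646561642121212121852fec092339759c39b1a1c63c4c97e1fffe01"
)
S1 = _COMMON + bytes.fromhex(
    "7346dc9166b67e118f029ab621b2560ff9ca67cca8c7f85ba84c79030c2b3de2"
    "18f86db3a90901d5df45c14f26fedfb3dc38e96ac22fe7bd728f0e45bce046d2"
    "3c570feb141398bb552ef5a0a82be331fea48037b8b5d71f0e332edf93ac3500"
    "eb4ddc0decc1a864790c782c76215660dd309791d06bd0af3f98cda4bc4629b1"
)
S2 = _COMMON + bytes.fromhex(
    "7f46dc93a6b67e013b029aaa1db2560b45ca67d688c7f84b8c4c791fe02b3df6"
    "14f86db1690901c56b45c1530afedfb76038e972722fe7ad728f0e4904e046c2"
    "30570fe9d41398abe12ef5bc942be33542a4802d98b5d70f2a332ec37fac3514"
    "e74ddc0f2cc1a874cd0c78305a21566461309789606bd0bf3f98cda8044629a1"
)

# SHA-1 of both prefixes, as shown by the shasum output in the message.
KNOWN_COLLISION_PREFIX_SHA1 = "f92d74e3874587aaf443d1db961d4e26dde13e9c"


def rejects_known_collision(obj: bytes) -> bool:
    """The short-term mitigation from the message: for any object longer than
    319 bytes, hash its first 320 bytes and refuse it if the digest is the
    known colliding value.  Returns True when the object should be rejected."""
    if len(obj) <= 319:
        return False
    return hashlib.sha1(obj[:320]).hexdigest() == KNOWN_COLLISION_PREFIX_SHA1


def same_sha1_after_suffix(suffix: bytes) -> bool:
    """True when S1+suffix and S2+suffix still collide.  The prefixes are exactly
    five 64-byte blocks, so SHA-1's chaining state is identical after either one
    and any common suffix extends the collision (Merkle-Damgard construction)."""
    return hashlib.sha1(S1 + suffix).digest() == hashlib.sha1(S2 + suffix).digest()


def distinguished_by_sha256(suffix: bytes) -> bool:
    """A hash the collision does not apply to still tells the two files apart."""
    return hashlib.sha256(S1 + suffix).digest() != hashlib.sha256(S2 + suffix).digest()
```

As the message notes, this only catches this one known prefix; a repository that wants to keep accepting SHA-1 objects needs a new entry for every future collision, which is why the exits are the better plan.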

rg
