[Cryptography] SHA-1 collision could also allow ePassport forgery

Jerry Leichter leichter at lrw.com
Mon Feb 27 13:22:44 EST 2017


> Some countries (and not the smallest ones) still used RSA-SHA1 signatures for their document signing certificates as late as 2010.
> 
> As passports and those certificates are usually valid 10 years this means that if they are not revoked it is possible until 2020 to create forged passports capable of passing automated security gates....
The current attack does not permit creating forgeries of pre-existing documents.  It allows one to create pairs that have the same hash - but you create the *pair*, not a new document to match an existing one.

That's *right now* this is not a direct threat.  That's not to say a more powerful attack might not come along before 2020....
                                                        -- Jerry



More information about the cryptography mailing list