[Cryptography] TPM and SHA-1

Perry E. Metzger perry at piermont.com
Fri Mar 3 09:23:14 EST 2017


On Thu, 2 Mar 2017 00:28:33 +0000 Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Perry E. Metzger <perry at piermont.com> writes:
> 
> >TPM 1.2 specified SHA-1, but I noted in some documentation that
> >TPM 2.0 seems to still have SHA-1 in addition to SHA-256 as an
> >accepted algorithm. Is this the case? Does this mean that breaks
> >to SHA-1 potentially can be used against TPM 2.0 as well?  
> 
> You're asking the wrong question.  It's not "will a SHA-1 break
> affect TPM 2.0" it's "will the current break affect TPM version
> anything?" (no), and "will a more standard collision attack affect
> TPM version anything?", which is a bit more complex.  The most
> common use of TPMs is just key storage (BitLocker etc), for which
> SHA-1 problems are irrelevant.  Then there's attestation, which
> is... how lost in the noise floor is usage of that?

I don't know how far down in the noise floor it is. I'm curious about
whether it breaks anything, regardless.

> I'm assuming someone must be using it for something, but is it used
> anywhere where it's worth attacking?

No idea, but I've heard people talking about and presenting papers on
TPM even in the last year, so I remain curious.

> And given the way SHA-1 is used for attestation, is there a feasible
> attack?

Again, that's why I asked. :)


Perry
-- 
Perry E. Metzger		perry at piermont.com

