Fwd: [friam] Fwd: [Cryptography] Practical SHA-1 collisions
16 views
Skip to first unread message
Mark S. Miller
Feb 24, 2017, 1:44:59 AM2/24/17
to e-l...@googlegroups.com, cap-...@googlegroups.com, Bill Frantz
Bill writes "Note that E's VatTP uses SHA1."
VatTP, and therefore its use by CapTP and distributed-E, should no longer be considered secure.
---------- Forwarded message ----------
From: Bill Frantz <fra...@pwpconsult.com>
Date: Thu, Feb 23, 2017 at 8:57 PM
Subject: [friam] Fwd: [Cryptography] Practical SHA-1 collisions
To: Design <fr...@googlegroups.com>
====== Forwarded Message ======
Date: 2/23/17 8:52 AM
Received: 2/23/17 8:53 AM -0500
From: pe...@piermont.com (Perry E. Metzger)
To: crypto...@metzdowd.com
Quoting: "It is now practically possible to craft two colliding PDF
files and obtain a SHA-1 digital signature on the first PDF file which
can also be abused as a valid signature on the second PDF file."
http://shattered.io
Perry
====== End Forwarded Message ======
Note that E's VatTP uses SHA1.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | Re: Hardware Management Modes: | Periwinkle
(408)356-8506 | If there's a mode, there's a | 16345 Englewood Ave
www.pwpconsult.com | failure mode. - Jerry Leichter | Los Gatos, CA 95032
--
You received this message because you are subscribed to the Google Groups "friam" group.
To unsubscribe from this group and stop receiving emails from it, send an email to friam+unsubscribe@googlegroups.com.
To post to this group, send email to fr...@googlegroups.com.
Visit this group at https://groups.google.com/group/friam.
For more options, visit https://groups.google.com/d/optout.
From: Bill Frantz <fra...@pwpconsult.com>
Date: Thu, Feb 23, 2017 at 8:57 PM
Subject: [friam] Fwd: [Cryptography] Practical SHA-1 collisions
To: Design <fr...@googlegroups.com>
====== Forwarded Message ======
Date: 2/23/17 8:52 AM
Received: 2/23/17 8:53 AM -0500
From: pe...@piermont.com (Perry E. Metzger)
To: crypto...@metzdowd.com
Quoting: "It is now practically possible to craft two colliding PDF
files and obtain a SHA-1 digital signature on the first PDF file which
can also be abused as a valid signature on the second PDF file."
http://shattered.io
Perry
====== End Forwarded Message ======
Note that E's VatTP uses SHA1.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | Re: Hardware Management Modes: | Periwinkle
(408)356-8506 | If there's a mode, there's a | 16345 Englewood Ave
www.pwpconsult.com | failure mode. - Jerry Leichter | Los Gatos, CA 95032
--
You received this message because you are subscribed to the Google Groups "friam" group.
To unsubscribe from this group and stop receiving emails from it, send an email to friam+unsubscribe@googlegroups.com.
To post to this group, send email to fr...@googlegroups.com.
Visit this group at https://groups.google.com/group/friam.
For more options, visit https://groups.google.com/d/optout.
Cheers,
--MarkM
--MarkM
Dan Connolly
Feb 24, 2017, 8:17:41 AM2/24/17
to cap-...@googlegroups.com, Bill Frantz, e-l...@googlegroups.com
Do you mean that you have not considered VaTP secure for some time? Or that this new info convinces you that it's not secure?
Also, do you mean that there's some sort of line, with secure protocols on one side and insecure on the other? Surely security is a matter of degree. Very few things are secure against an attacker willing to spend 100 gpu-years to forge a message.
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+unsubscribe@googlegroups.com.
To post to this group, send email to cap-...@googlegroups.com.
Visit this group at https://groups.google.com/group/cap-talk.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CABHxS9jjiU1uf_ns19%2BEcqJ6QUpj_RRiToOX%2B7N7sHvBZtL63w%40mail.gmail.com.
Mark Miller
Feb 24, 2017, 2:41:15 PM2/24/17
to cap-...@googlegroups.com, Bill Frantz, e-l...@googlegroups.com
On Fri, Feb 24, 2017 at 5:17 AM, Dan Connolly <dc...@madmode.com> wrote:
Do you mean that you have not considered VaTP secure for some time? Or that this new info convinces you that it's not secure?
The new info.
Also, do you mean that there's some sort of line, with secure protocols on one side and insecure on the other? Surely security is a matter of degree. Very few things are secure against an attacker willing to spend 100 gpu-years to forge a message.
An imperfect analogy first:
In hardware logic, is there some sort of line, with zero on one side and one on the other? It is a matter of degree, but...
The transistor's S-curve relationship amplifying the gate signal into the response signal is smooth. It is very low on almost all of one side, very high on almost all of the other, and in a grey area for only a narrow band in the middle. This is good enough for us to successfully use it to approximate a digital logic gate, by making it extremely unlikely to be caught in the grey area.
A good crypto system has an exponential work factor curve. Linearly greater work in normal operation, such as by increasing key length, should be able to impose exponentially greater costs on attack, such as cryptanalysis. OTOH, computation, including cryptanalysis, gets exponentially cheaper over time, and may continue to do so until we approach physical limits. Or it may not -- even though we have stayed on the Moore's law exponential cost curve since long before Moore (see Moravec), there's still no good reason that it should be predictive. But let's assume so for the moment -- at least for computation that cannot be vastly sped up by quantum. The hash collision problem itself should be immune to much quantum speedup.
So how much linear costs should normal use pay to impose how great a cost on attack? Well, it depends on how long a time window it wants to safely open between use today and compromise tomorrow, and on where the physical limits are. But, IMO, once attack has been demonstrated to be physically possible at any cost that anyone is willing to pay, even as a one-off demonstration, then the window is already too narrow.
> Very few things are secure against an attacker willing to spend 100 gpu-years to forge a message.
Once anyone can pay for 100 gpu years today, how long till this cost becomes a cheap commodity for personal devices? Of current best-practice crypto, which are and which are not secure against this?
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAD2YivbQ2fsvd3S-F7Z8fe7WeG1K%3Dq8FGFz5t0v7LkY2dOS8NQ%40mail.gmail.com.
Cheers,
--MarkM
--MarkM
Ian Denhardt
Feb 24, 2017, 3:26:52 PM2/24/17
to Mark Miller, cap-...@googlegroups.com, Bill Frantz, e-l...@googlegroups.com
Quoting Mark Miller (2017-02-24 14:40:54)
> The new info.
The new info isn't really an earth-shattering revelation; SHA-1 has been
a very rickety bridge for some time. NIST deprecated it 6 years ago, and
folks had done the math re: how much compute it would take to find a
collision with known techniques. We knew this was coming.
I haven't looked closely enough at how the protocol uses SHA-1 to know
how devastating or not a collision attack would be. For anyone using it,
there should be efforts to move to a safer hash. But that's been true
for a while.
Unfortunately, ignoring warning signs and waiting until a crypto
protocol snaps in two is all too common.
-Ian
> The new info.
The new info isn't really an earth-shattering revelation; SHA-1 has been
a very rickety bridge for some time. NIST deprecated it 6 years ago, and
folks had done the math re: how much compute it would take to find a
collision with known techniques. We knew this was coming.
I haven't looked closely enough at how the protocol uses SHA-1 to know
how devastating or not a collision attack would be. For anyone using it,
there should be efforts to move to a safer hash. But that's been true
for a while.
Unfortunately, ignoring warning signs and waiting until a crypto
protocol snaps in two is all too common.
-Ian
Mark Miller
Feb 24, 2017, 3:38:14 PM2/24/17
to Ian Denhardt, cap-...@googlegroups.com, Bill Frantz, e-l...@googlegroups.com, Kenton Varda
I agree. We should have issued this message about VatTP once SHA-1's weaknesses were clear enough.
I doubt anyone will invest effort in fixing VatTP itself. Rather, I expect (and recommend!) uses that would use VatTP/CapTP/Pluribus to instead move to actively maintained successors like Cap'n Proto.
--
Cheers,
--MarkM
--MarkM
Bill Frantz
Feb 26, 2017, 12:26:02 PM2/26/17
to Ian Denhardt, Mark Miller, cap-...@googlegroups.com, e-l...@googlegroups.com
On 2/24/17 at 12:30 PM, i...@zenhack.net (Ian Denhardt) wrote:
>I haven't looked closely enough at how the protocol uses SHA-1 to know
>how devastating or not a collision attack would be. For anyone using it,
>there should be efforts to move to a safer hash. But that's been true
>for a while.
If someone wishes to fix VatTP, replacing 3DES and changing the
>I haven't looked closely enough at how the protocol uses SHA-1 to know
>how devastating or not a collision attack would be. For anyone using it,
>there should be efforts to move to a safer hash. But that's been true
>for a while.
hash function in the HMAC should be quite straight forward
(compared with moving to a maintained protocol). Going to AES
and SHA256 may even result in a performance improvement.
Protocol version negotiation is implemented, so an update should
choose a new version number. The path of least resistance is to
no longer support the current protocol, which makes upgrade of
existing applications a reboot the world experience, but
prevents protocol downgrade attacks.
Cheers - Bill
--------------------------------------------------------------
Bill Frantz | There are now so many exceptions to the
408-356-8506 | Fourth Amendment that it operates only by
www.pwpconsult.com | accident. - William Hugh Murray
Mark Miller
Feb 27, 2017, 1:14:53 PM2/27/17
to Kenton Varda, Ian Denhardt, cap-...@googlegroups.com, Bill Frantz, e-l...@googlegroups.com
Could you say more about how you currently layer on TLS and what the security implications are? Do you use self-signed with the Y property? Or do you use the PKI names? Something else?
On Mon, Feb 27, 2017 at 10:09 AM, Kenton Varda <ken...@sandstorm.io> wrote:
Note that Cap'n Proto at present doesn't specify any encryption, thus vacuously avoids using any broken crypto. (We suggest layering it on top of TLS for the time being.)Someday I hope to specify an official Cap'n Proto crypto transport based on the Noise protocol framework and choosing ChaCha20, Poly1305, BLAKE2, and X25519 as primitives. The goal in choosing something other than TLS would be to achieve zero-round-trip 3-party handoff via a pre-shared key provided by the introducer.-Kenton
Cheers,
--MarkM
--MarkM
Bill Frantz
Feb 28, 2017, 8:16:26 PM2/28/17
to Kenton Varda, Mark Miller, Ian Denhardt, cap-...@googlegroups.com, e-l...@googlegroups.com
E's VatTP uses SHA1 in a HMAC message authentication code
construction. HMAC has been specifically designed to protect
against collisions in the underlying hash function. As such,
VatTP is probably still secure, as the connection would timeout
before a man-in-the-middle attacker could forge the
authentication code.
On the other hand, it is time to move to the exit and use better algorithms.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | Airline peanut bag: "Produced | Periwinkle
(408)356-8506 | in a facility that processes | 16345
Englewood Ave
www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos,
CA 95032
construction. HMAC has been specifically designed to protect
against collisions in the underlying hash function. As such,
VatTP is probably still secure, as the connection would timeout
before a man-in-the-middle attacker could forge the
authentication code.
On the other hand, it is time to move to the exit and use better algorithms.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | Airline peanut bag: "Produced | Periwinkle
(408)356-8506 | in a facility that processes | 16345
Englewood Ave
www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos,
CA 95032
Reply all
Reply to author
Forward
0 new messages