Fwd: [friam] Fwd: [Cryptography] Practical SHA-1 collisions


Mark S. Miller

Feb 24, 2017, 1:44:59 AM
to e-l...@googlegroups.com, cap-...@googlegroups.com, Bill Frantz
Bill writes "Note that E's VatTP uses SHA1."

VatTP, and therefore its use by CapTP and distributed-E, should no longer be considered secure.



---------- Forwarded message ----------
From: Bill Frantz <fra...@pwpconsult.com>
Date: Thu, Feb 23, 2017 at 8:57 PM
Subject: [friam] Fwd: [Cryptography] Practical SHA-1 collisions
To: Design <fr...@googlegroups.com>


====== Forwarded Message ======
Date: 2/23/17 8:52 AM
Received: 2/23/17 8:53 AM -0500
From: pe...@piermont.com (Perry E. Metzger)
To: crypto...@metzdowd.com

Quoting: "It is now practically possible to craft two colliding PDF
files and obtain a SHA-1 digital signature on the first PDF file which
can also be abused as a valid signature on the second PDF file."

http://shattered.io

Perry

====== End Forwarded Message ======

Note that E's VatTP uses SHA1.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | Re: Hardware Management Modes: | Periwinkle
(408)356-8506      | If there's a mode, there's a   | 16345 Englewood Ave
www.pwpconsult.com | failure mode. - Jerry Leichter | Los Gatos, CA 95032

--
You received this message because you are subscribed to the Google Groups "friam" group.
To unsubscribe from this group and stop receiving emails from it, send an email to friam+unsubscribe@googlegroups.com.
To post to this group, send email to fr...@googlegroups.com.
Visit this group at https://groups.google.com/group/friam.
For more options, visit https://groups.google.com/d/optout.



--
    Cheers,
    --MarkM

Dan Connolly

Feb 24, 2017, 8:17:41 AM
to cap-...@googlegroups.com, Bill Frantz, e-l...@googlegroups.com
Do you mean that you have not considered VatTP secure for some time? Or that this new info convinces you that it's not secure?

Also, do you mean that there's some sort of line, with secure protocols on one side and insecure on the other? Surely security is a matter of degree. Very few things are secure against an attacker willing to spend 100 gpu-years to forge a message.

--
Dan Connolly
http://www.madmode.com


Mark Miller

Feb 24, 2017, 2:41:15 PM
to cap-...@googlegroups.com, Bill Frantz, e-l...@googlegroups.com
On Fri, Feb 24, 2017 at 5:17 AM, Dan Connolly <dc...@madmode.com> wrote:
> Do you mean that you have not considered VatTP secure for some time? Or that this new info convinces you that it's not secure?

The new info.


> Also, do you mean that there's some sort of line, with secure protocols on one side and insecure on the other? Surely security is a matter of degree. Very few things are secure against an attacker willing to spend 100 gpu-years to forge a message.

An imperfect analogy first:

In hardware logic, is there some sort of line, with zero on one side and one on the other? It is a matter of degree, but...

The transistor's S-curve relationship amplifying the gate signal into the response signal is smooth. It is very low on almost all of one side, very high on almost all of the other, and in a grey area for only a narrow band in the middle. This is good enough for us to successfully use it to approximate a digital logic gate, by making it extremely unlikely to be caught in the grey area.

A good crypto system has an exponential work factor curve. Linearly greater work in normal operation, such as by increasing key length, should be able to impose exponentially greater costs on attack, such as cryptanalysis. OTOH, computation, including cryptanalysis, gets exponentially cheaper over time, and may continue to do so until we approach physical limits. Or it may not -- even though we have stayed on the Moore's law exponential cost curve since long before Moore (see Moravec), there's still no good reason that it should be predictive. But let's assume so for the moment -- at least for computation that cannot be vastly sped up by quantum. The hash collision problem itself should be immune to much quantum speedup.

So how much linear costs should normal use pay to impose how great a cost on attack? Well, it depends on how long a time window it wants to safely open between use today and compromise tomorrow, and on where the physical limits are. But, IMO, once attack has been demonstrated to be physically possible at any cost that anyone is willing to pay, even as a one-off demonstration, then the window is already too narrow.

>  Very few things are secure against an attacker willing to spend 100 gpu-years to forge a message.

Once anyone can pay for 100 gpu years today, how long till this cost becomes a cheap commodity for personal devices? Of current best-practice crypto, which are and which are not secure against this?





--
  Cheers,
  --MarkM
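Mark's work-factor argument above, worked through numerically in an added example (this is not code from the thread, nor from E, VatTP or Cap'n Proto): the birthday bound puts a generic collision on an n-bit digest at roughly 2^(n/2) hash evaluations, so lengthening the digest linearly multiplies attack work exponentially; and if computation keeps getting cheaper at a steady halving rate, a one-off cost paid today reaches a given budget after a computable number of years, which is the "window" between use today and compromise tomorrow. The 100 GPU-years figure comes from the thread; the 1.5-year halving period, the 1 GPU-year "commodity" budget, and the attacker capacity used in the summary are assumptions chosen for illustration, and the model covers only generic attacks (a cryptanalytic shortcut lowers the effective bit count you feed in).

```python
import math


def generic_collision_work_bits(digest_bits: int) -> float:
    """Birthday bound: a generic (brute-force) collision on an n-bit hash
    costs about 2**(n/2) hash evaluations. Returned as a log2 value."""
    if digest_bits <= 0:
        raise ValueError("digest length must be positive")
    return digest_bits / 2.0


def collision_work_growth(from_bits: int, to_bits: int) -> float:
    """Factor by which generic collision work grows when the digest is
    lengthened from `from_bits` to `to_bits`: the defender pays a linear
    cost (a longer digest), the attacker an exponential one."""
    return 2.0 ** (generic_collision_work_bits(to_bits)
                   - generic_collision_work_bits(from_bits))


def years_until_affordable(cost_today: float, budget: float,
                           halving_years: float) -> float:
    """Years until a computation costing `cost_today` (any unit, e.g.
    GPU-years) falls to `budget`, assuming cost halves every
    `halving_years` (an assumed Moore's-law-style rate, not a prediction)."""
    if cost_today <= 0 or budget <= 0 or halving_years <= 0:
        raise ValueError("all inputs must be positive")
    if cost_today <= budget:
        return 0.0
    return halving_years * math.log2(cost_today / budget)


def safety_window_years(effective_collision_bits: float,
                        attacker_log2_ops_today: float,
                        halving_years: float) -> float:
    """Years before an attacker who can afford 2**attacker_log2_ops_today
    hash evaluations today can afford 2**effective_collision_bits, under
    the same assumed halving rate. `effective_collision_bits` is n/2 for a
    generic attack; use a smaller value when cryptanalysis cuts the cost."""
    if halving_years <= 0:
        raise ValueError("halving period must be positive")
    margin = effective_collision_bits - attacker_log2_ops_today
    return max(0.0, halving_years * margin)


def summary(halving_years: float = 1.5,
            demonstrated_cost_gpu_years: float = 100.0,
            commodity_budget_gpu_years: float = 1.0,
            attacker_log2_ops_today: float = 64.0) -> dict:
    """Collect the illustrative numbers in one place (all parameters other
    than the 100 GPU-years figure are assumptions for this example)."""
    return {
        "growth_160_to_256": collision_work_growth(160, 256),
        "years_until_commodity": years_until_affordable(
            demonstrated_cost_gpu_years, commodity_budget_gpu_years,
            halving_years),
        "window_160_bit_generic": safety_window_years(
            generic_collision_work_bits(160), attacker_log2_ops_today,
            halving_years),
        "window_256_bit_generic": safety_window_years(
            generic_collision_work_bits(256), attacker_log2_ops_today,
            halving_years),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value:g}")
```

The point the numbers make is Mark's: once a one-off attack is affordable to anyone, `years_until_affordable` is small under any plausible halving rate, while `safety_window_years` shows how much margin a longer digest buys for the same linear cost to normal operation.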

Mark Miller

Feb 24, 2017, 3:38:14 PM
to Ian Denhardt, cap-...@googlegroups.com, Bill Frantz, e-l...@googlegroups.com, Kenton Varda
I agree. We should have issued this message about VatTP once SHA-1's weaknesses were clear enough.

I doubt anyone will invest effort in fixing VatTP itself. Rather, I expect (and recommend!) uses that would use VatTP/CapTP/Pluribus to instead move to actively maintained successors like Cap'n Proto.


On Fri, Feb 24, 2017 at 12:30 PM, Ian Denhardt <i...@zenhack.net> wrote:
Quoting Mark Miller (2017-02-24 14:40:54)

>    The new info.

The new info isn't really an earth-shattering revelation; SHA-1 has been
a very rickety bridge for some time. NIST deprecated it 6 years ago, and
folks had done the math re: how much compute it would take to find a
collision with known techniques. We knew this was coming.

I haven't looked closely enough at how the protocol uses SHA-1 to know
how devastating or not a collision attack would be. For anyone using it,
there should be efforts to move to a safer hash. But that's been true
for a while.

Unfortunately, ignoring warning signs and waiting until a crypto
protocol snaps in two is all too common.

-Ian



--
  Cheers,
  --MarkM

Corbin Simpson

Feb 26, 2017, 10:45:10 PM
to e-l...@googlegroups.com
Apropos of this, I've started figuring out how to do Capn for Monte. I didn't want to say anything until I had a working demo, but I figured I should mention it now.




--
When the facts change, I change my mind. What do you do, sir? ~ Keynes

Corbin Simpson
<MostAwe...@gmail.com>

Mark Miller

Feb 27, 2017, 1:14:53 PM
to Kenton Varda, Ian Denhardt, cap-...@googlegroups.com, Bill Frantz, e-l...@googlegroups.com
Could you say more about how you currently layer on TLS and what the security implications are? Do you use self-signed with the Y property? Or do you use the PKI names? Something else?





On Mon, Feb 27, 2017 at 10:09 AM, Kenton Varda <ken...@sandstorm.io> wrote:
Note that Cap'n Proto at present doesn't specify any encryption, thus vacuously avoids using any broken crypto. (We suggest layering it on top of TLS for the time being.)

Someday I hope to specify an official Cap'n Proto crypto transport based on the Noise protocol framework and choosing ChaCha20, Poly1305, BLAKE2, and X25519 as primitives. The goal in choosing something other than TLS would be to achieve zero-round-trip 3-party handoff via a pre-shared key provided by the introducer.

-Kenton

On Fri, Feb 24, 2017 at 12:37 PM, Mark Miller <eri...@gmail.com> wrote:




--
  Cheers,
  --MarkM