Fwd: RE: SHA1 collision found
Marina Brown
catskillmarina at gmail.com
Thu Feb 23 19:18:50 PST 2017
On 02/23/2017 04:09 PM, Mirimir wrote:
> FYI
>
> -------- Forwarded Message --------
> Subject: RE: SHA1 collision found
> Date: Thu, 23 Feb 2017 15:00:05 -0500
> From: Robert J. Hansen <rjh at sixdemonbag.org>
> To: gnupg-users at gnupg.org
>
> (I originally sent this off-list by mistake. Peter was kind enough to
> respond off-list and to suggest we take it back on-list. This email is
> a distillation of three different emails: my original, Peter's response,
> and a response to Peter.)
>
> =====
>
>> I already answered that here[1]. The use of SHA-1 in fingerprints is
>> not susceptible to a collision attack, so it's still safe. SHA-1 in
>> fingerprints is only susceptible to a second-preimage attack which is
>> much harder than a collision attack and unheard of for SHA-1.
>
> To which I said, "Create two keys with the same fingerprint. Sign a
> contract with one, then renege on the deal. When you get called into
> court, say "I never signed that, Your Honor!" and present the second
> key. This collision pretty much shatters the nonrepudiability of SHA-1
> signatures."
>
> To which Peter quite reasonably answered that the other person has a
> copy of the public key which was used to sign the document originally.
> Why should the fraudster's denial be believed?
>
> The answer is that to enforce a contract (at least here in the United
> States) you must be able to prove, based on a preponderance of the
> evidence, that the other person entered into a contract with you. So
> imagine this conversation:
>
> PLAINTIFF: "Your Honor, the defendant reneged on a $10,000 contract.
> Make him pay up."
> DEFENDANT: "I never signed anything, Your Honor."
> PLAINTIFF: "I have his key, it's right here."
> DEFENDANT: "That's not my key. This is my key."
> PLAINTIFF: "Of course that's what he claims! They have the same SHA-1
> fingerprint! He did that in order to deny his signature!"
> JUDGE: "So these keys are uniquely identified by the fingerprint?"
> (both parties agree)
> JUDGE: "And you have two keys that are identified by the same fingerprint?"
> (both parties agree)
> JUDGE: "And there's no way to tell which key is real?"
> (both parties agree)
> JUDGE: "Then we're stuck. There's no reason to prefer one key over
> another. Plaintiff, you have failed your burden of proof in
> establishing the defendant signed the contract."
>
> Now, you could establish proof some other way: let's say you made a
> videotape of the defendant signing the document. If you could introduce
> other supporting evidence (which might include other signatures on keys)
> you might be able to convince the judge the signature is enforceable.
> But there's nothing intrinsic to the signature itself which could
> convince the judge.
>
> So Peter is completely right to say "but there's no reason to believe
> one person over the other." Completely, absolutely right. But the
> person asking the court to enforce a contract must present a reason to
> believe them over the defendant.
>
> I hope this clarifies my answer!
>
> (Peter also rightly remarked that he thought nonrepudiability in OpenPGP
> was kind of iffy anyway. He and I are in complete agreement on this.
> OpenPGP has always had very iffy nonrepudiability. With this SHA-1
> attack, I feel the threshold has been crossed and we need to consider it
> repudiable.)
>
>
What does it take to create 2 keys with the same SHA-1 sum? My limited
imagination thinks it would take a long time or a huge amount of
processing power.
--- Marina