Fwd: RE: SHA1 collision found

Marina Brown catskillmarina at gmail.com
Thu Feb 23 19:18:50 PST 2017


On 02/23/2017 04:09 PM, Mirimir wrote:
> FYI
> 
> -------- Forwarded Message --------
> Subject: RE: SHA1 collision found
> Date: Thu, 23 Feb 2017 15:00:05 -0500
> From: Robert J. Hansen <rjh at sixdemonbag.org>
> To: gnupg-users at gnupg.org
> 
> (I originally sent this off-list by mistake.  Peter was kind enough to
> respond off-list and to suggest we take it back on-list.  This email is
> a distillation of three different emails: my original, Peter's response,
> and a response to Peter.)
> 
> =====
> 
>> I already answered that here[1]. The use of SHA-1 in fingerprints is 
>> not susceptible to a collision attack, so it's still safe. SHA-1 in 
>> fingerprints is only susceptible to a second-preimage attack which is 
>> much harder than a collision attack and unheard of for SHA-1.
> 
> To which I said, "Create two keys with the same fingerprint.  Sign a
> contract with one, then renege on the deal.  When you get called into
> court, say 'I never signed that, Your Honor!' and present the second
> key.  This collision pretty much shatters the nonrepudiability of SHA-1
> signatures."
> 
> To which Peter quite reasonably answered that the other person has a
> copy of the public key which was used to sign the document originally.
> Why should the fraudster's denial be believed?
> 
> The answer is that to enforce a contract (at least here in the United
> States) you must be able to prove, based on a preponderance of the
> evidence, that the other person entered into a contract with you.  So
> imagine this conversation:
> 
> PLAINTIFF: "Your Honor, the defendant reneged on a $10,000 contract.
> Make him pay up."
> DEFENDANT: "I never signed anything, Your Honor."
> PLAINTIFF: "I have his key, it's right here."
> DEFENDANT: "That's not my key.  This is my key."
> PLAINTIFF: "Of course that's what he claims!  They have the same SHA-1
> fingerprint!  He did that in order to deny his signature!"
> JUDGE: "So these keys are uniquely identified by the fingerprint?"
> (both parties agree)
> JUDGE: "And you have two keys that are identified by the same fingerprint?"
> (both parties agree)
> JUDGE: "And there's no way to tell which key is real?"
> (both parties agree)
> JUDGE: "Then we're stuck.  There's no reason to prefer one key over
> another.  Plaintiff, you have failed your burden of proof in
> establishing the defendant signed the contract."
> 
> Now, you could establish proof some other way: let's say you made a
> videotape of the defendant signing the document.  If you could introduce
> other supporting evidence (which might include other signatures on keys)
> you might be able to convince the judge the signature is enforceable.
> But there's nothing intrinsic to the signature itself which could
> convince the judge.
> 
> So Peter is completely right to say "but there's no reason to believe
> one person over the other."  Completely, absolutely right.  But the
> person asking the court to enforce a contract must present a reason to
> believe them over the defendant.
> 
> I hope this clarifies my answer!
> 
> (Peter also rightly remarked that he thought nonrepudiability in OpenPGP
> was kind of iffy anyway.  He and I are in complete agreement on this.
> OpenPGP has always had very iffy nonrepudiability.  With this SHA-1
> attack, I feel the threshold has been crossed and we need to consider it
> repudiable.)
> 
> 

What does it take to create 2 keys with the same SHA-1 sum? My limited
imagination thinks it would take a long time or a huge amount of
processing power.

--- Marina
