Am 2020-11-18 um 14:30 schrieb Stefan Claas:
On Tue, Nov 17, 2020 at 11:11 PM Ernst G Giessmann via Gnupg-users
<gnupg-users@gnupg.org> wrote:
The answer to the second question is:
A SHA-1 collision of two documents D1 and D2 means that the hash values
Hash(D1) and Hash(D2) are equal, which in turn means that (regardless
who signs) any signature of D1 (be it OpenPGP or SMIME) can also be used
as a signature of D2. Any signer and any key, if used with SHA-1!
So if you got a harmless document D to sign, you must be sure that there
is no evil twin of it. This is usually the case if you are the author of
D, because the construction of an evil twin remains hard. But it is easy
to construct docs with the same hash value.
/Ernst.
Thanks for your reply! So if I check the SHA1 checksums
from https://gnupg.org/download/integrity_check.html
and Alice checks from another evil site the same files then we
could have a problem with tools like openssl or the shasum tool.
No, here you will have no problem, because we all trust gnupg.org ;-)
They will never create two different packages with a SHA-1 collision.
The problem shows up, if Mallory creates two documents D1 and D2 being a
SHA-1 collision.
D1 says that Alice will owe Bob 10 Euros, D2 says the Bob will owe Alice
1000 Euros.
Anybody who signs D1 will sign at the same time also D2. Now I come
back to your example.
But, sorry to ask again.
I like to give an Example.
Mallory has managed to listen to the clear text communications from
Alice and Bob's online devices. Alice and Bob always use GnuPG
to digitally sign their messages.
Fine. Unfortunally Alice accepts SHA-1 signed messages and Bob creates
signatures based on SHA-1
Mallory is *not* in possession of the private keys from Alice and Bob.
Mallory has created a document which causes a collision and was
signed with his own key.
No, Mallory does not sign the document, instead he sends D1 to Bob and
asks him for his signature.
Bob is happy because he gets 10 Euros for free from Alice and
immediately signs the document D1.
Mallory replaces D1 by D2, leaving the signature untouched.
He sends this message to Alice. What does Alice see when she
does a gpg --verify? I mean she should see, regardless if the
message has a collision or not, that the message was digitally
signed by Mallory's private key and not by Bob's private key.
Alice will see a signed by Bob document D2 with a valid signature (due
to the fact that SHA1(D1)=SHA1(D2)), where Bob confirms, that he owes
Alice money.
That Bob signs another document could be proven by showing the other
document D1, but which document, D1 or D2, was actually signed remains
nevertheless open. In this particular case, it seems very unlikely that
Bob had signed D2, but it would have been even better if he had not used
SHA-1 at all. And SHA-2(D1) is certainly different from SHA-2(D2).
/Ernst.
I suspect, that Mallory and Alice were in fact the same person ;-)
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
