SHA1 broken?

Jason Harris jharris at
Thu Feb 17 22:05:56 CET 2005

On Thu, Feb 17, 2005 at 08:16:56AM +0100, Werner Koch wrote:
> On Wed, 16 Feb 2005 15:05:07 -0500, Jason Harris said:
> > The key creation time can be varied at will, and, I presume, v4 RSA
> That's true.  However as long as we don't know how to calculate such a
> block (and I just guessed that it is similar to the MD5 attack - which
> is not necessarily true) we don't know whether 4 bytes at a fixed offset
> are sufficient.
> > key material can be too, a la v3 "vanity" keyids.  But, is duplicating
> No, they are not vulnerable like v3 keyids.

If RSA key material can be successfully manipulated to produce a
desired result in a v3 key, why can't it also be manipulated in
a v4 key?  Granted, the desired result is a SHA-1 collision, but
being able to modify key material opens up most of a v4 pubkey
packet to manipulation.

> > While two v4 keys with the same fingerprint could "steal" userid
> > certifications made by others, any signatures produced by the
> > colliding keys, including selfsigs on their userids, can _not_
> They would harm the WoT or any other method of checking the identity
> of a key because you usually compare the fingerprints out of band.

Of course.  However, if the key creation time, type, and number of
bits are checked, they may be found to be different among keys with
identical fingerprints.  If not, we will have to "pgpdump -i" them
to detect changes in the key material.  Either way, each key with a
colliding fingerprint can be placed in a keyring individually and
used to check signatures purportedly from the key.  If any of the
key material - not just timestamps - varies among the keys, one
should be able to isolate the key that actually made the valid
signature (or, if you prefer, makes the signature valid).

Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at _|_ web:
          Got photons?   (TM), (C) 2004
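An added example, not code from this thread or from GnuPG: it builds the v4 public-key packet body that the SHA-1 fingerprint covers (version, 4-byte creation time, algorithm, MPIs, hashed under a 0x99 prefix and 2-byte length, as in RFC 2440/4880) and then performs the creation-time/type/bit-size comparison Jason suggests for two keys that claim the same fingerprint. The modulus and timestamp are constructed sample values, not a real key.

```python
import hashlib
import struct

RSA_ALGO = 1  # OpenPGP public-key algorithm id for RSA

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit length, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes(max(1, (bits + 7) // 8), "big")

def v4_pubkey_body(created: int, algo: int, mpis) -> bytes:
    """Body of a v4 public-key packet: version 4, 4-octet creation time, algorithm, MPIs."""
    return b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)

def v4_fingerprint(body: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, the two-octet body length, and the body itself."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def v4_keyid(body: bytes) -> str:
    """The 64-bit key ID is the low-order 8 octets of the v4 fingerprint."""
    return v4_fingerprint(body)[-16:]

def key_metadata(body: bytes) -> dict:
    """Fields a verifier can compare before trusting a fingerprint match: version,
    creation time, algorithm, and the bit length of the first MPI (the RSA modulus)."""
    created, algo, bits = struct.unpack(">xIBH", body[:8])
    return {"version": body[0], "created": created, "algo": algo, "bits": bits}

def metadata_differs(body_a: bytes, body_b: bytes) -> list:
    """Names of the metadata fields that differ between two keys; empty means the keys
    are indistinguishable by metadata and the key material itself must be compared."""
    a, b = key_metadata(body_a), key_metadata(body_b)
    return [k for k in a if a[k] != b[k]]

# Constructed sample values (not a real key): a 256-bit odd modulus and e = 65537.
N_CONSTRUCTED = 0xC2F1A6D34B5E8F019A7C3D2E1F0B6A5513579BDF2468ACE10F1E2D3C4B5A6979
E = 65537
CREATED = 1108677956  # constructed Unix timestamp

KEY_A = v4_pubkey_body(CREATED, RSA_ALGO, [N_CONSTRUCTED, E])
KEY_B = v4_pubkey_body(CREATED + 1, RSA_ALGO, [N_CONSTRUCTED, E])  # same material, later timestamp

if __name__ == "__main__":
    for name, key in (("A", KEY_A), ("B", KEY_B)):
        print(name, v4_fingerprint(key), v4_keyid(key), key_metadata(key))
    print("differing metadata:", metadata_differs(KEY_A, KEY_B))
```

Changing only the creation time changes every bit of the fingerprint, which is why a forged collision would have to absorb the difference somewhere in the hashed bytes; the metadata check only helps when the colliding key differs in one of those visible fields.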