SHA1 collision found

Ingo Klöcker kloecker at kde.org
Fri Feb 24 11:47:35 CET 2017


On Thursday 23 February 2017 23:38:36 Leo Gaspard wrote:
> On 02/23/2017 09:00 PM, Robert J. Hansen wrote:
> > [...]
> > 
> > To which I said, "Create two keys with the same fingerprint.  Sign a
> > contract with one, then renege on the deal.  When you get called
> > into court, say "I never signed that, Your Honor!" and present the
> > second key.  This collision pretty much shatters the
> > nonrepudiability of SHA-1 signatures."
> > 
> > To which Peter quite reasonably answered that the other person has a
> > copy of the public key which was used to sign the document
> > originally.  Why should the fraudster's denial be believed?
> > 
> > The answer is that to enforce a contract (at least here in the
> > United States) you must be able to prove, based on a preponderance
> > of the evidence, that the other person entered into a contract with
> > you.  So imagine this conversation:
> > 
> > PLAINTIFF: "Your Honor, the defendant reneged on a $10,000 contract.
> >  Make him pay up." DEFENDANT: "I never signed anything, Your
> > Honor."
> > PLAINTIFF: "I have his key, it's right here."
> > DEFENDANT: "That's not my key.  This is my key."
> > PLAINTIFF: "Of course that's what he claims!  They have the same
> > SHA-1 fingerprint!  He did that in order to deny his signature!"
> > JUDGE: "So these keys are uniquely identified by the fingerprint?"
> > (both parties agree)
> > JUDGE: "And you have two keys that are identified by the same
> > fingerprint?" (both parties agree)
> > JUDGE: "And there's no way to tell which key is real?"
> > (both parties agree)
> > JUDGE: "Then we're stuck.  There's no reason to prefer one key over
> > another.  Plaintiff, you have failed your burden of proof in
> > establishing the defendant signed the contract."
> I'd like to respectfully disagree on this point. SHA1 is currently
> vulnerable only to collision attacks, which means that in order to
> have two keys with the same fingerprint they both have to be created
> by the same person (up to a random collision). Thus the defendant.
> And this is enough to prove that he did sign the contract with the
> key he claims he doesn't own.
> 
> Is there any flaw in this logic?

The second key the defendant created won't have his name as user id. 
Moreover, after creating this second key he will have disposed of the 
private key (and after uploading the public key to a keyserver probably 
also of the public key), so that there's no proof that he was ever in 
possession of this key.


Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20170224/8deebc13/attachment.sig>


More information about the Gnupg-users mailing list