Avoid recipient-compatibility SHA1

Stefan Claas spam.trap.mailing.lists at gmail.com
Wed Nov 18 15:20:00 CET 2020


On Wed, Nov 18, 2020 at 2:30 PM Stefan Claas
<spam.trap.mailing.lists at gmail.com> wrote:
>
> On Tue, Nov 17, 2020 at 11:11 PM Ernst G Giessmann via Gnupg-users
> <gnupg-users at gnupg.org> wrote:
> >
> > The answer to the second question is:
> >
> > A SHA-1 collision of two documents D1 and D2 means that the hash values
> > Hash(D1) and Hash(D2) are equal, which in turn means that (regardless
> > who signs) any signature of D1 (be it OpenPGP or SMIME) can also be used
> > as a signature of D2. Any signer and any key, if used with SHA-1!
> >
> > So if you got a harmless document D to sign, you must be sure that there
> > is no evil twin of it. This is usually the case if you are the author of
> > D, because the construction of an evil twin remains hard. But it is easy
> > to construct docs with the same hash value.
> >
> > /Ernst.
>
> Thanks for your reply! So if I check the SHA1 checksums
> from https://gnupg.org/download/integrity_check.html
> and Alice checks from another evil site the same files then we
> could have a problem with tools like openssl or the shasum tool.

evil mirror with 'same' files ...

> But, sorry to ask again.
>
> I'd like to give an example.
>
> Mallory has managed to listen to the clear text communications from
> Alice and Bob's online devices. Alice and Bob always use GnuPG
> to digitally sign their messages.

prior to encrypting.

> Mallory is *not* in possession of the private keys from Alice and Bob.
> Mallory has created a document which causes a collision and was
> signed with his own key.
>
> He sends this message to Alice. What does Alice see when she
> does a gpg --verify? I mean she should see, regardless if the
> message has a collision or not, that the message was digitally
> signed by Mallory's private key and not by Bob's private key.

The one thing I could currently see is if Alice would make a public
statement on her web site, for example, digitally signed by her
with SHA1 and that Mallory would upload a collided document
with a (completely) different content.

So the question for me would be if a collision could be crafted,
let's say for an important business contract etc., if the different
content of a document would make the same sense, like the one
from the original document.

Regards
Stefan
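
Added example, not part of the original message: a toy hash-then-sign model of the two points discussed in this thread (a signature covers only the digest, and a collision does not change whose key made the signature). It assumes SHA-1 truncated to 16 bits as the weak hash and HMAC-SHA256 as a stand-in for the public-key signature; the keys and document texts are constructed.

```python
import hashlib
import hmac
from itertools import count

# Constructed keys; HMAC is only a stand-in for a real private-key operation.
MALLORY_KEY = b"constructed-key-mallory"
BOB_KEY = b"constructed-key-bob"

def toy_hash(doc: bytes) -> bytes:
    """SHA-1 truncated to 16 bits (assumption: models a collision-weak hash)."""
    return hashlib.sha1(doc).digest()[:2]

def sign(key: bytes, doc: bytes) -> bytes:
    """Hash-then-sign: only toy_hash(doc) enters the signature."""
    return hmac.new(key, toy_hash(doc), hashlib.sha256).digest()

def verify(key: bytes, doc: bytes, sig: bytes) -> bool:
    """Recompute the signature over the document's digest and compare."""
    return hmac.compare_digest(sign(key, doc), sig)

def find_twins(text_a: bytes, text_b: bytes) -> tuple:
    """Birthday search: vary a counter suffix on both texts until digests match."""
    seen_a, seen_b = {}, {}
    for i in count():
        a = text_a + b" ref:%d" % i
        b = text_b + b" ref:%d" % i
        seen_a.setdefault(toy_hash(a), a)
        seen_b.setdefault(toy_hash(b), b)
        if toy_hash(a) in seen_b:
            return a, seen_b[toy_hash(a)]
        if toy_hash(b) in seen_a:
            return seen_a[toy_hash(b)], b

def demo() -> dict:
    # Two texts with different meaning but the same (toy) digest.
    d1, d2 = find_twins(b"Pay Bob 10 EUR.", b"Pay Bob 10000 EUR.")
    sig = sign(MALLORY_KEY, d1)  # signature made over d1 only
    return {
        "distinct": d1 != d2,
        "sig_covers_d1": verify(MALLORY_KEY, d1, sig),
        "sig_covers_d2": verify(MALLORY_KEY, d2, sig),  # transfers to the twin
        "looks_like_bob": verify(BOB_KEY, d2, sig),     # signer identity unchanged
    }

if __name__ == "__main__":
    print(demo())
```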


