Avoid recipient-compatibility SHA1

Ernst G Giessmann giessman at informatik.hu-berlin.de
Wed Nov 18 15:58:18 CET 2020 

Am 2020-11-18 um 14:30 schrieb Stefan Claas:
> On Tue, Nov 17, 2020 at 11:11 PM Ernst G Giessmann via Gnupg-users
> <gnupg-users at gnupg.org> wrote:
>> The answer to the second question is:
>>
>> A SHA-1 collision of two documents D1 and D2 means that the hash values
>> Hash(D1) and Hash(D2) are equal, which in turn means that (regardless
>> who signs) any signature of D1 (be it OpenPGP or SMIME) can also be used
>> as a signature of D2. Any signer and any key, if used with SHA-1!
>>
>> So if you got a harmless document D to sign, you must be sure that there
>> is no evil twin of it. This is usually the case if you are the author of
>> D, because the construction of an evil twin remains hard. But it is easy
>> to construct docs with the same hash value.
>>
>> /Ernst.
> Thanks for your reply! So if I check the SHA1 checksums
> from https://gnupg.org/download/integrity_check.html
> and Alice checks from another evil site the same files then we
> could have a problem with tools like openssl or the shasum tool.
No, here you will have no problem, because we all trust gnupg.org ;-)
They will never create two different packages with a SHA-1 collision.

The problem shows up, if Mallory creates two documents D1 and D2 being a 
SHA-1 collision.
D1 says that Alice will owe Bob 10 Euros, D2 says the Bob will owe Alice 
1000 Euros.

Anybody who signs D1 will sign at the same time also D2.  Now I come 
back to your example.
> But, sorry to ask again.
>
> I like to give an Example.
>
> Mallory has managed to listen to the clear text communications from
> Alice and Bob's online devices. Alice and Bob always use GnuPG
> to digitally sign their messages.
Fine. Unfortunally Alice accepts SHA-1 signed messages and Bob creates 
signatures based on SHA-1
> Mallory is *not* in possession of the private keys from Alice and Bob.
> Mallory has created a document which causes a collision and was
> signed with his own key.
No, Mallory does not sign the document, instead he sends D1 to Bob and 
asks him for his signature.
Bob is happy because he gets 10 Euros for free from Alice and 
immediately signs the document D1.
Mallory replaces D1 by D2, leaving the signature untouched.
> He sends this message to Alice. What does Alice see when she
> does a gpg --verify? I mean she should see, regardless if the
> message has a collision or not, that the message was digitally
> signed by Mallory's private key and not by Bob's private key.
Alice will see a signed by Bob document D2 with a valid signature (due 
to the fact that SHA1(D1)=SHA1(D2)), where Bob confirms, that he owes 
Alice money.
That Bob signs another document could be proven by showing the other 
document D1, but which document, D1 or D2, was actually signed remains 
nevertheless open. In this particular case, it seems very unlikely that 
Bob had signed D2, but it would have been even better if he had not used 
SHA-1 at all. And SHA-2(D1) is certainly different from SHA-2(D2).

/Ernst.

I suspect, that Mallory and Alice were in fact the same person ;-)

More information about the Gnupg-users mailing list