[dns-operations] SHA-1 chosen-prefix collisions

Tony Finch dot at dotat.at
Fri Jan 10 02:04:09 UTC 2020


Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> A chosen-prefix attack is a powerful tool, a message with metadata P and
> payload S can now have the same digest as a message with completely
> different, chosen by the attacker metadata P' and payload S' (though
> ultimately the combined message lengths need to be the same).

There are some really nice diagrams of the overall shape of these attacks
on the page about the MD5 rogue CA chosen prefix collision
https://www.win.tue.nl/hashclash/rogue-ca/

especially the second diagram in section 3.5
https://www.win.tue.nl/hashclash/rogue-ca/images/diffIV.png

> So the present attack requires a suffix of ~640 rather than ~200 bytes.

Oh, that might make it a bit harder. This is shown in figure 7 in the
SHAmbles paper?

> Perhaps it is possible to split the suffix over multiple RRs,

Very tricky. I get the impression from table 1 in the SHAttered paper
http://shattered.io/static/shattered.pdf and figure 6 in the SHAmbles
paper https://eprint.iacr.org/2020/014.pdf that the constraints on the
collision blocks are too dense to overlay on parts of a message with
significant syntax. (Unless maybe you are Ange Albertini.)

> or at least over multiple (sub)strings in a single TXT RR.

More plausible, if the length bytes in the TXT RDATA of the two
colliding messages can be made to add up to the same total. (They don't
have to coincide...)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Irish Sea: Northwest 4 to 6, backing south 6 to gale 8, perhaps severe gale 9
later. Slight or moderate, becoming rough or very rough. Occasional rain
later. Good, occasionally moderate.
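
An added illustration, not part of the original message, of the TXT RDATA layout the last reply refers to. Per RFC 1035, TXT RDATA is a sequence of character-strings, each a length octet followed by at most 255 octets, so two RDATA values can have the same total length while their length octets sit at different offsets. The sample values and the 640-octet total (taken from the "~640" figure quoted above) are constructed for the example.

```python
MAX_STRING = 255  # one length octet cannot describe more than 255 octets


def build_txt_rdata(strings):
    """Encode character-strings as TXT RDATA: length octet, then the data."""
    out = bytearray()
    for s in strings:
        if len(s) > MAX_STRING:
            raise ValueError("character-string longer than 255 octets")
        out.append(len(s))
        out += s
    return bytes(out)


def parse_txt_rdata(rdata):
    """Return [(offset_of_length_octet, data), ...]; reject malformed RDATA."""
    if not rdata:
        raise ValueError("TXT RDATA needs at least one character-string")
    result, pos = [], 0
    while pos < len(rdata):
        end = pos + 1 + rdata[pos]
        if end > len(rdata):
            raise ValueError(f"character-string at offset {pos} overruns RDATA")
        result.append((pos, rdata[pos + 1:end]))
        pos = end
    return result


def length_octet_offsets(rdata):
    """Offsets within the RDATA that are length octets rather than payload."""
    return [offset for offset, _ in parse_txt_rdata(rdata)]


# Constructed sample data: two different splits, both 640 octets of RDATA.
# 640 octets cannot fit in fewer than three character-strings.
RDATA_A = build_txt_rdata([b"a" * 200, b"a" * 255, b"a" * 182])
RDATA_B = build_txt_rdata([b"b" * 255, b"b" * 127, b"b" * 255])

if __name__ == "__main__":
    for name, rdata in (("A", RDATA_A), ("B", RDATA_B)):
        print(name, len(rdata), length_octet_offsets(rdata))
```

Both values parse as well-formed TXT RDATA of equal length, yet the length octets fall at offsets 0, 201, 457 in one and 0, 256, 384 in the other.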


