> We note that classical collisions and chosen-prefix collisions do not threaten all usages of SHA-1. In particular, HMAC-SHA-1 seems relatively safe, and preimage resistance (aka ability to invert the hash function) of SHA-1 remains unbroken as of today.
Nice to see this bit of intellectual honesty. Would be even nicer if they had explained what that means in terms of PGP keys.
It means if someone you want to impersonate uses the Web Of Trust, i.e. their key is signed by other people whose keys have been signed the same way, you can generate a GPG key for which all of these signatures are still valid.
For example, if an attacker gains access to a victim email account, they could send to their contacts a "trusted" key (as explained above) and then use it to send signed documents to the victim's contacts.
This would defeat an adversary "paranoid" enough to check a key signature, but not paranoid enough to obtain a clear explanation/confirmation of why the key changed...
> This would defeat an adversary "paranoid" enough to check a key signature, but not paranoid enough to obtain a clear explanation/confirmation of why the key changed...
Thereby turning the signal intelligence problem into a human intelligence problem.
> It means if someone you want to impersonate uses the Web Of Trust, i.e. their key is signed by other people whose keys have been signed the same way, you can generate a GPG key for which all of these signatures are still valid.
I'm not really knowledgeable about the implementation details of GPG. Mind explaining how this follows?
> It means if someone you want to impersonate uses the Web Of Trust, i.e. their key is signed by other people whose keys have been signed the same way, you can generate a GPG key for which all of these signatures are still valid.
No...
> For example, if an attacker gains access to a victim email account, they could send to their contacts a "trusted" key (as explained above) and then use it to send signed documents to the victim's contacts.
Ok... But in this scenario the attacker has the victim’s new private key, so they don’t need to create a collision (using OP). They can just use the new private key to sign the documents. Right?
This allows you to take two messages and append some data to both of them which causes the modified versions to have the same SHA-1 hash - but you need to modify both messages, and in order to use this in an attack you need to set up a scenario where the SHA-1 hash of one of your modified messages is trusted for some purpose. Creating a message with the same hash as another, existing message requires a second-preimage attack which is much harder and not feasible for any cryptographic hash that's currently in use.
HMACs do not require collision resistance from the underlying hash to provide secure message authentication. HMAC-MD5 is still considered "secure", although that doesn't mean you should use it.