On Thu, 2009-04-30 at 13:56 +0200, Eugen Leitl wrote:

> > http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
>
> Wow! These slides say that they discovered a way to find collisions
> in SHA-1 at a cost of only 2^52 computations. If this turns out to
> be right (and the authors are respected cryptographers -- the kind of
> people who really hate to be wrong about something like this) then it
> is very exciting!

I cannot derive a realistic threat model from the very general statements in the slides.

In the case of, for example, the Debian organization, which uses SHA-1 keys to check in code so that it's always clear with a distributed network of developers who made what changes, what threats must they now guard against and what corrective measures ought they take?

Can a third-party attacker now forge someone's signature and check in code containing a backdoor under someone else's key? Such code could be loaded on a "poisoned" server, downloaded, and executed on millions of target machines with devastating effect and no way to catch the attacker.

Can a rogue developer now construct a valid code vector B, having the same signature as some of his own (other) code A, thus bypassing the signature check and inserting a backdoor? The scenario is the same with a "poisoned" server but, once detected, the attacker would be identifiable.

Is it the case that a constructed hash collision between A and B can be done by a third party but would be highly unlikely to contain any executable or sensible code at all? In this case the threat is serious, but mainly limited to vandalism rather than exploits.

Is it the case that a constructed hash collision between A and B can only be done by the developer of both A and B, but would be highly unlikely to contain any executable or sensible code at all? In this case the threat is very minor, because the identity of the "vandal" would be instantly apparent.

Bear

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
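Added example, not part of Bear's post or of the thread: a toy that separates the two scenarios Bear asks about. A developer who controls both A and B needs only a birthday search for a collision, while a third party who must match someone else's existing object faces a second-preimage search; SHA-1 is truncated to `bits` bits so both finish quickly, and the commit-like records, the `commit_blob` helper and its `# build-id` comment field are constructed for illustration.

```python
"""Toy illustration of why a collision attack (attacker chooses both A and B)
is far cheaper than a second-preimage attack (attacker must match a fixed A).
SHA-1 is truncated to a few bits so both searches finish in seconds; the
commit-like blobs are constructed sample data, not real repository objects."""
import hashlib
from typing import Optional, Tuple


def commit_blob(message: str, nonce: int) -> bytes:
    """Constructed commit-like record; the nonce lives in a trailing comment
    so every variant is still a sensible, well-formed record."""
    return (
        b"tree 0000000000000000000000000000000000000000\n"
        b"author Developer <dev@example.invalid>\n\n"
        + message.encode() + b"\n# build-id " + str(nonce).encode() + b"\n"
    )


def truncated_sha1(data: bytes, bits: int) -> int:
    """SHA-1 reduced to its top `bits` bits: a stand-in for a weakened hash."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)


def find_collision(message: str, bits: int) -> Tuple[bytes, bytes, int]:
    """Birthday search: an attacker who controls both inputs remembers every
    hash seen and stops at the first repeat (about 2**(bits/2) trials)."""
    seen = {}
    nonce = 0
    while True:
        blob = commit_blob(message, nonce)
        h = truncated_sha1(blob, bits)
        if h in seen:
            return seen[h], blob, nonce + 1
        seen[h] = blob
        nonce += 1


def find_second_preimage(target: bytes, message: str, bits: int,
                         max_trials: int) -> Optional[Tuple[bytes, int]]:
    """Brute force: a third party must hit one fixed hash, so each trial
    succeeds with probability 2**-bits (about 2**bits trials expected)."""
    goal = truncated_sha1(target, bits)
    for nonce in range(max_trials):
        blob = commit_blob(message, nonce)
        if blob != target and truncated_sha1(blob, bits) == goal:
            return blob, nonce + 1
    return None
```

The collision search scales as roughly 2^(bits/2) trials and the second-preimage search as 2^bits; the 2^52 figure in the slides concerns only the first kind of attack, which is why the two "rogue developer" and "third party" questions above have different answers.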