I'm with Warren: I don't see how the chosen-prefix collision affects DNSSEC.
On Jan 8, 2020, at 12:18 PM, Viktor Dukhovni <[email protected]> wrote:
>
> On Wed, Jan 08, 2020 at 02:53:42PM -0500, Warren Kumari wrote:
>
>> Can someone please explain to me in baby words how the SHA-1 issue affects
>> DNSSEC? [...] but SHA-1 is still 2nd-preimage resistant - given the hash
>> a94a8fe5ccb19ba61c4c0873d391e987982fbbd3, it is infeasible to find another
>> message which hashes to this.
>
> That's still true, but the attack leverages chosen-prefix collisions against
> signatures, in which the tail of the data signed is controlled by an attacker.
> Not 2nd pre-image attacks on a hash of a trusted message.
>
>> So, I *could* see an attacker being able to make 2 records or keys
>> which have the same hash -- but, meh, that's not actually useful to
>> them.
>
> Well, there's your mistake, because with "chosen-prefix" attacks, the second
> RRset being signed need not have the same owner or type, thus a weird TXT
> RRset for a benign owner may SHA-1 hash to the same value as an attacker
> selected DNSKEY RRset for the zone (that includes a KSK matching the DS
> RR, but also keys controlled by the attacker).

True, but irrelevant. An attacker can create a DNSKEY RRset for something they don't control already today.

>
>> eg: The DS for dns-oarc.net is: 20899 8 1
>> 6714FF6879371C5DC19BB0389F9D497520448A2E - an attacker cannot make a
>> new key which hashes to this.
>
> Yes, that's why I decided to follow up on Mukund's post. Digest type
> 1 (SHA-1) in DS RRs is mostly harmless, though again not recommended.
>
>> They could in theory make 2 DNSKEYs
>> which have the same hash (although, because of the format of DNSKEYs I
>> don't think they can do this in practice),
>
> No, they could do much worse, they could make a TXT RRset, that
> secretly matches a DNSKEY RRset (at least for a given signature
> period, the collision will break once the RRset is resigned with
> a different inception/expiration interval).

A DNSKEY RR is only useful if there is a matching DS in the parent zone that matches the DNSKEY. In your scenario, that would require a preimage attack.

--Paul Hoffman
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
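
The DS-to-DNSKEY comparison that the DS example and the closing point in this message rely on, as an added example (not code from any poster in this thread): a validator recomputes the digest over the owner name plus the DNSKEY RDATA and compares it with the DS, and the same records show whether SHA-1 sits in the DS digest type or in the signing algorithm. The owner name and key bytes are constructed, and the function names are illustrative.

```python
import hashlib

DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types
SHA1_SIGNING = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}  # DNSSEC algorithm numbers

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes) | protocol | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = H(owner name in wire form | DNSKEY RDATA)."""
    return DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, ds, rdata):
    """ds is (key_tag, algorithm, digest_type, hex_digest), as in '20899 8 1 6714...'."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3] and dtype in DS_DIGESTS
            and digest.upper() == ds_digest(owner, rdata, dtype))

def sha1_use(ds, dnskey_algs):
    """Report where SHA-1 appears: in the DS digest, in RRSIG hashing, or both."""
    found = ["DS digest type 1 (SHA-1)"] if ds[2] == 1 else []
    return found + [f"signing algorithm {a} ({SHA1_SIGNING[a]})"
                    for a in dnskey_algs if a in SHA1_SIGNING]

# Constructed sample data: the key bytes are filler, not a real zone's key.
OWNER = "example.test."
KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))
OTHER = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))  # a different key, same parameters
DS = (key_tag(KSK), 8, 1, ds_digest(OWNER, KSK, 1))

if __name__ == "__main__":
    print("DS:", *DS)
    print("published KSK matches DS:", ds_matches(OWNER, DS, KSK))
    print("substituted key matches DS:", ds_matches(OWNER, DS, OTHER))
    print("SHA-1 in use:", sha1_use(DS, [8]), sha1_use(DS, [5, 8]))
```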
