Viktor Dukhovni <[email protected]> wrote:
>
> A chosen-prefix attack is a powerful tool, a message with metadata P and
> payload S can now have the same digest as a message with completely
> different, chosen by the attacker metadata P' and payload S' (though
> ultimately the combined message lengths need to be the same).

There are some really nice diagrams of the overall shape of these attacks
on the page about the MD5 rogue CA chosen prefix collision

https://www.win.tue.nl/hashclash/rogue-ca/

especially the second diagram in section 3.5

https://www.win.tue.nl/hashclash/rogue-ca/images/diffIV.png

> So the present attack requires a suffix of ~640 rather than ~200 bytes.

Oh, that might make it a bit harder. This is shown in figure 7 in the
SHAmbles paper?

> Perhaps it is possible to split the suffix over multiple RRs,

Very tricky. I get the impression from table 1 in the SHAttered paper
http://shattered.io/static/shattered.pdf and figure 6 in the SHAmbles
paper https://eprint.iacr.org/2020/014.pdf that the constraints on the
collision blocks are too dense to overlay on parts of a message with
significant syntax. (Unless maybe you are Ange Albertini.)

> or at least over multiple (sub)strings in a single TXT RR.

More plausible, if the length bytes in the TXT RDATA of the two colliding
messages can be made to add up to the same total. (They don't have to
coincide...)

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Irish Sea: Northwest 4 to 6, backing south 6 to gale 8, perhaps severe gale 9
later. Slight or moderate, becoming rough or very rough. Occasional rain
later. Good, occasionally moderate.
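
Added illustration, not part of the original message: a minimal TXT RDATA encoder and parser showing the framing the last point refers to. The length octets are part of the RDATA bytes, and two records of equal total length can carry them at different offsets; the 640-octet filler and the split points are constructed sample values.

```python
# Added illustration of TXT RDATA framing (RFC 1035, section 3.3.14):
# each <character-string> is one length octet followed by 0..255 data octets.

def encode_txt_rdata(strings):
    """Encode byte strings as TXT RDATA, one length octet per string."""
    out = bytearray()
    for s in strings:
        if len(s) > 255:
            raise ValueError("character-string longer than 255 octets")
        out.append(len(s))
        out += s
    return bytes(out)

def parse_txt_rdata(rdata):
    """Return [(offset of length octet, string bytes)]; reject overruns."""
    items, pos = [], 0
    while pos < len(rdata):
        end = pos + 1 + rdata[pos]
        if end > len(rdata):
            raise ValueError(f"string at offset {pos} runs past end of RDATA")
        items.append((pos, rdata[pos + 1:end]))
        pos = end
    return items

def compare_layouts(a, b):
    """Summarise how two TXT RDATA values are framed."""
    pa, pb = parse_txt_rdata(a), parse_txt_rdata(b)
    return {
        "same_total_length": len(a) == len(b),
        "length_octet_offsets_a": [off for off, _ in pa],
        "length_octet_offsets_b": [off for off, _ in pb],
    }

# Constructed sample data: 640 filler octets per record, split differently.
RDATA_A = encode_txt_rdata([b"A" * 200, b"B" * 255, b"C" * 185])
RDATA_B = encode_txt_rdata([b"X" * 255, b"Y" * 130, b"Z" * 255])

if __name__ == "__main__":
    print(len(RDATA_A), len(RDATA_B))
    print(compare_layouts(RDATA_A, RDATA_B))
```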
