On Feb 23, 2017, at 9:08 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 23 Feb 2017 20:56:28 -0500, "Patrick W. Gilmore" said:
> 
>> According to the blog post, you can create two documents which have the same
>> hash, but you do not know what that hash is until the algorithm finishes. You
>> cannot create a document which matches a pre-existing hash, i.e. the one in
>> the signed doc.
> 
> You missed the point.  I generate *TWO* documents, with different terms but
> the same hash. I don't care if it matches anything else's hash, as long as
> these two documents have the same hash.  I get you to sign the hash on the
> *ONE* document I present to you that is favorable to you.  I then take your
> signature and transfer it to the *OTHER* document.
> 
> No, I can't create a collision to a document you produced, or do anything to a
> document you already signed. But if I'm allowed to take it and make "minor
> formatting changes", or if I can just make sure I have the last turn in the
> back-and-forth negotiating... because the problem is if I can get you to sign
> a plaintext of my choosing...

I did miss the point. Thanks for setting me straight.

A couple of things will make this slightly less useful for the attacker:
        1) How many people are not going to keep a copy? Once both docs are
           found to have the same hash, well, game over.

        2) The headers will be very strange indeed. The way this works is
           Google twiddled with the headers to make them look the same. That
           is probably pretty obvious if you look for it.

Oh, and third: Everyone should stop using SHA-1 anyway. :-)

--
TTFN,
patrick

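The signature-transfer attack Valdis describes, and the "keep a copy" check from point 1, worked through as an added example (not part of the thread). The SHAttered SHA-1 PDFs are far too large to embed, so the two colliding documents here are Wang et al.'s published 128-byte MD5 collision pair; the mechanics are the same for any hash-then-sign scheme. The "signature" is an HMAC over the digest standing in for a public-key signature, and the signing key and the contract suffix are constructed for the example.

```python
import hashlib
import hmac

# Wang et al.'s published MD5 collision pair: two different 128-byte messages
# with the same MD5 digest (79054025255fb1a26e4bc422aef54eb4). They stand in
# for the SHAttered SHA-1 PDFs, which are too large to embed here.
DOC_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
DOC_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Constructed for this example: the victim's signing key. HMAC over the digest
# plays the role of a hash-then-sign public-key signature (RSA, ECDSA, ...),
# which likewise signs only the digest, never the document bytes themselves.
SIGNING_KEY = b"victim-signing-key (constructed for this example)"


def sign(document: bytes, hash_name: str) -> bytes:
    """Hash-then-sign: the signature covers the digest, not the document."""
    digest = hashlib.new(hash_name, document).digest()
    return hmac.new(SIGNING_KEY, digest, "sha256").digest()


def verify(document: bytes, signature: bytes, hash_name: str) -> bool:
    return hmac.compare_digest(sign(document, hash_name), signature)


def signature_transfers(hash_name: str, suffix: bytes = b"") -> bool:
    """The attack: the victim is shown and signs doc A only; the attacker then
    presents doc B with the very same signature. Returns True if B verifies.

    `suffix` is identical text appended to both documents. Because MD5 (and
    SHA-1) are Merkle-Damgard constructions and the collision blocks occupy
    whole blocks, any common suffix keeps the collision; this is why the
    colliding bytes can live in the "strange header" of an otherwise normal
    document.
    """
    doc_a = DOC_A + suffix
    doc_b = DOC_B + suffix
    assert doc_a != doc_b  # genuinely different documents
    sig = sign(doc_a, hash_name)           # victim only ever signed doc A
    return verify(doc_b, sig, hash_name)   # attacker reuses it on doc B


def detect_collision(kept_copy: bytes, presented: bytes, hash_name: str) -> bool:
    """Point 1 from the reply: a signer who kept a byte-for-byte copy compares
    bytes, not digests. Returns True when the presented document has the same
    digest as the kept copy but is not the same document, i.e. evidence that
    the signature was transferred via a collision."""
    same_digest = hmac.compare_digest(
        hashlib.new(hash_name, kept_copy).digest(),
        hashlib.new(hash_name, presented).digest(),
    )
    return same_digest and kept_copy != presented


if __name__ == "__main__":
    terms = b"\nSeller agrees to deliver 100 units at $10 each."  # constructed
    print("md5 transfer, bare blocks:   ", signature_transfers("md5"))
    print("md5 transfer, with suffix:   ", signature_transfers("md5", terms))
    print("sha256 transfer:             ", signature_transfers("sha256", terms))
    print("collision detected by copy:  ", detect_collision(DOC_A + terms, DOC_B + terms, "md5"))
```

The two things worth noticing: the signature check passes on the document the victim never saw, for any hash with a practical collision attack, and it fails as soon as the digest algorithm is swapped for one without (here SHA-256). The byte comparison in `detect_collision` is the only check in the block that does not depend on the hash at all, which is the point of keeping a copy.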