SHA-1 Collision /// is it okay to use for checksum?

SHA-1 Collision /// is it okay to use for checksum?

Goyal, Arpit

Hello,

There was some question raised about SHA-1 in recent blogs [1]. So I just happened to search our code and saw that if we use anything but SHA-1 in bouncy castle PGPSecretKey class, we get the following exception [2].

Just wanted to know from experts of BC, is this still safe?

Regards,
Arpit.

[1] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

[2] Exception:
org.bouncycastle.openpgp.PGPException: only SHA1 supported for key checksum calculations.
                at org.bouncycastle.openpgp.PGPSecretKey.buildSecretKeyPacket(Unknown Source)
                at org.bouncycastle.openpgp.PGPSecretKey.<init>(Unknown Source)
                at org.bouncycastle.openpgp.PGPSecretKey.<init>(Unknown Source)
                at org.bouncycastle.openpgp.PGPKeyRingGenerator.<init>(Unknown Source)



RE: SHA-1 Collision /// is it okay to use for checksum?

Edward Ned Harvey (bouncycastle)
> From: Goyal, Arpit [mailto:[hidden email]]
>
> There was some question raised about SHA-1 in recent blogs [1]. So I just
> happened to search our code and saw that if we use anything but SHA-1 in
> bouncy castle PGPSecretKey class, we get the following exception [2].
>
> Just wanted to know from experts of BC, is this still safe?

I'm not "an expert of BC" but I know sha1 is considered broken, for the purposes of hash collision. It can still be used for other purposes, such as data integrity check in the face of a non-hostile opponent, or as the basis for a PRNG / DRBG.


RE: SHA-1 Collision /// is it okay to use for checksum?

Edward Ned Harvey (bouncycastle)
> From: Edward Ned Harvey (bouncycastle)
>
> sha1 is considered broken, for the
> purposes of hash collision.

Sorry, I meant to say "collision resistance." That's what I get for emailing while rushing.


RE: SHA-1 Collision /// is it okay to use for checksum?

Eckenfels. Bernd
In reply to this post by Goyal, Arpit
For PGP it is baked into the protocol, you would need to wait for a revision of the standards. In this specific case it is the secret key checksum which used to be a 16-bit construct before. So there is a very limited risk (as you seldom receive secret keys) but nothing you can do about it.

Unlike its name, PGP is pretty old-fashioned, especially in cryptographic protocols.

Regards
Bernd
--
http://www.seeburger.com
SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.


RE: SHA-1 Collision /// is it okay to use for checksum?

Erdem Memisyazici
If I'm not mistaken the relevant bit is under
https://www.ietf.org/rfc/rfc2440.txt 11.2. Key IDs and Fingerprints

--Erdem "Adam" Memisyazici

On 03/05/2017 02:37 PM, Eckenfels. Bernd wrote:

> For PGP it is baked into the protocol, you would need to wait for a revision of the standards. In this specific case it is the secret key checksum which used to be a 16-bit construct before. So there is a very limited risk (as you seldom receive secret keys) but nothing you can do about it.
>
> Unlike its name, PGP is pretty old-fashioned, especially in cryptographic protocols.
>
> Regards
> Bernd
> --
> http://www.seeburger.com


RE: SHA-1 Collision /// is it okay to use for checksum?

Eckenfels. Bernd
Hello,

there are multiple places for hardcoded SHA-1 in OpenPGP RFC 4880:

one is the integrity protection mechanism (5.13), in the MDC only SHA-1 is possible. There is a discussion in section 13.11 on how to change that. The RFC claims it does not rely on collision resistance for this mechanism.

then there is the integrity check of the symmetric key password protection (5.5.3). This is (I believe) what the exception was about.

And finally the Key Fingerprint (12.2). This one requires a defined prefix and only the key package, not sure if there is any shatter potential here.

Regards
Bernd
--
http://www.seeburger.com
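
Added example, not part of the thread and not Bouncy Castle code: the two secret key integrity trailers of RFC 4880 section 5.5.3 mentioned above, the older two-octet sum and the 20-octet SHA-1 hash, each checked against the same accidental transposition of two octets. The function names, constant names and the sample key material are assumptions made for this illustration.

```python
import hashlib
import hmac

# S2K usage octet values from RFC 4880 section 5.5.3
USAGE_NONE, USAGE_SHA1, USAGE_SUM16 = 0, 254, 255

# Constructed stand-in for the plaintext algorithm-specific key fields
SAMPLE = bytes.fromhex("0010a1b2c3d4e5f60718293a4b5c6d7e8f90")


def sum16(material: bytes) -> bytes:
    """Two-octet checksum: sum of all octets mod 65536, big-endian."""
    return (sum(material) % 65536).to_bytes(2, "big")


def trailer_for(usage: int, material: bytes) -> bytes:
    """Integrity trailer that the given usage octet calls for."""
    if usage == USAGE_SHA1:
        return hashlib.sha1(material).digest()  # 20 octets
    if usage in (USAGE_NONE, USAGE_SUM16):
        return sum16(material)                  # 2 octets
    raise ValueError(f"unsupported S2K usage octet: {usage}")


def verify(usage: int, blob: bytes) -> bool:
    """Split material || trailer and recompute the trailer."""
    size = 20 if usage == USAGE_SHA1 else 2
    if len(blob) <= size:
        return False
    material, trailer = blob[:-size], blob[-size:]
    return hmac.compare_digest(trailer, trailer_for(usage, material))


def detection_report(material: bytes) -> dict:
    """Check an intact blob and one with its first two octets transposed."""
    report = {}
    for name, usage in (("sum16", USAGE_SUM16), ("sha1", USAGE_SHA1)):
        blob = material + trailer_for(usage, material)
        damaged = blob[1:2] + blob[0:1] + blob[2:]
        report[name] = {"intact": verify(usage, blob),
                        "damaged": verify(usage, damaged)}
    return report


if __name__ == "__main__":
    print(detection_report(SAMPLE))
```

The additive sum accepts the reordered octets because addition is commutative, while the SHA-1 trailer rejects them; this is corruption detection over the decrypted key material, which is a different property from the collision resistance discussed in the Google post.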