[17052] in cryptography@c2.net mail archive


Re: Colliding X.509 Certificates

daemon@ATHENA.MIT.EDU (Olle Mulmo)
Sun Mar 13 14:42:26 2005

X-Original-To: cryptography@metzdowd.com
X-PDC-Rcpt-To: unknown
X-PDC-Mail-From: mulmo@pdc.kth.se
In-Reply-To: <5719.193.150.166.44.1109940282.squirrel@mail.joergschneider.com>
Cc: Olle Mulmo <mulmo@pdc.kth.se>,
	"Weger, B.M.M. de" <b.m.m.d.weger@TUE.nl>, cryptography@metzdowd.com
From: Olle Mulmo <mulmo@pdc.kth.se>
Date: Thu, 10 Mar 2005 11:45:09 +0100
To: "Joerg  Schneider" <js@joergschneider.com>

Seems to me that a CA can nullify this attack by choosing a serial
number or RDN component (after all, a CA should vet the DN and not
simply sign what's in the PKCS#10 request), such that the public key
does not end up at an "appropriate" DER-encoded offset in the
certificate. Or am I completely lost?

/Olle

On Mar 4, 2005, at 13:44, Joerg Schneider wrote:

> Benne,
>
>> One could e.g. construct the to-be-signed parts of the certificates,
>> and get the one certificate signed by a CA. Then a valid signature for
>> the other certificate is obtained, while the CA has not seen proof of
>> possession of the private key of this second certificate.
>
> From the paper I understand that this results in two certificates, which
> are identical except for the public key and that the attacker knows the
> private keys for both.
>
> Do you think it would be possible to modify the attack, to get different
> Subject DNs or SubjectAltNames under the control of the attacker? This
> would scare me more.
>
> On a different note:
>
> In a real life scenario a CA would accept PKCS#10 requests, create the TBS
> using parts of the requests, providing other parts like notBefore/notAfter
> and the serialNumber, and finally sign the result. This would make the
> attack more difficult, as the attacker would have to guess, what the CA
> makes out of the request, including time of issuance and serialNumber.
>
> Do you think choosing the serialNumber in a way that it cannot be guessed
> by the attacker would be an effective way to counter collision based
> attacks on CAs?
>
> Best regards,
>
> Jörg
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> majordomo@metzdowd.com


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
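Both messages above turn on the same point: the colliding TBS bodies are prepared before the CA signs, so they only work if everything the CA writes in front of the public key (serialNumber, RDNs, validity) lands exactly where the attacker predicted. The toy DER encoder below, added here as an illustration and not code from either poster, shows why Olle's suggestion and Jörg's unguessable-serial idea are the same mechanism: a CA-chosen serial or RDN change alters the byte offset of SubjectPublicKeyInfo inside TBSCertificate, so any precomputed pair no longer lines up. The TBSCertificate is deliberately reduced to serialNumber, subject and subjectPublicKeyInfo (no version, signature algorithm, issuer or validity), the SPKI is a constructed placeholder rather than a real key, and `ca_issue_tbs` draws a 64-bit CSPRNG serial, which is what the CA/Browser Forum Baseline Requirements later mandated for publicly trusted CAs.

```python
"""Toy DER encoder: how CA-chosen serialNumber/RDN values shift the
byte offset of the public key inside TBSCertificate.  Added example;
the TBSCertificate is reduced to three fields to keep offsets easy to
follow, and FAKE_SPKI is a constructed stand-in, not a real key."""
import secrets
from typing import Dict, Tuple


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER for non-negative values (serials).
    A leading 0x00 is added when the top bit is set, so a 64-bit serial
    with its high bit set takes 9 content octets, not 8."""
    assert value >= 0
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_sequence(*parts: bytes) -> bytes:
    return der_tlv(0x30, b"".join(parts))


def der_set(*parts: bytes) -> bytes:
    return der_tlv(0x31, b"".join(parts))


CN_OID = b"\x06\x03\x55\x04\x03"  # id-at-commonName (2.5.4.3), pre-encoded


def subject_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName; a single CN here."""
    attr = der_sequence(CN_OID, der_tlv(0x0C, common_name.encode("utf-8")))
    return der_sequence(der_set(attr))


def build_tbs(serial: int, common_name: str, spki: bytes) -> bytes:
    """Reduced TBSCertificate: serialNumber, subject, subjectPublicKeyInfo."""
    return der_sequence(der_integer(serial), subject_name(common_name), spki)


def spki_offset(tbs: bytes, spki: bytes) -> int:
    """Byte offset at which the SubjectPublicKeyInfo begins inside the TBS."""
    return tbs.index(spki)


def ca_issue_tbs(requested_cn: str, spki: bytes) -> Tuple[int, bytes]:
    """CA-side construction: the CA, not the requester, picks the serial
    from 64 bits of CSPRNG output, so the bytes preceding the key cannot
    be known when the PKCS#10 request (and any colliding twin) is built."""
    serial = secrets.randbits(64)
    return serial, build_tbs(serial, requested_cn, spki)


# Constructed stand-in for a DER SubjectPublicKeyInfo (not a real key):
# SEQUENCE { OID 1.2, BIT STRING of 32 zero octets }.
FAKE_SPKI = der_sequence(b"\x06\x01\x2a", der_tlv(0x03, b"\x00" + bytes(32)))


def offset_shift(common_name: str, spki: bytes) -> Dict[str, int]:
    """Key offsets for a predictable serial versus CA-controlled changes."""
    return {
        "serial=1": spki_offset(build_tbs(1, common_name, spki), spki),
        "serial=2**63": spki_offset(build_tbs(2**63, common_name, spki), spki),
        "cn+1 char": spki_offset(build_tbs(1, common_name + "x", spki), spki),
    }


if __name__ == "__main__":
    print(offset_shift("example.test", FAKE_SPKI))
    serial, tbs = ca_issue_tbs("example.test", FAKE_SPKI)
    print(hex(serial), "->", "key at offset", spki_offset(tbs, FAKE_SPKI))
```

Running it shows the key moving from offset 30 (serial 1) to 38 (a 9-octet serial) or 31 (one extra CN character); every such shift invalidates a collision computed against the guessed layout. The caveat both posters circle is still worth stating plainly: an unpredictable serial defeats a precomputed collision only because the attacker cannot see it in advance, and it does nothing about the hash function itself, so it is a stopgap alongside, not a substitute for, retiring MD5 from certificate signatures.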
