[16993] in cryptography@c2.net mail archive
MD5 collision in X509 certificates
daemon@ATHENA.MIT.EDU (Ben Laurie)
Thu Mar 3 19:15:00 2005
X-Original-To: cryptography@metzdowd.com
Date: Wed, 02 Mar 2005 12:35:50 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: Cryptography <cryptography@metzdowd.com>
Cc: Dan Kaminsky <dan@doxpara.com>
Cute. I expect we'll see more of this kind of thing.
http://eprint.iacr.org/2005/067
Executive summary: calculate chaining values (called IV in the paper) of
first part of the CERT, find a colliding block for those chaining
values, generate an RSA key that has the collision as the first part of
its public key, profit.
BTW, reading this made me notice that Dan Kaminsky's attacks are wrong
in detail, if not in essence. Because the output of the MD5 block
function depends on the chaining values from previous blocks, it is not
the case that you can prepend arbitrary material to your colliding
block, as he claims. However, you can (according to the paper above)
generate collisions with any IV, so if you know what the prepended
material is, then Kaminsky's attack will still work.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com