[16994] in cryptography@c2.net mail archive
Re: MD5 collision in X509 certificates
daemon@ATHENA.MIT.EDU (Dan Kaminsky)
Thu Mar 3 19:15:53 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Wed, 02 Mar 2005 08:01:27 -0800
From: Dan Kaminsky <dan@doxpara.com>
To: Ben Laurie <ben@algroup.co.uk>
Cc: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <4225B326.4070706@algroup.co.uk>
Ben,
Semantic gap, and I do apologize if I didn't make this clear. Wang
adapts to any initial state, so you can create arbitrary content to
prepend your collision set with, adapt to its output, and then append
whatever you like. The temporal ordering is indeed important though;
you can't create the doppelganger set before you know what's prepended
to it.
The fact that we can have arbitrary content adapted to allows for a
critical expansion of the applied risks (i.e. we wouldn't be seeing
colliding certs w/o it). I don't think it's fair to say my attacks --
in some vague, general sense -- are "wrong", given what was at best a
small difference in interpretation.
The x.509 cert collision is a necessary consequence of the earlier
discussed prime/not-prime collision. Take the previous concept, make
both prime, and surround with the frame of an x.509 cert, and you get
the new paper. Still nice to see...Rescorla specifically thought it
wasn't possible. I look forward to actually having the code to work on
this myself.
--Dan
Ben Laurie wrote:
> Cute. I expect we'll see more of this kind of thing.
>
> http://eprint.iacr.org/2005/067
>
> Executive summary: calculate chaining values (called IV in the paper)
> of first part of the CERT, find a colliding block for those chaining
> values, generate an RSA key that has the collision as the first part
> of its public key, profit.
>
> BTW, reading this made me notice that Dan Kaminsky's attacks are wrong
> in detail, if not in essence. Because the output of the MD5 block
> function depends on the chaining values from previous blocks, it is
> not the case that you can prepend arbitrary material to your colliding
> block, as he claims. However, you can (according to the paper above)
> generate collisions with any IV, so if you know what the prepended
> material is, then Kaminsky's attack will still work.
>
> Cheers,
>
> Ben.
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com