[17008] in cryptography@c2.net mail archive


Re: Colliding X.509 Certificates

daemon@ATHENA.MIT.EDU (Joerg Schneider)
Sat Mar 5 10:35:19 2005

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <9F38CF35D80CAE409B979F3EB5242B4A025E1A5B@winex2.campus.tue.nl>
Date: Fri, 4 Mar 2005 13:44:42 +0100 (CET)
From: "Joerg  Schneider" <js@joergschneider.com>
To: "Weger, B.M.M. de" <b.m.m.d.weger@TUE.nl>
Cc: cryptography@metzdowd.com

Benne,

> One could e.g. construct the to-be-signed parts of the certificates,
> and get the one certificate signed by a CA. Then a valid signature for
> the other certificate is obtained, while the CA has not seen proof of
> possession of the private key of this second certificate.

From the paper I understand that this results in two certificates, which
are identical except for the public key and that the attacker knows the
private keys for both.

Do you think it would be possible to modify the attack, to get different
Subject DNs or SubjectAltNames under the control of the attacker? This
would scare me more.

On a different note:

In a real life scenario a CA would accept PKCS#10 requests, create the TBS
using parts of the requests, providing other parts like notBefore/notAfter
and the serialNumber, and finally sign the result. This would make the
attack more difficult, as the attacker would have to guess, what the CA
makes out of the request, including time of issuance and serialNumber.

Do you think choosing the serialNumber in a way that it cannot be guessed
by the attacker would be an effective way to counter collision based
attacks on CAs?

Best regards,

Jörg




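The CA-side procedure described in the mail above, as an added example that is not part of the mail or of the paper under discussion: a toy CA written in Go against the standard library's crypto/x509 takes a PKCS#10 request, keeps only the subject, the requested names and the public key from it, and supplies serialNumber and validity itself, with the serial drawn from the system CSPRNG. The CA name, the requested hostname and the helper names (toyCA, issue, randomSerial, serialOffset) are made up for this example; the keys are ECDSA P-256 for speed, the signature algorithm does not matter for the point being shown. The serialOffset helper shows the structural reason an unguessable serial helps: in a DER tbsCertificate the serialNumber is the second element, ahead of issuer, validity, subject and subjectPublicKeyInfo, so nearly everything an attacker has to control when preparing a colliding to-be-signed part sits after bytes the CA chooses at signing time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // set-up helper: panic on error
	if err != nil {
		panic(err)
	}
	return v
}

// toyCA stands in for the issuing CA; every name in this file is constructed.
type toyCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newToyCA() *toyCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Toy CA"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &toyCA{cert: must(x509.ParseCertificate(der)), key: key}
}

// makeCSR plays the requester: a PKCS#10 request for a constructed hostname.
func makeCSR() []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "www.example.com"}, DNSNames: []string{"www.example.com"}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// randomSerial draws the serialNumber from the system CSPRNG. Clearing bit 127
// and setting bit 126 gives a positive, non-zero, 16-octet DER INTEGER with
// 126 bits the requester cannot predict.
func randomSerial() *big.Int {
	b := make([]byte, 16)
	must(rand.Read(b))
	b[0] = b[0]&0x7f | 0x40
	return new(big.Int).SetBytes(b)
}

// issue is the CA step from the mail: subject, names and key come from the
// request; serialNumber and validity are supplied by the CA at signing time.
func (ca *toyCA) issue(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession
		return nil, fmt.Errorf("no proof of possession: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(), // CA-chosen, never taken from the request
		Subject:      csr.Subject,    // from the request (a real CA validates it)
		DNSNames:     csr.DNSNames,   // from the request (same caveat)
		NotBefore:    time.Now(),     // CA-chosen
		NotAfter:     time.Now().AddDate(1, 0, 0),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// serialOffset returns where the serialNumber INTEGER starts in the DER
// tbsCertificate: right after the SEQUENCE header and the optional [0] version,
// i.e. ahead of issuer, validity, subject and the public key.
func serialOffset(tbsDER []byte) (int, error) {
	var tbs, first asn1.RawValue
	if _, err := asn1.Unmarshal(tbsDER, &tbs); err != nil {
		return 0, err
	}
	rest, err := asn1.Unmarshal(tbs.Bytes, &first)
	if err != nil {
		return 0, err
	}
	header := len(tbs.FullBytes) - len(tbs.Bytes)
	if first.Class == asn1.ClassContextSpecific && first.Tag == 0 {
		return header + len(tbs.Bytes) - len(rest), nil // v2/v3: skip the version
	}
	return header, nil // v1: the serial is the first element
}

func main() {
	ca, csr := newToyCA(), makeCSR()
	c1 := must(x509.ParseCertificate(must(ca.issue(csr))))
	c2 := must(x509.ParseCertificate(must(ca.issue(csr)))) // the same request, submitted again
	off := must(serialOffset(c1.RawTBSCertificate))
	fmt.Printf("serials: %x / %x (serial INTEGER at TBS offset %d)\n", c1.SerialNumber, c2.SerialNumber, off)
}
```

Running it with go run prints two different serials for one and the same request, with the serial sitting within the first dozen bytes of the TBS; the only bytes in front of it are the SEQUENCE header and the version, which the attacker can predict trivially but which do not help. One caveat a practitioner will want: the serial is not the only CA-supplied field, and the 2008 rogue-CA demonstration by Sotirov, Stevens and others against MD5 succeeded against a commercial CA precisely because that CA used sequential serials and an issuance time predictable to the second. An unguessable serial (the CA/Browser Forum Baseline Requirements later required at least 64 bits of CSPRNG output in it) removes the attacker's knowledge of the TBS prefix, but it is a mitigation layered on top of retiring the weak hash, not a replacement for doing so.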
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
