[17029] in cryptography@c2.net mail archive
Re: MD5 collision in X509 certificates
daemon@ATHENA.MIT.EDU (Bill Frantz)
Mon Mar 7 11:24:46 2005
X-Original-To: cryptography@metzdowd.com
Date: Sun, 6 Mar 2005 21:06:02 -0800
From: Bill Frantz <frantz@pwpconsult.com>
To: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <4229DCEF.8070301@garlic.com>
On 3/5/05, lynn@garlic.com (Anne & Lynn Wheeler) wrote:
>The implication is that if i can substitute a public key in some
>certificate that attests to represent some other party .... then it may
>be some form of identity theft (fraudulent messages can be created that
>otherwise appear to have originated from you ... and validate with the
>substituted public key). The other might be elevation of privileges ....
>adding characteristics to a certificate that were otherwise not provided.
The real concern, and there is no evidence that it is easy, is that if a
certificate is signed using an MD5 hash, and another certificate, with a
different (RSA) public key, can be substituted, maintaining the signature,
then it will be probable that the new public key will be the product of many
primes, and (relatively) easy to factor. If this were possible, it would lead
to identity theft.

While this scenario is not, as far as I know, easy, it seems to me that it is
time to abandon MD5 in signatures. The issues with SHA1 are worrisome, but not
yet, IMHO, fatal. However, it would be prudent to plan on moving beyond SHA1
in the near future.
All IMHO.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032
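To make the factoring concern in the message above concrete, here is an added example (not part of Bill's post or the thread): a key-sanity check that runs Miller-Rabin plus a budgeted Pollard rho against two constructed moduli, one built from eight 20-bit primes and one from two well-known large primes. The function names, budgets and demo moduli are my own choices, not from any real certificate.

```python
# Added example (not from the original thread): a key-sanity check showing why a
# modulus built from many medium-size primes falls to cheap factoring methods.
import math
import random

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin; deterministic below 3.3e24, probabilistic above that."""
    if n < 2 or any(n % p == 0 for p in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(s - 1)):
            return False
    return True

def pollard_rho(n, budget=1 << 17, attempts=3, seed=1):
    """Pollard rho with a step budget; returns a nontrivial factor of n, or None if it gives up."""
    rng = random.Random(seed)
    for _ in range(attempts):
        c, x = rng.randrange(1, n), rng.randrange(2, n)
        y, d, steps = x, 1, 0
        while d == 1 and steps < budget:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d, steps = math.gcd(abs(x - y), n), steps + 1
        if 1 < d < n:
            return d
    return None

def cheap_factor(n):
    """Return (factors found cheaply, unfactored cofactor); cofactor 1 means the key must be rejected."""
    factors, stack = [], [n] if n > 1 else []
    while stack:
        m = stack.pop()
        if is_probable_prime(m):
            factors.append(m)
        elif (d := pollard_rho(m)) is None:   # budget exhausted: the remainder is "hard"
            return sorted(factors), m * math.prod(stack)
        else:
            stack.extend([d, m // d])
    return sorted(factors), 1

# Constructed demo moduli: eight 20-bit primes vs. two well-known large primes.
MANY_PRIME_MODULUS = math.prod([1000003, 1000033, 1000037, 1000039, 1000081, 1000099, 1000117, 1000121])
TWO_PRIME_MODULUS = (2**61 - 1) * (2**64 - 59)
```

With a real RSA modulus the same check finds nothing in its budget, which is the behaviour a certificate validator should demand before trusting a key.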