[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PKIX implications of SHA-1 collisions

To: ietf-pkix@xxxxxxx
Subject: PKIX implications of SHA-1 collisions
From: Russ Housley <housley@xxxxxxxxxxxx>
Date: Wed, 16 Feb 2005 12:26:47 -0500
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

I am sure that almost everyone on this list is already aware of the newsregarding SHA-1. For those who have not, seehttp://www.schneier.com/blog/archives/2005/02/sha1_broken.html

A 2^69 work factor is bad, but not a complete disaster. At least notyet. Of course, as Bruce Schneier has noted, attacks never get worse; theyonly improve.

From the information that we have so far, two messages that havecollisions will have a particular structure. I propose we have a prettyeasy way to make sure that we can avoid that structure in X.509certificates. We can construct the certificate serial number, which isalways part of the first hash block, from a random number in addition toany other CA-specific serial number assignment scheme. For example, theserial number might be a counter concatenated with a 64-bit random value.

I think this can documented very quickly in a BCP. It should just be a fewpages. I am willing to help write it.


Russ

Follow-Ups:
- Re: PKIX implications of SHA-1 collisions
  - From: Peter Gutmann
- Re: PKIX implications of SHA-1 collisions
  - From: Tim Polk

Prev by Date: Re[2]: Question about updating the CA to change its DN encoding
Next by Date: Re: SCVP Draft 17: Summary of changes
Previous by thread: I-D ACTION:draft-ietf-pkix-cmc-trans-03.txt
Next by thread: Re: PKIX implications of SHA-1 collisions
Index(es):
- Date
- Thread