[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [saag] Another bad day at the hash function factory

To: "'MW-PKIPrgmCommittee@xxxxxxxxxxxxx'" <MW-PKIPrgmCommittee@xxxxxxxxxxxxx>, ietf-pkix@xxxxxxx
Subject: Re: [saag] Another bad day at the hash function factory
From: Eric Norman <ejnorman@xxxxxxxxxxxxx>
Date: Wed, 02 Mar 2005 19:49:03 -0600
In-reply-to: <cfcc3ff8ffef51156958d5734a060853@xxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <20050302205815.GL1938@feynman> <b27ed2d6425ab92655dc9c9df3e0d97e@xxxxxxxxxxxxxxxx> <6.2.0.14.2.20050302165007.0888c820@xxxxxxxxxxxxxxxx> <cfcc3ff8ffef51156958d5734a060853@xxxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


Here's my take.

Santosh seems to have asked the key question, "what is the threat?"
I think Jean-Marc has come close to answering it.

First of all, it doesn't have anything to do with serial numbers oranything elsein certificates other than public keys. The threat is against thenon-repudiation

support of PKI.  Here's how I would describe a possible attack.

I generate two different bit strings that will cause an MD5 collision.

I set my computers to work for a few hours to turn those bit stringsinto publickeys that will also collide, and I know the associated private keys.Call these

keypair A and keypair B.  This is what's detailed in the paper.

I send public key A off to a certification authority, provide proof ofpossession(private key A), whatever identity information is appropriate, andreceive a

certificate from the CA.

I replace the public key of that certificate with public key B to getcertificate B.Everything in certificate B is identical to what's in certificate Aexcept for thepublic key part. And the signature by the CA in certificate B stillverifies!

I now sign something using private key B and send along certificate Bfor

purposes of verification.

The relying party uses public key B to verify my signature, the relyingparty

relies on that and does whatever.  The relying party can even record the

entire certificate (certificate B) as evidence to be used in case ofrepudiation.

I come along later and claim that I didn't sign that and therefore Idon't owe

the relying party anything, or whatever.

What evidence does the relying party have? He has a recording of apublic

key (B), mathematical evidence that someone knows the associated private

key (B), and a claim that I control private key B. But he doesn't haveproof ofthat binding between claim of identity and keypair; he has to get suchevidence

from the CA that signed the certificate.  So he asks the CA to testify.

What evidence does the CA have?  The CA has evidence that keypair A

belongs to me, but the CA has never seen public key B and has noevidence

about it whatsoever.

The only place evidence about keypair B exists is on my equipment andsinceI'm a very thorough miscreant, I have destroyed it just in case someonecomes

along with a search warrant.

Eric Norman
University of WIsconsin -- DoIT

Follow-Ups:
- Re: [saag] Another bad day at the hash function factory
  - From: Eric Rescorla

Prev by Date: RE: [saag] X.509 certificate collision, via MD5 collisions
Next by Date: Re: [saag] X.509 certificate collision, via MD5 collisions
Previous by thread: X.509 certificate collision, via MD5 collisions
Next by thread: Re: [saag] Another bad day at the hash function factory
Index(es):
- Date
- Thread