
Re: [saag] Another bad day at the hash function factory




Eric Rescorla wrote:


First, let me say that I'm extremely skeptical of this entire
line of argument and doubt that it would convince a judge.
That said, even if I thought you could make a convincing argument
against non-repudiation based on hash collisions I don't think this
example shows what you think it shows:

We have available:

* A certificate containing key A (retained by the CA)
* A certificate containing key B (retained by the relying party)

The CA can demonstrate (to the extent that they can demonstrate
this at all) that the attesting party obtained certificate A.

It's also easy to verify that certificates A and B have the
same interior message digest value, so it's clear that something
is fishy.
However, it's easy to demonstrate that the cert holder is the one who
is cheating, because they are the only one who could have generated
the A,B pair. By assumption, collision attacks are possible but 2nd
preimages are not, and it's undisputed that the cert holder generated
key A, therefore he must ALSO have generated key B.


I also notice that the examples don't include the subject public key ID extension. If the CA used an appropriate recommended algorithm to generate SKID then it could demonstrate that the certificate containing A contained a consistent SKID whereas the one containing B did not.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@xxxxxxxxxxxxxxxxxxxxx, PGP key: via homepage.
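
The consistency check described in the reply above, as an added example that is not part of the original message or of OpenSSL. It assumes the "recommended algorithm" is method (1) of RFC 5280 section 4.2.1.2 (SHA-1 over the subjectPublicKey bits) and that both certificates carry the same SKID bytes the CA computed at issuance; the two keys are constructed stand-ins and all function names are hypothetical.

```python
import hashlib

RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption, NULL params

def der(tag, value):
    """Encode one definite-length DER TLV."""
    n = len(value)
    nbytes = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + size + value

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_spki(modulus):
    """Build a SubjectPublicKeyInfo for an RSA key with e = 65537."""
    n = modulus.to_bytes(modulus.bit_length() // 8 + 1, "big")  # minimal positive INTEGER
    key = der(0x30, der(0x02, n) + der(0x02, b"\x01\x00\x01"))
    return der(0x30, RSA_ALG + der(0x03, b"\x00" + key))

def skid_method1(spki):
    """SHA-1 of the subjectPublicKey BIT STRING value, minus tag, length, unused-bits octet."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    _, _, pos = read_tlv(body)  # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("expected BIT STRING with 0 unused bits")
    return hashlib.sha1(bits[1:]).digest()

def consistent_keys(skid_in_cert, candidates):
    """Names of the candidate keys whose method-1 SKID equals the one in the certificate."""
    return [name for name, spki in candidates.items() if skid_method1(spki) == skid_in_cert]

# Constructed stand-ins for the two moduli (not real RSA keys, not from the thread).
SPKI_A = rsa_spki(int.from_bytes(hashlib.sha256(b"constructed key A").digest() * 4, "big"))
SPKI_B = rsa_spki(int.from_bytes(hashlib.sha256(b"constructed key B").digest() * 4, "big"))
ISSUED_SKID = skid_method1(SPKI_A)  # assumption: the CA derived the SKID from key A

if __name__ == "__main__":
    print(consistent_keys(ISSUED_SKID, {"A": SPKI_A, "B": SPKI_B}))
```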