[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [saag] X.509 certificate collision, via MD5 collisions

To: Santosh Chokhani <chokhani@xxxxxxxxxxxx>
Subject: Re: [saag] X.509 certificate collision, via MD5 collisions
From: Denis Pinkas <Denis.Pinkas@xxxxxxxx>
Date: Mon, 07 Mar 2005 15:50:13 +0100
Cc: ietf-pkix@xxxxxxx
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: Bull SA.
References: <008a01c5231a$980c6c40$dc6b8640@xxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0


Santosh,

Denis,

But, that alone will not support NR in case of the Lenstra attack since cert
hash, issuer, and serial will be all the same.

But the collision is on the *content* of the certificate computed using MD5while ESSCertID requires the use of SHA-1 to compute a hash over the*entire* certificate.


This solves the issue.

Denis

I think NR claim ties to showing Lenstra paper and then showing that forcing
the subscriber to show the primes or private key to show that one of the
primes for a 2048 modulus is only 512 bits (should be around 1024 bits).

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Denis Pinkas
Sent: Monday, March 07, 2005 3:36 AM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: Re: [saag] X.509 certificate collision, via MD5 collisions



Santosh,
Some of us have suggested that the Lenstra attack does not breaknon-repudiation. I would like to add another evidence for NR.
If there is a dispute between the signer and the relying party and thesigner (or CA) and the relying party produce two certificatesresulting in the same hash,
When RFC 3126 is used, then ESSCertID MUST be used as a signed attributewhich means that not only there MUST be the same hash value but also thesame CA DN and the same serial number.
    ESSCertID ::=  SEQUENCE {
         certHash                 Hash,
         issuerSerial             IssuerSerial OPTIONAL
    }

    Hash ::= OCTET STRING -- SHA1 hash of entire certificate

    IssuerSerial ::= SEQUENCE {
         issuer                   GeneralNames,
         serialNumber             CertificateSerialNumber
    }

Denis
signer could be required to produce further evidence for the moduliiand one would notice that one of the factors is 512 bits for 2048modulus, something FIPS does not recommend. That would be viewed asadditional evidence of mischief by the subscriber.
Santosh Chokhani
Orion Security Solutions, Inc.
1489 Chain Bridge Road, Suite 300
McLean, Virginia 22101
(703) 917-0060  Ext. 35 (voice)
(703) 917-0260 (Fax)
chokhani@xxxxxxxxxxxx
Visit our Web site
http://www.orionsec.com

Follow-Ups:
- RE: [saag] X.509 certificate collision, via MD5 collisions
  - From: Santosh Chokhani

References:
- RE: [saag] X.509 certificate collision, via MD5 collisions
  - From: Santosh Chokhani

Prev by Date: Re: Comments to SCVP ID 17
Next by Date: RE: [saag] X.509 certificate collision, via MD5 collisions
Previous by thread: RE: [saag] X.509 certificate collision, via MD5 collisions
Next by thread: RE: [saag] X.509 certificate collision, via MD5 collisions
Index(es):
- Date
- Thread