[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate

To: Paul Hoffman <paul.hoffman@xxxxxxxx>, Yoav Nir <ynir@xxxxxxxxxxxxxx>
Subject: RE: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate
From: "Weger, B.M.M. de" <b.m.m.d.weger@xxxxxx>
Date: Sun, 4 Jan 2009 23:02:36 +0100
Accept-language: nl-NL, en-US
Acceptlanguage: nl-NL, en-US
Cc: "ietf-pkix@xxxxxxx" <ietf-pkix@xxxxxxx>, "ietf-smime@xxxxxxx" <ietf-smime@xxxxxxx>, "cfrg@xxxxxxxx" <cfrg@xxxxxxxx>, "saag@xxxxxxxx" <saag@xxxxxxxx>
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-id: <ietf-smime.imc.org>
List-unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
References: <495BA5E9.8040305@xxxxxxxxx> <495E3446.4070606@xxxxxxxxxxxxxxx> <230CAA22-D118-4F29-9DC8-32FDCD7D771E@xxxxxxxxxxxxxx> <> <C178CD90-F101-4E52-9C6F-055510471654@xxxxxxxxxxxxxx> <>
Sender: owner-ietf-smime@xxxxxxxxxxxx
Thread-index: AclurK43+Y7mFmYNToKiFNQb0Pgg2QAChf2w
Thread-topic: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate

Hi Paul,

> >>Just to repeat it one more time: #3 does not prevent the 
> published attack.
> >
> >It does if the random fluff is inserted by the CA. The 
> attack depends on their ability to predict the entire TBS part.
> 
> I may have misunderstood the paper, but I think that changes 
> after the subjectPublicKeyInfo do not affect the attack.

Almost correct. A random looking "collision block" has to be inserted
somewhere. We chose to insert it in the public key, as that seems
the most convenient. Somebody else may find another place where
it can be hidden (maybe in a "subject key identifier" field or something,
I don't know what would be feasible). Everything after the "collision
block" must be copied bitwise into the twin certificate, and must be
'harmless' there. If 'random fluff' is inserted by the CA after the
"collision block", this 'random fluff' can be copied into the twin 
certificate as well, retaining the collision property, and this
would indeed be irrelevant to our attack.

> >Also, I've updated today and all the "bad" CAs with MD5 
> signatures are still in the TAS.
> 
> As was pointed out to me earlier: it does not matter if the 
> CA has its cert signed with MD5, only whether that CA *signs* 
> with MD5. RapidSSL, for example, is still signed with MD5 but 
> is now signing with SHA-1.

Correct.

Grtz,
Benne de Weger

Follow-Ups:
- Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate
  - From: Yoav Nir

References:
- Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate
  - From: Mike
- Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate
  - From: Robert Moskowitz
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
  - From: Yoav Nir
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
  - From: Paul Hoffman
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
  - From: Yoav Nir
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
  - From: Paul Hoffman

Prev by Date: Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
Next by Date: Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
Previous by thread: Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
Next by thread: Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate
Index(es):
- Date
- Thread