How thorough are the hash breaks, anyway?

Hal Finney hal at finney.org
Tue Aug 31 14:50:23 EDT 2004


Dan Carosone wrote:
> There is one application of hashes, however, that fits these
> limitations very closely and has me particularly worried:
> certificates.  The public key data is public, and it's a "random"
> bitpattern where nobody would ever notice a few different bits.
>
> If someone finds a collision for microsoft's windows update cert (or a
> number of other possibilities), and the fan is well and truly buried
> in it.

A more likely attack along these lines would be to create two certificates
which collided and had identical keys but different identification
information or other attributes.  If you could create a situation
where a cert on "microsoft.com" collided with one on "jf8l23fzq.com",
you could easily get the second one certified, and the signature on
it would also validate when you substituted microsoft.com.  Presto,
you could successfully masquerade as Microsoft.

This is a collision attack rather than a second preimage attack as you
propose and so should be far easier to mount.

The attack requires being able to predict the exact form of the cert,
including validity dates and serial number.  The latter is chosen by
the CA and depending on its policies, may be easy or hard to predict.
The name "serial number" suggests a degree of sequentiality and some
CAs may follow such a policy, which could allow a motivated attacker to
predict the value with considerable accuracy.

Hal Finney
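The collision scenario in the reply above, as an added example that is not part of the original thread: a toy CA signs a deliberately weakened (24-bit) digest of the to-be-signed fields, so a birthday search finds two certificates with the same key but different names, and the signature the CA puts on the harmless one validates the other. The same code shows why a CA-chosen unpredictable serial number defeats the precomputation. The field encoding, the HMAC stand-in for the CA's signature, and the key and filler values are constructed assumptions.

```python
import hashlib, hmac, itertools, os

TRUNC = 3  # toy "broken" hash: a 24-bit digest makes a birthday collision ~2^12 work
CA_KEY = b"constructed-ca-key"  # HMAC stands in for the CA's signature over the digest
PUBKEY = b"constructed-public-key-bytes"
BENIGN, TARGET = b"jf8l23fzq.com", b"microsoft.com"

def weak_digest(tbs_bytes: bytes) -> bytes:
    """Stand-in for a hash with practical collisions: SHA-256 truncated to 24 bits."""
    return hashlib.sha256(tbs_bytes).digest()[:TRUNC]

def tbs(serial: int, name: bytes, pubkey: bytes, filler: bytes) -> bytes:
    """Constructed 'to-be-signed' encoding: length-prefixed serial, subject name,
    public key, and a free-form field the requester controls (like an extension)."""
    fields = [serial.to_bytes(8, "big"), name, pubkey, filler]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def ca_sign(tbs_bytes: bytes) -> bytes:
    return hmac.new(CA_KEY, weak_digest(tbs_bytes), "sha256").digest()

def ca_verify(tbs_bytes: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(ca_sign(tbs_bytes), sig)

def find_colliding_pair(serial, pubkey, name_a, name_b):
    """Birthday search: vary the filler in both templates (same key, different
    names) until two TBS blobs share a digest. Returns (filler_a, filler_b)."""
    seen_a, seen_b = {}, {}
    for i in itertools.count():
        f = i.to_bytes(4, "big")
        da = weak_digest(tbs(serial, name_a, pubkey, f))
        db = weak_digest(tbs(serial, name_b, pubkey, f))
        if da == db:
            return f, f
        if da in seen_b:
            return f, seen_b[da]
        if db in seen_a:
            return seen_a[db], f
        seen_a[da], seen_b[db] = f, f

def signature_transfers(ca_serial: int, predicted_serial: int = 1001) -> bool:
    """Precompute a colliding pair for the serial the attacker expects, have the CA
    sign the benign-name cert with the serial it really uses, and report whether
    that signature also validates the target-name cert."""
    fa, fb = find_colliding_pair(predicted_serial, PUBKEY, BENIGN, TARGET)
    sig = ca_sign(tbs(ca_serial, BENIGN, PUBKEY, fa))
    return ca_verify(tbs(ca_serial, TARGET, PUBKEY, fb), sig)

def random_serial() -> int:
    """Mitigation: an unpredictable CA-chosen 64-bit serial invalidates the precomputed pair."""
    return int.from_bytes(os.urandom(8), "big")
```

With a sequential serial the attacker guessed correctly, `signature_transfers(1001)` is True; with `random_serial()` the signed bytes differ from the precomputed pair and it is False.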

---------------------------------------------------------------------
The Cryptography Mailing List