Colliding X.509 Certificates

Weger, B.M.M. de b.m.m.d.weger at
Tue Mar 1 14:21:37 EST 2005

Hi all,

We announce the construction of two different valid X.509 certificates
that have identical signatures. This is based on MD5 collisions.

One could e.g. construct the to-be-signed parts of the certificates,
and get the one certificate signed by a CA. Then a valid signature for 
the other certificate is obtained, while the CA has not seen proof of 
possession of the private key of this second certificate. 

The certificates we constructed can be downloaded from
From this site some more technical information can be downloaded as

We provide a short paper explaining in detail our method.
It is available on the website, and on the Cryptology ePrint Archive,

This is joint work with Arjen Lenstra (Lucent Bell Labs and TU
and Xiaoyun Wang (Shandong University).

Benne de Weger

Technische Universiteit Eindhoven 
Coding & Crypto Groep 
Faculteit Wiskunde en Informatica 
Den Dolech 2 
Postbus 513 
5600 MB Eindhoven 
e-mail: b at m@m at d@weger.tue at nl 
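The property described in the message above can be checked mechanically; the following is an added example, not part of the original post or the authors' code. It splits a DER certificate into the to-be-signed part, the signature algorithm and the signature value, then flags MD5-based signatures and pairs of certificates that carry one signature over different to-be-signed parts. The helper names and the sample structures are constructed for illustration: the samples are stand-ins, not real certificates and not a real MD5 collision.

```python
import hashlib

MD5_RSA_OID_DER = bytes.fromhex("2a864886f70d010104")  # md5WithRSAEncryption

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def split_certificate(der):
    """Return (tbs TLV bytes, signature algorithm OID octets, signature bytes)."""
    tag, pos, _ = read_tlv(der, 0)  # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, pos)              # tbsCertificate
    _, alg_start, alg_end = read_tlv(der, tbs_end)  # AlgorithmIdentifier
    _, oid_start, oid_end = read_tlv(der, alg_start)
    _, sig_start, sig_end = read_tlv(der, alg_end)  # BIT STRING
    # The CA signs a hash of the complete tbsCertificate TLV, nothing else;
    # sig_start + 1 skips the BIT STRING's unused-bits octet.
    return der[pos:tbs_end], der[oid_start:oid_end], der[sig_start + 1:sig_end]

def audit_pair(der_a, der_b):
    """Flag the conditions the announcement describes for two certificates."""
    tbs_a, oid_a, sig_a = split_certificate(der_a)
    tbs_b, oid_b, sig_b = split_certificate(der_b)
    return {
        "md5_signed": MD5_RSA_OID_DER in (oid_a, oid_b),
        "shared_signature": sig_a == sig_b and tbs_a != tbs_b,
        "tbs_md5_equal": hashlib.md5(tbs_a).digest() == hashlib.md5(tbs_b).digest(),
    }

def tlv(tag, body):
    """DER encoder for the constructed samples only (lengths below 256)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

# Constructed stand-ins, not real certificates and not a real MD5 collision.
ALG = tlv(0x30, tlv(0x06, MD5_RSA_OID_DER) + tlv(0x05, b""))
SIG = tlv(0x03, b"\x00" + b"\xab" * 128)
CERT_A = tlv(0x30, tlv(0x30, tlv(0x0C, b"CN=constructed-a")) + ALG + SIG)
CERT_B = tlv(0x30, tlv(0x30, tlv(0x0C, b"CN=constructed-b")) + ALG + SIG)
```

On the constructed pair `tbs_md5_equal` is false, so at most one of the two could verify; for a genuinely colliding pair it would be true, and the single CA signature would verify for both certificates.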

The Cryptography Mailing List