MD5 collision in X509 certificates

Ben Laurie ben at
Wed Mar 2 07:35:50 EST 2005

Cute. I expect we'll see more of this kind of thing.

Executive summary: calculate chaining values (called IV in the paper) of 
first part of the CERT, find a colliding block for those chaining 
values, generate an RSA key that has the collision as the first part of 
its public key, profit.

BTW, reading this made me notice that Dan Kaminsky's attacks are wrong 
in detail, if not in essence. Because the output of the MD5 block 
function depends on the chaining values from previous blocks, it is not 
the case that you can prepend arbitrary material to your colliding 
block, as he claims. However, you can (according to the paper above) 
generate collisions with any IV, so if you know what the prepended 
material is, then Kaminsky's attack will still work.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
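The chaining-value point above (a colliding block is only a collision relative to the chaining value in effect where it is hashed, but once the two paths reach the same chaining value, any shared suffix keeps them equal) can be shown on a toy Merkle-Damgård hash. The following is an added illustration, not code from the post or from the paper it discusses: it uses a made-up 32-bit compression function (a truncated SHA-256 of state and block) so that a colliding block pair can be found by a birthday search in well under a second, and the 8-byte `known_prefix` is a constructed stand-in for the fixed leading part of a certificate. Nothing here produces an MD5 collision; it only demonstrates why the structure of the hash, not just its output size, decides whether a found collision carries over into a longer document.

```python
"""Toy Merkle-Damgard hash: why a collision is tied to its chaining value.

Added example (not from the original post). The compression function is a
deliberately tiny 32-bit construction so collisions are cheap to find; it is
not MD5 and says nothing about MD5's own weaknesses.
"""
import hashlib
import struct

BLOCK = 8            # toy block size in bytes
STATE = 4            # toy chaining value: 32 bits, collisions findable by brute force
IV0 = b"\x00" * STATE  # fixed starting chaining value, as every MD-style hash has


def compress(cv: bytes, block: bytes) -> bytes:
    """Toy compression function: next chaining value from (cv, block)."""
    assert len(cv) == STATE and len(block) == BLOCK
    return hashlib.sha256(cv + block).digest()[:STATE]


def pad(msg: bytes) -> bytes:
    """MD-strengthening style padding: 0x80, zeros, 2-byte big-endian length."""
    padded = msg + b"\x80"
    while (len(padded) + 2) % BLOCK:
        padded += b"\x00"
    return padded + struct.pack(">H", len(msg))


def chaining_value(prefix: bytes) -> bytes:
    """Chaining value after absorbing a block-aligned prefix (no padding)."""
    assert len(prefix) % BLOCK == 0
    cv = IV0
    for i in range(0, len(prefix), BLOCK):
        cv = compress(cv, prefix[i:i + BLOCK])
    return cv


def toy_hash(msg: bytes) -> bytes:
    """Full toy hash: pad, then chain compress() over every block."""
    data = pad(msg)
    cv = IV0
    for i in range(0, len(data), BLOCK):
        cv = compress(cv, data[i:i + BLOCK])
    return cv


def find_colliding_blocks(cv: bytes):
    """Birthday search: two distinct blocks with equal compress(cv, .) output.

    Roughly 2**16 trials are expected for a 32-bit state. The pair found is
    specific to `cv`; under a different chaining value it is just two blocks.
    """
    seen = {}
    counter = 0
    while True:
        block = struct.pack(">Q", counter)
        out = compress(cv, block)
        if out in seen:
            return seen[out], block
        seen[out] = block
        counter += 1


def demo():
    """Returns (collision survives any suffix, collision breaks under other prefix)."""
    # Constructed stand-in for the fixed leading part of a certificate.
    known_prefix = b"cert-hdr"
    cv = chaining_value(known_prefix)
    b1, b2 = find_colliding_blocks(cv)

    # Both paths reach the same chaining value after the colliding block, so
    # every following block (here an arbitrary suffix plus padding) agrees.
    suffix = b"anything-hashed-afterwards"
    survives_suffix = (toy_hash(known_prefix + b1 + suffix)
                       == toy_hash(known_prefix + b2 + suffix))

    # Prepend something else instead: the chaining value differs, and the
    # pair found for `cv` no longer collides (except with probability 2**-32).
    other_prefix = b"other!!!"
    breaks_under_other_prefix = (toy_hash(other_prefix + b1)
                                 != toy_hash(other_prefix + b2))
    return survives_suffix, breaks_under_other_prefix


if __name__ == "__main__":
    print(demo())
```

The two booleans returned by `demo()` are the two halves of the post's argument: a collision found for the chaining value after the known prefix extends through any suffix, while the same block pair is worthless after a prefix it was not computed for. A defender drawing the lesson for certificate issuance takes from this that any issuer-controlled content placed before the subject-supplied fields changes the chaining value the attacker must target, and that the collision-resistance of the whole hash, not the length of its output, is what the signature relies on.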

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at
