MD5 collision in X509 certificates

Ben Laurie ben at algroup.co.uk
Wed Mar 2 07:35:50 EST 2005


Cute. I expect we'll see more of this kind of thing.

http://eprint.iacr.org/2005/067

Executive summary: calculate chaining values (called IV in the paper) of 
first part of the CERT, find a colliding block for those chaining 
values, generate an RSA key that has the collision as the first part of 
its public key, profit.

BTW, reading this made me notice that Dan Kaminsky's attacks are wrong 
in detail, if not in essence. Because the output of the MD5 block 
function depends on the chaining values from previous blocks, it is not 
the case that you can prepend arbitrary material to your colliding 
block, as he claims. However, you can (according to the paper above) 
generate collisions with any IV, so if you know what the prepended 
material is, then Kaminsky's attack will still work.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
