MD5 collision in X509 certificates

Bill Frantz frantz at pwpconsult.com
Mon Mar 7 00:06:02 EST 2005


On 3/5/05, lynn at garlic.com (Anne & Lynn Wheeler) wrote:
>The implication is that if i can substitute a public key in some 
>certificate that attests to represent some other party .... then it may 
>be some form of identity theft (fraudulent messages can be created that 
>otherwise appear to have originated from you ... and validate with the 
>substituted public key). The other might be elevation of privileges .... 
>adding characteristics to a certificate that were otherwise not provided.

The real concern, and there is no evidence that it is easy, is that if a certificate is signed using an MD5 hash, and another certificate, with a different (RSA) public key, can be substituted, maintaining the signature, then it will be probable that the new public key will be the product of many primes, and (relatively) easy to factor.  If this were possible, it would lead to identity theft.

While this scenario is not, as far as I know, easy, it seems to me that it is time to abandon MD5 in signatures.  The issues with SHA1 are worrisome, but not yet, IMHO, fatal.  However, it would be prudent to plan on moving beyond SHA1 in the near future.

All IMHO.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when  | Periwinkle 
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
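The substitution Bill describes above, worked through as an added example (this code is not part of the original post or the thread). It uses the publicly known MD5-colliding message pair of Wang, Feng, Lai and Yu as constructed input, a toy textbook-RSA CA key built from two Mersenne primes (an assumption, chosen only so the arithmetic is self-contained and offline; it is not a usable key), and a hypothetical certificate body layout in which the collision block stands in for the public-key field and everything after it is identical in both certificates. The point it shows is that a signature over an MD5 digest of one body validates unchanged on the other body, and that appending any common tail to the colliding blocks preserves the collision, which is what lets the rest of a certificate be identical. The same signature does not transfer when the CA hashes with SHA-256.

```python
import hashlib

# Constructed sample input: the two 128-byte MD5-colliding messages published
# by Wang, Feng, Lai and Yu (2004). They differ in six bytes yet hash to the
# same MD5 value, 79054025255fb1a26e4bc422aef54eb4.
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Toy CA key: textbook RSA over two Mersenne primes. Assumption: this exists
# only to keep the arithmetic self-contained; a modulus built from published
# primes is trivially factorable and must never be used for a real key.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def digest_int(data: bytes, hashname: str) -> int:
    """Hash data with the named algorithm and return the digest as an integer."""
    return int.from_bytes(hashlib.new(hashname, data).digest(), "big")


def ca_sign(tbs: bytes, hashname: str) -> int:
    """CA signs the to-be-signed certificate body: RSA over the digest alone.
    Real PKCS#1 v1.5 wraps the digest in a DigestInfo structure, but that
    padding is still a function of the digest only, so the transfer property
    demonstrated here is unchanged by it."""
    return pow(digest_int(tbs, hashname), D, N)


def verify(tbs: bytes, sig: int, hashname: str) -> bool:
    """Relying party: recompute the digest of the body it was handed and
    compare it with the digest recovered from the signature."""
    return pow(sig, E, N) == digest_int(tbs, hashname)


def make_tbs(key_field: bytes, tail: bytes) -> bytes:
    """Hypothetical certificate body: a collision block standing in for the
    public-key field, followed by a tail (names, validity, ...) that is the
    same in both certificates. M1 and M2 are whole 64-byte blocks that leave
    MD5 in the same internal state, so any common tail keeps the collision:
    md5(M1 + tail) == md5(M2 + tail)."""
    return key_field + tail


def signature_transfers(hashname: str, tail: bytes = b"") -> bool:
    """Sign the 'honest' body built from M1 and report whether that same
    signature validates on the substituted body built from M2."""
    sig = ca_sign(make_tbs(M1, tail), hashname)
    return verify(make_tbs(M2, tail), sig, hashname)


if __name__ == "__main__":
    tail = b"/CN=honest.example/O=Constructed Example/"  # constructed tail
    print("md5(M1) == md5(M2):", digest_int(M1, "md5") == digest_int(M2, "md5"))
    print("MD5 signature transfers to substituted body:", signature_transfers("md5", tail))
    print("SHA-256 signature transfers:", signature_transfers("sha256", tail))
```

The tail can be anything, so a relying party that checks only the signature has no way to tell the two bodies apart; the check it would need is a refusal to accept MD5-based signature algorithms at all, which is the policy conclusion Bill draws.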
