PlayStation 3 predicts next US president
William Allen Simpson
william.allen.simpson at gmail.com
Sun Dec 2 18:08:31 EST 2007
Weger, B.M.M. de wrote:
> See http://www.win.tue.nl/hashclash/TargetCollidingCertificates/
>...
> Our first chosen-prefix collision attack has complexity of about
> 2^50, as described in our EuroCrypt 2007 paper. This has been
> considerably improved since then. In the full paper that is in
> preparation we'll give details of those improvements.
>
Much more interesting. Looks like the death knell of X.509. Why
didn't you say so earlier?
(It's a long known design flaw in X.509 that it doesn't provide
integrity for all its internal fields.)
Where are MD2, MD4, SHA1, and others on this continuum?
And based on the comments in the page above, the prefix is quite large!
Optimally, shouldn't it be <= the internal chaining variables? 512 bits
for MDx. So, the attacks need two values for comparison: the complexity
versus the length of the chosen prefix.
Let me know when you get the chosen prefix down to 64-bits, so I can say
"I told you so" to Bellovin again. I was strongly against adding the
"random" IV field to IPsec....
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list