ietf-smime

Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

2008-12-30 18:55:12

--On Tuesday, December 30, 2008 06:28:07 PM -0500 Santosh Chokhani <SChokhani(_at_)cygnacom(_dot_)com> wrote:

> Since the attack is computing pre-image, I suspect that past MD5
> certificates are safe until the attack was devised.

The attack does _not_ involve computing a preimage; it involves computing a colliding pair one of which has a prefix which is predictable but not controllable, followed by a controllable component consisting of some minimum number of bits followed by at least three aligned message blocks. What makes existing certificates safe is that there are no known preimage attacks against MD5, coupled with limitations of the technique used to construct the colliding pair.

However, there is a limit to how "safe" existing certificates are, because the attack does not require anything that was not known 3-4 years ago. The only change is that with the latest techniques for computing collisions, it is possible to do so in a short enough time to be able to predict the validity and serial number that will be used by the issuer with fairly high probability.

-- Jeff
