ietf-smime

RE: [saag] Further MD5 breaks: Creating a rogue CA certificate

2008-12-31 14:31:17

Just to be precise, past MD5 certificates should be safe as long as there
are no second-preimage attacks.  I have no idea* whether there are any
computational shortcuts to finding a second preimage (where both the hashed
data and its digest value are known) relative to finding a preimage (where
only the digest value is known), but in principle second-preimage attacks
might be feasible sooner.

Dave

* for example, http://www.springerlink.com/content/yut517362112765h/
indicates that 1 in 2^56 messages may be "weak" against a specified attack
on MD4.  What is needed is an attack on MD5 where many or all messages are
"weak".


-----Original Message-----
From: owner-ietf-pkix(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-pkix(_at_)mail(_dot_)imc(_dot_)org]
On Behalf Of Jeffrey Hutzelman
Sent: Tuesday, December 30, 2008 6:46 PM
To: Santosh Chokhani; Peter Hesse; RL 'Bob' Morgan; Paul Hoffman
Cc: ietf-pkix(_at_)imc(_dot_)org; ietf-smime(_at_)imc(_dot_)org; 
cfrg(_at_)irtf(_dot_)org; saag(_at_)ietf(_dot_)org;
jhutz(_at_)cmu(_dot_)edu
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate


--On Tuesday, December 30, 2008 06:28:07 PM -0500 Santosh Chokhani 
<SChokhani(_at_)cygnacom(_dot_)com> wrote:

Since the attack is computing pre-image, I suspect that past MD5
certificates are safe until the attack was devised.

The attack does _not_ involve computing a preimage; it involves computing a
colliding pair one of which has a prefix which is predictable but not
controllable, followed by a controllable component consisting of some
minimum number of bits followed by at least three aligned message blocks.
What makes existing certificates safe is that there are no known preimage
attacks against MD5, coupled with limitations of the technique used to
construct the colliding pair.

However, there is a limit to how "safe" existing certificates are, because
the attack does not require anything that was not known 3-4 years ago.  The
only change is that with the latest techniques for computing collisions, it
is possible to do so in a short enough time to be able to predict the
validity and serial number that will be used by the issuer with fairly high
probability.

-- Jeff
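A defender's follow-up to the exchange above, added here and not part of the mailing-list discussion: since the thread agrees that MD5-signed certificates are only safe for as long as no preimage or second-preimage attack appears, the practical step is to inventory them. The Python below walks just enough DER to read a certificate's outer signatureAlgorithm OID and flags MD5-based signatures; the certificates it runs on are constructed DER skeletons with a placeholder tbsCertificate (not real certificates), while the md5WithRSAEncryption and sha256WithRSAEncryption OIDs are the real ones.

```python
# Added example (not from the thread): flag certificates whose outer
# signatureAlgorithm is MD5-based. Sample certs are constructed skeletons.
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                "1.3.14.3.2.3": "md5WithRSA"}

def der(tag, content):
    """Minimal DER TLV encoder (short- and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """OID of Certificate.signatureAlgorithm (2nd element of outer SEQUENCE)."""
    tag, body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = read_tlv(body, 0)           # tbsCertificate, skipped
    _, alg_id, _ = read_tlv(body, pos)      # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "algorithm must be an OBJECT IDENTIFIER"
    return decode_oid(oid)

def is_md5_signed(cert_der):
    return signature_oid(cert_der) in MD5_SIG_OIDS

def fake_cert(oid_contents):
    """Constructed skeleton: SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }."""
    tbs = der(0x30, b"\x02\x01\x01" * 50)   # >127 bytes, exercises long-form lengths
    alg = der(0x30, der(0x06, oid_contents) + b"\x05\x00")
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xaa" * 16))

MD5_CERT = fake_cert(bytes.fromhex("2a864886f70d010104"))     # md5WithRSAEncryption
SHA256_CERT = fake_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
```

On real input, feed `signature_oid` the DER bytes of each certificate in a trust store or CA issuance log; any hit in `MD5_SIG_OIDS` is a certificate to reissue under a stronger hash.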
