[Top] [All Lists]

Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

2009-01-04 18:42:43

--On Sunday, January 04, 2009 10:23:58 PM +0200 Yoav Nir <ynir(_at_)checkpoint(_dot_)com> wrote:

On Jan 4, 2009, at 9:11 PM, Paul Hoffman wrote:

At 9:02 AM +0200 1/4/09, Yoav Nir wrote:
Best we can do is to get the CAs to

(1) not issue MD5 certs anymore and
(2) randomize the serial number and/or
(3) and a random fluff extension that people are talking about

Just to repeat it one more time: #3 does not prevent the published

It does if the random fluff is inserted by the CA. The attack depends on
their ability to predict the entire TBS part.

No, it does not. It depends on their ability to predict that portion of the TBS part which occurs prior to the computed collision blocks, which in the real certificate occur in the subject public key modulus. The portion of the TBS part which occurs after the collision blocks does not need to be predictable; they just need to be able to copy it as-is, which is done by copying the collision blocks, the rest of the original subject public key modulus, and all of the original certificate's extensions into a netscape comment extension in the forged certificate.

And if Microsoft don't, nobody else will. The Firefox/Opera/Safari/
Chrome people don't want any sites that "only work with Explorer".

At least with respect to Firefox, I think that statement is false.

They've done quite a bit to render broken sites that were made for IE.
Also, I've updated today and all the "bad" CAs with MD5 signatures are
still in the TAS.

Again, there is nothing "bad" about CA certifiates with MD5 signatures. The signature on a root certificate is not used for anything, and in practice is not an accurate predictor of what algorithms that CA uses to sign certificates.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+(_at_)cmu(_dot_)edu>
  Carnegie Mellon University - Pittsburgh, PA

<Prev in Thread] Current Thread [Next in Thread>