On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams <n...@cryptonector.com> wrote:
> On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer <f...@deneb.enyo.de> wrote:
>> * Marsh Ray:
>>
>>> Marc Stevens and B.M.M. de Weger (of
>>> http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the
>>> collision in the evil CN=MS cert. I'm sure they'll have a full report
>>> at some point. Until then, they have said this:
>>
>>>> [We] have confirmed that flame uses a yet unknown md5 chosen-prefix
>>>> collision attack.
>>
>> Does this mean they've seen the original certificate in addition to
>> the evil twin?
>
> The evil twin has the nasty bits[*] in the issuerUniqueID field, which
> is weird, and the ID is not one likely to be generated by any CA.
> Would the original have it?? I don't see why the TS CA would have
> issued certs with issuerUniqueIDs under any circumstances, which is
> why it's interesting that the evil twin had any evil bits.

Surely the whole point is that the collision is used to switch
<something> to issuerUniqueID in order to hide the stuff that would've
stopped the cert from working. I haven't looked, but I'm prepared to
bet it would not be hard to figure out what the original cert must
have looked like. Has anyone got the evil cert as a binary? I could
probably reconstruct it from the bazillion dumps out there, but I
can't be bothered.

>
> [*] Marsh calls these bits a "tumor". I don't think there's a good
> analogy in biology, but for my money the analogy that comes closest is
> "prion" (misfolded proteins, which in the most well-known case beget
> more protein misfolding, which is why prions are not a perfect analog
> for these evil bits).
>
> Nico
> --
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
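
Added example, not part of the thread or of any poster's code: a defender-side triage check for the two traits discussed above, an MD5-based signature algorithm and a populated issuerUniqueID field in the TBSCertificate. The field layout follows RFC 5280; the function names and the skeleton certificates built by `sample_cert` are constructed for illustration and are not real or validly signed certificates.

```python
# Added example: structural triage of an X.509 certificate (DER), stdlib only.
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # OID 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def triage(der):
    """Return findings for an MD5 signature and a populated issuerUniqueID."""
    tbs = children(children(read_tlv(der, 0)[1])[0][1])
    i = 1 if tbs[0][0] == 0xA0 else 0              # optional [0] version
    sig_oid = children(tbs[i + 1][1])[0][1]        # OID inside AlgorithmIdentifier
    findings = []
    if sig_oid == MD5_RSA:
        findings.append("md5WithRSAEncryption signature")
    for tag, val in tbs[i + 6:]:                   # optional fields after SPKI
        if tag in (0x81, 0xA1):                    # context tag [1]: issuerUniqueID
            findings.append(f"issuerUniqueID present ({len(val)} content octets)")
    return findings

# --- constructed sample input (skeleton certs, not real or validly signed) ---
def tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_cert(sig_oid, unique_id=None):
    alg, empty = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b"")), tlv(0x30, b"")
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + empty * 4
    if unique_id is not None:
        tbs += tlv(0x81, b"\x00" + unique_id)      # BIT STRING, 0 unused bits
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" * 17))

if __name__ == "__main__":
    print(triage(sample_cert(MD5_RSA, b"\xAA" * 300)))
    print(triage(sample_cert(SHA256_RSA)))
```
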