2012/6/11 Ben Laurie <[email protected]>
> On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams <[email protected]> wrote:
> > On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer <[email protected]> wrote:
> >> * Marsh Ray:
> >>
> >>> Marc Stevens and B.M.M. de Weger (of
> >>> http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the
> >>> collision in the evil CN=MS cert. I'm sure they'll have a full report
> >>> at some point. Until then, they have said this:
> >>
> >>>> [We] have confirmed that flame uses a yet unknown md5 chosen-prefix
> >>>> collision attack.
> >>
> >> Does this mean they've seen the original certificate in addition to
> >> the evil twin?
> >
> > The evil twin has the nasty bits[*] in the issuerUniqueID field, which
> > is weird, and the ID is not one likely to be generated by any CA.
> > Would the original have it?? I don't see why the TS CA would have
> > issued certs with issuerUniqueIDs under any circumstances, which is
> > why it's interesting that the evil twin had any evil bits.
>
> Surely the whole point is that the collision is used to switch
> <something> to issuerUniqueID in order to hide the stuff that would've
> stopped the cert from working. I haven't looked, but I'm prepared to
> bet it would not be hard to figure out what the original cert must
> have looked like.
>
> Has anyone got the evil cert as a binary? I could probably reconstruct
> it from the bazillion dumps out there, but I can't be bothered.

Based on dumps found "here and there", the issuerUniqueID is filled with extensions, and one of them is a Microsoft proprietary one (1.3.6.1.4.1.311.18.xxx) set critical. This extension by itself prevents the certificate from being used on post-Vista machines. The others are CRLDP, EKU, and maybe other things. This is obviously the result of the chosen-prefix attack (just like the one demonstrated with the MD5 Rogue CA).

The resulting evil certificate has no extensions at all. The paper by Marc Stevens (http://www.cwi.nl/system/files/PhD-Thesis-Marc-Stevens-Attacks-on-Hash-Functions-and-Applications.pdf) presents a detection method for a chosen-prefix attack using only one message of the pair.

-- 
Erwann.
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
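The layout Erwann describes, a certificate whose extensions have been parked inside the issuerUniqueID BIT STRING so that the visible certificate has none, can be checked for mechanically. The following is an added example for this thread, not code from the list, from the hashclash project or from Stevens' thesis: it builds a constructed TBSCertificate (placeholder names, dates, key bits and serial) whose `[1] IMPLICIT issuerUniqueID` carries a DER `Extensions` sequence, then parses the field back and reports the OIDs and critical flags found there. The Microsoft OID keeps only the 1.3.6.1.4.1.311.18 arc named in the post; its last component is a placeholder, and none of the bytes are the Flame certificate. The heuristic is that a genuine unique identifier essentially never decodes as a well-formed `SEQUENCE OF Extension` that spans the field exactly. It does not implement the single-message collision detection from the thesis, which works on the MD5 compression function rather than on the certificate syntax.

```python
"""Flag an issuerUniqueID that is really a hidden X.509 Extensions block.

Added example, not code from the thread or from Stevens' thesis. Every
certificate field below is a constructed placeholder; the MS OID keeps the
1.3.6.1.4.1.311.18 arc from the post with a placeholder last component.
"""


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                      # base-128, high bit = continuation
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += chunk
    return tlv(0x06, bytes(body))


def decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0   # fine for arcs 0, 1, 2.x<40
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def parse_tlv(data, pos=0):
    """Return (tag, content, end) for the TLV at pos; ValueError if truncated."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:pos + length], pos + length


def parse_sequence(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        items.append((tag, body))
    return items


def extension(oid, critical, value):
    body = encode_oid(oid) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, body + tlv(0x04, value))


def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (commonName)
    return tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, cn.encode()))))


def build_sample_tbs(hide_extensions=True):
    """Constructed v2 TBSCertificate; the unique ID either hides Extensions or is opaque."""
    if hide_extensions:
        bits = tlv(0x30,
                   extension("1.3.6.1.4.1.311.18.1", True, tlv(0x02, b"\x00"))  # placeholder arc
                   + extension("2.5.29.37", False, tlv(0x30, encode_oid("1.3.6.1.5.5.7.3.1")))  # EKU
                   + extension("2.5.29.31", False, tlv(0x30, b"")))  # CRLDP, empty placeholder
    else:
        bits = b"\x12\x34\x56\x78"                        # an ordinary opaque identifier
    spki = tlv(0x30, tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + bytes(8)))           # placeholder key bits
    tbs = (tlv(0xA0, tlv(0x02, b"\x01"))                  # [0] version v2 (needed for unique IDs)
           + tlv(0x02, b"\x42")                           # serialNumber
           + tlv(0x30, encode_oid("1.2.840.113549.1.1.4") + tlv(0x05, b""))  # md5WithRSAEncryption
           + name("Constructed Issuer CA")
           + tlv(0x30, tlv(0x17, b"100101000000Z") + tlv(0x17, b"110101000000Z"))
           + name("Constructed Subject") + spki
           + tlv(0x81, b"\x00" + bits))                   # [1] IMPLICIT BIT STRING, 0 unused bits
    return tlv(0x30, tbs)


def issuer_unique_id(tbs_der):
    tag, content, _ = parse_tlv(tbs_der)
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    return next((body for t, body in parse_sequence(content) if t == 0x81), None)


def hidden_extensions(tbs_der):
    """[(oid, critical), ...] if the issuerUniqueID decodes exactly as Extensions, else []."""
    bits = issuer_unique_id(tbs_der)
    if not bits or bits[0] != 0 or len(bits) < 3:        # need 0 unused bits plus a TLV
        return []
    payload = bits[1:]
    try:
        tag, content, end = parse_tlv(payload)
        if tag != 0x30 or end != len(payload):            # must be one SEQUENCE spanning the field
            return []
        found = []
        for t, ext in parse_sequence(content):
            fields = parse_sequence(ext) if t == 0x30 else []
            if not fields or fields[0][0] != 0x06:       # each Extension starts with its OID
                return []
            critical = len(fields) > 1 and fields[1][0] == 0x01 and fields[1][1] == b"\xff"
            found.append((decode_oid(fields[0][1]), critical))
        return found
    except (IndexError, ValueError):                      # not DER at all: an ordinary ID
        return []


if __name__ == "__main__":
    for suspicious in (True, False):
        print("hidden extensions:", hidden_extensions(build_sample_tbs(suspicious)))
```

Run it on a real DER-encoded certificate by slicing out the TBSCertificate (the first element of the outer SEQUENCE) and passing it to `hidden_extensions`; any non-empty result, and in particular a critical OID under a vendor arc, is worth a closer look, since no CA has a reason to issue unique identifiers that happen to parse as extensions.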
