RE: HSM outage causes root CA key loss

2009-07-15 Thread Weger, B.M.M. de
Hi, >>Our current Server CA certificate will expire in 2026 (when hopefully it >>won't be my problem!). > >Thus the universal CA root cert lifetime policy, "the lifetime of a CA root >certificate is the time till retirement of the person in charge at its >creation, plus five years" :-). This negl

RE: HSM outage causes root CA key loss

2009-07-14 Thread Weger, B.M.M. de
Hi, > reports that the PKI for their electronic health card has > just run into > trouble: they were storing the root CA key in an HSM, which > failed. They now have a PKI with no CA key for signing new > certs or revoking existing ones. Suppose this happens in a production environment of som

RE: Property Rights in Keys

2009-02-13 Thread Weger, B.M.M. de
Hi all, > Say I have discovered a marvelous method of easily factoring > RSA keys, which unfortunately the margin of this emacs buffer > is too small to contain, and I then go out, factor GeoTrust's > CA key and issue a new certificate. > > Questions: > > Am I now infringing on GeoTrust's IP

RE: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-17 Thread Weger, B.M.M. de
Hi Peter, > I have a general outline of a timeline for adoption of new > crypto mechanisms > (e.g. OAEP, PSS, that sort of thing, and not specifically > algorithms) in my > Crypto Gardening Guide and Planting Tips, > http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt, > see "Question J

RE: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-11 Thread Weger, B.M.M. de
Hi Victor, > Bottom line, anyone fielding a SHA-2 cert today is not going > to be happy with their costly pile of bits. Will this situation have changed by the end of 2010 (that's next year, by the way), when everybody who takes NIST seriously will have to switch to SHA-2? The first weakness sh

Short announcement: MD5 considered harmful today - Creating a rogue CA certificate

2008-12-30 Thread Weger, B.M.M. de
Hi all, Today, 30 December 2008, at the 25th Annual Chaos Communication Congress in Berlin, we announced that we are currently in possession of a rogue Certification Authority certificate. This certificate will be accepted as valid and trusted by all common browsers, because it appears to be si

RSA modulus record

2008-09-16 Thread Weger, B.M.M. de
Hi, There's a new biggest known RSA modulus. It is (in hexadecimal notation): FF...(total of 9289166 F's)...FFDFF...(total of 1488985 F's)...FF800...(total of 9289165 0's)...001 It is guaranteed to be the product of two different large primes, and it has more than 80 million bits. Impressive se
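The "record" modulus can be rebuilt and, more to the point, factored from nothing but its bit pattern. The block below is an added example, not from the post; it assumes (the post does not name them) that the two primes are the Mersenne primes 2^43112609 - 1 and 2^37156667 - 1, the two largest primes known in September 2008, whose product has exactly the hex run structure the post quotes. Building the product with shifts avoids a 40-million-bit multiplication, and the factors are read back with a handful of bit operations, which is the security lesson: an 80-million-bit modulus whose factors are public and visible in its digits is no modulus at all.

```python
"""Reconstruct the 80-million-bit 'RSA modulus record' and read its factors off its bits.

Added example, not from the post. Assumption: the two primes are the Mersenne
primes 2^43112609 - 1 and 2^37156667 - 1 (the post names neither).
"""
from itertools import groupby

A = 43112609
B = 37156667

# The hex digit runs quoted in the post, most significant first: (digit, count).
POSTED_PATTERN = [("F", 9289166), ("D", 1), ("F", 1488985), ("8", 1), ("0", 9289165), ("1", 1)]


def mersenne_product(a: int, b: int) -> int:
    """(2^a - 1)(2^b - 1) = 2^(a+b) - 2^a - 2^b + 1, built with shifts so that
    no 40-million-bit multiplication is needed."""
    return (1 << (a + b)) - (1 << a) - (1 << b) + 1


def hex_runs(n: int) -> list[tuple[str, int]]:
    """Run-length encode the uppercase hex digits of n, most significant first."""
    return [(d, len(list(g))) for d, g in groupby(format(n, "X"))]


def factor_mersenne_product(n: int) -> tuple[int, int]:
    """Recover (a, b), a > b, with n = (2^a - 1)(2^b - 1), using bit operations only.

    n - 1 = 2^(a+b) - 2^a - 2^b, whose lowest set bit is 2^b.  Adding 2^b back
    leaves 2^a (2^b - 1), whose lowest set bit is 2^a.  No trial division, no
    factoring algorithm: the structure hands over the primes."""
    m = n - 1
    b = (m & -m).bit_length() - 1
    m += 1 << b
    a = (m & -m).bit_length() - 1
    if a <= b or m != (1 << (a + b)) - (1 << a):
        raise ValueError("n is not of the form (2^a - 1)(2^b - 1) with a > b")
    return a, b


if __name__ == "__main__":
    n = mersenne_product(A, B)
    print("bits:", n.bit_length())                                 # 80269276
    print("matches the posted hex shape:", hex_runs(n) == POSTED_PATTERN)
    print("factors recovered:", factor_mersenne_product(n) == (A, B))
```

`factor_mersenne_product` works for any product of two distinct Mersenne numbers, not just this one, and the hex check is what ties the assumed primes to the post: the run lengths 9289166, 1488985 and 9289165 fall out of 43112609 = 4*10778152 + 1 and 37156667 = 4*9289166 + 3.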

RE: PlayStation 3 predicts next US president

2007-12-02 Thread Weger, B.M.M. de
Hi William, > > ... We say so on > > the website. We did show this hiding of collisions for other data > > formats, such as X.509 certificates > > More interesting. Where on your web site? I've long abhorred the > X.509 format, and was a supporter of a more clean alternative. See http://www.w

RE: PlayStation 3 predicts next US president

2007-12-02 Thread Weger, B.M.M. de
Hi William, > > The attack was to generate a multitude of predictions for the US > > election, each of which has the same MD5 hash. If the certifier > > certifies any one of these predictions, the recipient can use the > > certificate for any one of these predictions. > > > That's a mighty b

PlayStation 3 predicts next US president

2007-11-30 Thread Weger, B.M.M. de
Hi all, We (Marc Stevens, Arjen Lenstra and me) have used a Sony PlayStation 3 to correctly predict the outcome of the 2008 US presidential elections. See http://www.win.tue.nl/hashclash/Nostradamus if you want to know the details of what this has to do with cryptography. We also announce two di

RE: [Cfrg] Applications of target collisions: Pre or post-dating MD5-based RFC 3161 time-stamp tokens

2006-10-26 Thread Weger, B.M.M. de
Hi Steven, > So how close are we getting to first or second preimage attacks? As far as we know, not one bit closer. Best known attack on MD5 preimage resistance still is brute force. You may interpret our result as enlarging the applicability of collision attacks. In that sense the gap to pr

target collisions and colliding certificates with different identities

2006-10-23 Thread Weger, B.M.M. de
Hi all, We announce: - an example of a target collision for MD5; this means: for two chosen messages m1 and m2 we have constructed appendages b1 and b2 to make the messages collide under MD5, i.e. MD5(m1||b1) = MD5(m2||b2); said differently: we can cause an MD5 collision for any pair

SHA1 coll

2006-04-01 Thread Weger, B.M.M. de
Hi All, The following two byte-strings (differing in a few bits only): 59 6F 75 20 61 72 65 20 41 70 72 69 6C 20 46 6F 6F 6C 20 6E 6F 2E 20 30 30 36 39 30 30 32 35 31 33 31 00 and 59 6F 75 20 61 72 65 20 41 70 72 69 6C 20 46 6F 6F 6C 20 6E 6F 2E 20 31 37 38 36 37 33 32 39 32 31 39 00 both have SHA

MD5 collisions in one minute

2006-03-17 Thread Weger, B.M.M. de
Hi all, You might be interested in knowing that my MSc student Marc Stevens has found a considerable speedup of MD5 collision generation. His improvements of Wang's method enables one to make MD5 collisions typically in one minute on a PC; sometimes it takes a few minutes, and sometimes only a f

RE: Nonrepudiation - in some sense

2006-02-11 Thread Weger, B.M.M. de
Hi all, > > server, and re-encrypting the information. Moreover, it > > maintains the non-repudiation of transactions since the > > encrypted communication is between client and application with > > no proxy acting as middleman. > > Firstly, even if you believe that _any_ crypto p

RE: Smooth prime MD5 collisions

2005-10-21 Thread Weger, B.M.M. de
Hi Ben, Looks like this is essentially the same as, or at least very similar to, what Arjen Lenstra and I did in Section 4 of the full version of our paper "On the possibility of constructing meaningful hash collisions for public keys", see http://www.win.tue.nl/~bdeweger/CollidingCertificates/dd

RE: Collisions for hash functions: how to explain them to your boss

2005-06-13 Thread Weger, B.M.M. de
Hi Eric, Technically speaking you're correct, they're signing a program. But most people, certainly non-techies like Alice's boss, view postscript (or MS Word, or ) files not as programs but as static data. In being targeted at non-techies I find this attack more convincing than those of Mikle a

Anti-colliding certificates

2005-05-21 Thread Weger, B.M.M. de
Hi All, It's nice to see that my message on anti-colliding certificates finally got through. To fully appreciate its contents you should set back your internal clock to the date the message was originally sent. Grtz, Benne de Weger -

new result: "anti-colliding" x.509 certificate

2005-05-20 Thread Weger, B.M.M. de
Hi all, Today I announce the construction of a valid X.509 certificate, based on the MD5 hash function, that allows two different digital signatures on the (identical) "to-be-signed" part. This is based on a new technique of constructing MD5-anti-collisions. For details, see http://www.win.tue.nl

RE: Colliding X.509 Certificates

2005-03-15 Thread Weger, B.M.M. de
Hi Joerg, > My concern is not MD5, its SHA-1. I don't see that we can get rid of > SHA-1 in certificates in the next 5 years: > * None of the alternatives is widely implemented today. > * For controlled environments like in-house applications you might be > able to switch earlier (0-2 years). >

RE: Colliding X.509 Certificates

2005-03-13 Thread Weger, B.M.M. de
[EMAIL PROTECTED] > Sent: vrijdag 11 maart 2005 11:52 > To: Olle Mulmo > Cc: Weger, B.M.M. de; cryptography@metzdowd.com > Subject: Re: Colliding X.509 Certificates > > Olle Mulmo wrote: > > Seems to me that a CA can nullify this attack by choosing a serial > number or

Colliding X.509 Certificates

2005-03-03 Thread Weger, B.M.M. de
Hi all, We announce the construction of two different valid X.509 certificates that have identical signatures. This is based on MD5 collisions. One could e.g. construct the to-be-signed parts of the certificates, and get the one certificate signed by a CA. Then a valid signature for the other ce

RE: public-key: the wrong model for email?

2004-09-16 Thread Weger, B.M.M. de
Hi Ed, What about ID-based crypto: the public key can be any string, such as your e-mail address. So the sender can encrypt even before the recipient has a key pair. The private key is derived from the public key by a trusted party when the recipient asks for it. Yes, the recipient does have some