Our current Server CA certificate will expire in 2026 (when hopefully it
won't be my problem!).
Thus the universal CA root cert lifetime policy: the lifetime of a CA root
certificate is the time till retirement of the person in charge at its
creation, plus five years :-).
This neglects the
reports that the PKI for their electronic health card has
just run into
trouble: they were storing the root CA key in an HSM, which
failed. They now have a PKI with no CA key for signing new
certs or revoking existing ones.
Suppose this happens in a production environment of some CA
Say I have discovered a marvelous method of easily factoring
RSA keys, which unfortunately the margin of this emacs buffer
is too small to contain, and I then go out, factor GeoTrust's
CA key and issue a new certificate.
Am I now infringing on GeoTrust's IP rights?
Bottom line, anyone fielding a SHA-2 cert today is not going
to be happy with their costly pile of bits.
Will this situation have changed by the end of 2010 (that's
next year, by the way), when everybody who takes NIST seriously
will have to switch to SHA-2? The first weakness
Today, 30 December 2008, at the 25th Annual Chaos Communication Congress in
we announced that we are currently in possession of a rogue Certification
Authority certificate. This certificate will be accepted as valid and trusted by
all common browsers, because it appears to be
There's a new biggest known RSA modulus.
It is (in hexadecimal notation):
FF...(total of 9289166 F's)...FFDFF...(total of 1488985
F's)...FF800...(total of 9289165 0's)...001
It is guaranteed to be the product of two different large primes,
and it has more than 80 million bits. Impressive
... We say so on
the website. We did show this hiding of collisions for other data
formats, such as X.509 certificates
More interesting. Where on your web site? I've long abhorred the
X.509 format, and was a supporter of a more clean alternative.
So how close are we getting to first or second preimage attacks?
As far as we know, not one bit closer.
Best known attack on MD5 preimage resistance still is brute force.
You may interpret our result as enlarging the applicability of
collision attacks. In that sense the gap to
The following two byte-strings (differing in a few bits only):
59 6F 75 20 61 72 65 20 41 70 72 69 6C 20 46 6F 6F 6C 20 6E 6F 2E 20 30
30 36 39 30 30 32 35 31 33 31 00
59 6F 75 20 61 72 65 20 41 70 72 69 6C 20 46 6F 6F 6C 20 6E 6F 2E 20 31
37 38 36 37 33 32 39 32 31 39 00
You might be interested in knowing that my MSc student
Marc Stevens has found a considerable speedup of MD5
collision generation. His improvements of Wang's method
enable one to make MD5 collisions typically in one
minute on a PC; sometimes it takes a few minutes, and
sometimes only a
server, and re-encrypting the information. Moreover, it
maintains the non-repudiation of transactions since the
encrypted communication is between client and application with
no proxy acting as middleman.
Firstly, even if you believe that _any_ crypto provides
Technically speaking you're correct, they're signing a program.
But most people, certainly non-techies like Alice's boss,
view postscript (or MS Word, or name your favourite document
format that allows macros) files not as programs but as static
data. In being targeted at non-techies I
It's nice to see that my message on anti-colliding certificates finally
To fully appreciate its contents you should set back your internal clock
to the date the message was originally sent.
Benne de Weger
My concern is not MD5, it's SHA-1. I don't see that we can get rid of
SHA-1 in certificates in the next 5 years:
* None of the alternatives is widely implemented today.
* For controlled environments like in-house applications you might be
able to switch earlier (0-2 years).
To: Olle Mulmo
Cc: Weger, B.M.M. de; firstname.lastname@example.org
Subject: Re: Colliding X.509 Certificates
Olle Mulmo wrote:
Seems to me that a CA can nullify this attack by choosing a serial
number or RDN component (after all, a CA should vet the DN and not
simply sign what's in the PKCS#10
We announce the construction of two different valid X.509 certificates
that have identical signatures. This is based on MD5 collisions.
One could e.g. construct the to-be-signed parts of the certificates,
and get the one certificate signed by a CA. Then a valid signature for
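As an added illustration of the colliding-certificate attack announced above and of Olle Mulmo's suggested countermeasure (an unpredictable serial number chosen by the CA), here is a toy Python model. It is not code from any of the posters or from the authors of the real attack. It replaces MD5 with a 24-bit truncation of MD5 so that a collision can be found by a plain birthday search in well under a second; with full MD5 the attacker needs a Wang/Stevens-style collision construction, but the shape of the attack and of the defence is the same. Every name in it (ToyCA, tbs, weak_digest, the subject strings) is invented for the example, the to-be-signed encoding is not DER, and the "signature" is just the digest standing in for an RSA signature over it.

```python
"""Toy model: colliding to-be-signed certificate bodies under a weak hash,
and how a CA-chosen random serial number defeats the attack.

Added example, not from the original thread. weak_digest() is a 24-bit
truncation of MD5 so a collision is cheap to find; everything else is a
hypothetical simplification of X.509 (no DER, digest stands in for signature).
"""
import hashlib
import os
import struct

DIGEST_BYTES = 3  # 24-bit toy digest: birthday search needs ~2^12 trials


def weak_digest(data: bytes) -> bytes:
    """Stand-in for a collision-prone hash: first 3 bytes of MD5."""
    return hashlib.md5(data).digest()[:DIGEST_BYTES]


def tbs(serial: int, subject: bytes, pubkey: bytes) -> bytes:
    """Toy to-be-signed body: serial || subject || public-key field (not DER)."""
    return struct.pack(">Q", serial) + b"|" + subject + b"|" + pubkey


def find_colliding_requests(serial: int, subject_a: bytes, subject_b: bytes,
                            max_trials: int = 1 << 20):
    """Attacker who can predict the CA's serial searches for two public-key
    fields key_a, key_b such that tbs(serial, subject_a, key_a) and
    tbs(serial, subject_b, key_b) share a digest (two-list birthday search).
    Returns (key_a, key_b)."""
    seen_a, seen_b = {}, {}
    for i in range(max_trials):
        key_a = b"A" + i.to_bytes(4, "big")  # candidate "public key" bytes
        key_b = b"B" + i.to_bytes(4, "big")
        d_a = weak_digest(tbs(serial, subject_a, key_a))
        d_b = weak_digest(tbs(serial, subject_b, key_b))
        if d_a == d_b:
            return key_a, key_b
        if d_a in seen_b:
            return key_a, seen_b[d_a]
        if d_b in seen_a:
            return seen_a[d_b], key_b
        seen_a[d_a] = key_a
        seen_b[d_b] = key_b
    raise RuntimeError("no collision within trial budget")


class ToyCA:
    """Hypothetical CA. With random_serials=False it issues sequential serials
    that an attacker can predict from the previous certificate; with
    random_serials=True it injects 64 bits of entropy the requester never sees."""

    def __init__(self, random_serials: bool):
        self.random_serials = random_serials
        self.next_serial = 1000

    def choose_serial(self) -> int:
        if self.random_serials:
            return int.from_bytes(os.urandom(8), "big")
        serial = self.next_serial
        self.next_serial += 1
        return serial

    def sign(self, subject: bytes, pubkey: bytes):
        """Returns (serial actually used, signed body, 'signature')."""
        serial = self.choose_serial()
        body = tbs(serial, subject, pubkey)
        return serial, body, weak_digest(body)


def run_attack(ca: ToyCA) -> bool:
    """Attacker guesses the next serial, precomputes colliding key fields,
    gets the harmless subject signed, then transplants the signature onto a
    body naming the victim. Returns True if the forged body verifies."""
    predicted = ca.next_serial  # the attacker's guess from the last issued cert
    harmless, victim = b"CN=attacker.example", b"CN=victim.example"
    key_a, key_b = find_colliding_requests(predicted, harmless, victim)
    serial, _body, sig = ca.sign(harmless, key_a)
    forged = tbs(serial, victim, key_b)  # reuses whatever serial the CA really chose
    return weak_digest(forged) == sig


if __name__ == "__main__":
    print("sequential serials, forgery verifies:", run_attack(ToyCA(False)))
    print("random serials,     forgery verifies:", run_attack(ToyCA(True)))
```

The search only works because the attacker fixed every byte of the body before submitting the request; once the CA inserts a value the requester cannot predict, the precomputed pair is worthless and the attacker would have to collide against a body he has not seen yet. This is exactly the unpredictable-serial (or CA-chosen RDN component) defence, and it is the reason the CA/Browser Forum Baseline Requirements later came to require at least 64 bits of CSPRNG output in every serial number.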
What about ID-based crypto: the public key can be any string, such as
your e-mail address. So the sender can encrypt even before the
recipient has a key pair. The private key is derived from the
public key by a trusted party when the recipient asks for it.
Yes, the recipient does have some