RE: public-key: the wrong model for email?

2004-09-16 Thread Weger, B.M.M. de
Hi Ed, What about ID-based crypto: the public key can be any string, such as your e-mail address. So the sender can encrypt even before the recipient has a key pair. The private key is derived from the public key by a trusted party when the recipient asks for it. Yes, the recipient does have some

Colliding X.509 Certificates

2005-03-03 Thread Weger, B.M.M. de
Hi all, We announce the construction of two different valid X.509 certificates that have identical signatures. This is based on MD5 collisions. One could e.g. construct the to-be-signed parts of the certificates, and get the one certificate signed by a CA. Then a valid signature for the other

RE: Colliding X.509 Certificates

2005-03-13 Thread Weger, B.M.M. de
To: Olle Mulmo Cc: Weger, B.M.M. de; cryptography@metzdowd.com Subject: Re: Colliding X.509 Certificates Olle Mulmo wrote: Seems to me that a CA can nullify this attack by choosing a serial number or RDN component (after all, a CA should vet the DN and not simply sign what's in the PKCS#10

RE: Colliding X.509 Certificates

2005-03-15 Thread Weger, B.M.M. de
Hi Joerg, My concern is not MD5, its SHA-1. I don't see that we can get rid of SHA-1 in certificates in the next 5 years: * None of the alternatives is widely implemented today. * For controlled environments like in-house applications you might be able to switch earlier (0-2 years). * In

Anti-colliding certificates

2005-05-21 Thread Weger, B.M.M. de
Hi All, It's nice to see that my message on anti-colliding certificates finally got through. To fully appreciate its contents you should set back your internal clock to the date the message was originally sent. Grtz, Benne de Weger

RE: Collisions for hash functions: how to exlain them to your boss

2005-06-13 Thread Weger, B.M.M. de
Hi Eric, Technically speaking you're correct, they're signing a program. But most people, certainly non-techies like Alice's boss, view postscript (or MS Word, or name your favourite document format that allows macros) files not as programs but as static data. In being targeted at non-techies I

RE: Nonrepudiation - in some sense

2006-02-11 Thread Weger, B.M.M. de
Hi all, server, and re-encrypting the information. Moreover, it maintains the non-repudiation of transactions since the encrypted communication is between client and application with no proxy acting as middleman. Firstly, even if you believe that _any_ crypto provides

MD5 collisions in one minute

2006-03-17 Thread Weger, B.M.M. de
Hi all, You might be interested in knowing that my MSc student Marc Stevens has found a considerable speedup of MD5 collision generation. His improvements of Wang's method enables one to make MD5 collisions typically in one minute on a PC; sometimes it takes a few minutes, and sometimes only a

SHA1 coll

2006-04-01 Thread Weger, B.M.M. de
Hi All, The following two byte-strings (differing in a few bits only): 59 6F 75 20 61 72 65 20 41 70 72 69 6C 20 46 6F 6F 6C 20 6E 6F 2E 20 30 30 36 39 30 30 32 35 31 33 31 00 and 59 6F 75 20 61 72 65 20 41 70 72 69 6C 20 46 6F 6F 6C 20 6E 6F 2E 20 31 37 38 36 37 33 32 39 32 31 39 00 both have

RE: [Cfrg] Applications of target collisions: Pre or post-dating MD5-based RFC 3161 time-stamp tokens

2006-10-26 Thread Weger, B.M.M. de
Hi Steven, So how close are we getting to first or second preimage attacks? As far as we know, not one bit closer. Best known attack on MD5 preimage resistance still is brute force. You may interpret our result as enlarging the applicability of collision attacks. In that sense the gap to

RE: PlayStation 3 predicts next US president

2007-12-02 Thread Weger, B.M.M. de
Hi William, ... We say so on the website. We did show this hiding of collisions for other data formats, such as X.509 certificates More interesting. Where on your web site? I've long abhorred the X.509 format, and was a supporter of a more clean alternative. See

RSA modulus record

2008-09-16 Thread Weger, B.M.M. de
Hi, There's a new biggest known RSA modulus. It is (in hexadecimal notation): FF...(total of 9289166 F's)...FFDFF...(total of 1488985 F's)...FF800...(total of 9289165 0's)...001 It is guaranteed to be the product of two different large primes, and it has more than 80 million bits. Impressive

Short announcement: MD5 considered harmful today - Creating a rogue CA certificate

2008-12-30 Thread Weger, B.M.M. de
Hi all, Today, 30 December 2008, at the 25th Annual Chaos Communication Congress in Berlin, we announced that we are currently in possession of a rogue Certification Authority certificate. This certificate will be accepted as valid and trusted by all common browsers, because it appears to be

RE: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-11 Thread Weger, B.M.M. de
Hi Victor, Bottom line, anyone fielding a SHA-2 cert today is not going to be happy with their costly pile of bits. Will this situation have changed by the end of 2010 (that's next year, by the way), when everybody who takes NIST seriously will have to switch to SHA-2? The first weakness

RE: Property RIghts in Keys

2009-02-13 Thread Weger, B.M.M. de
Hi all, Say I have discovered a marvelous method of easily factoring RSA keys, which unfortunately the margin of this emacs buffer is too small to contain, and I then go out, factor GeoTrust's CA key and issue a new certificate. Questions: Am I now infringing on GeoTrust's IP rights?

RE: HSM outage causes root CA key loss

2009-07-14 Thread Weger, B.M.M. de
Hi, reports that the PKI for their electronic health card has just run into trouble: they were storing the root CA key in an HSM, which failed. They now have a PKI with no CA key for signing new certs or revoking existing ones. Suppose this happens in a production environment of some CA

RE: HSM outage causes root CA key loss

2009-07-15 Thread Weger, B.M.M. de
Hi, Our current Server CA certificate will expire in 2026 (when hopefully it won't be my problem!). Thus the universal CA root cert lifetime policy, the lifetime of a CA root certificate is the time till retirement of the person in charge at its creation, plus five years :-). This neglects the