A pair of certificates with the same signature

| Comments (2) | TrackBacks (12) |
Eu-Jin Goh pointed me to this paper by Lenstra, Wang, and de Weger, entitled "Colliding X.509 Certificates". Lenstra et al start with an MD5 collision and the first half of a certificate and generate a pair of RSA public keys that produce the same digest value. This produces a pair of certificates with the same signature. This isn't that surprising a result, since it's implicit in the fact that MD5 has collisions, but it's nicely written up and clearly explained.

From a security perspective, this isn't really so bad, for two reasons:

  1. The attacker doesn't actually control all of the first half of the certificate, so mounting the attack on a real CA is harder.
  2. The only thing that's different between these certificates is the public key. So, if we ignore point (1), an attacker would be able to get a certificate with a public key different from that he gave the CA. This isn't inherently that interesting, but an extension to have other differences besides the public key (e.g., the name) would be quite interesting, although you probably wouldn't be able to really control the name you got.
So, don't panic. The analysis I posted here is still pretty accurate.

You can find the colliding certificates and some more details here.

12 TrackBacks

Listed below are links to blogs that reference this entry: A pair of certificates with the same signature.

TrackBack URL for this entry: http://www.educatedguesswork.org/cgi-bin/mt/mt-tb.cgi/162

Viagra pill| from Viagra no prescription best prices on October 22, 2005 5:02 PM

Granny mature porno foto Real amature free mpeg Alternative viagra ad Levitra now online levitra canada Read More

Free erotic gay cartoon from Mother and son free sex vidio on November 5, 2005 6:45 AM

Mom and son gallery video Hot sexy mature women videos Girls fucking horse freemovies Animal sex dog blonde free video Read More

A pair of certificates... Read More

Animal pornogallery from Video clips of indian movie artists on December 10, 2005 12:33 PM

Free picturesporninsest Sexy hindi video clips download Zip porn pictures Bbs sex teen ru Read More

poker 878 Read More

pillaged?scaly sensation compressive.substations,buy viagra http://www.ridgeviewelem.org/buy-viagra.html Read More

Sample sex mpgs 100% free sex video downloads Sex clips fucking Sex teen free trailers Read More

Movie downloads lanka Lesbian free sex downloadable windows Insest art porn Download r kelly sex v... Read More

Fat man young teen from Russian sex rape free on December 31, 2005 6:20 PM

Hot hardcore sex clips Free lesbian prison porn Teen animal Horse blowjobbeastgirls Read More

Buy Phentermine Overnight Delivery from Buy Phentermine Overnight Delivery on January 27, 2006 12:29 PM

offers you overnight delivery anywhere in the US Read More

poker casino83 from poker casino83 on February 9, 2006 10:11 PM

poker casino poker 378 Read More

2 Comments

As to your second point, that would be very interesting. Start the MD5 spoofing after the subject public key, but before the SubjectAltName. It would be difficult/impossible to get both a usable new subject name *and* proper ASN.1 structure, however.

The paper mentions that the Wang et al technique for finding MD5 collisions will be published at Eurocrypt this year. Presumably that will be enough information to let us create desktop MD5-collision software, if the authors don't publish their own implementation. Then people can play games with trying to get some kind of semi-reasonable name collisions. Of course I don't imagine Verisign will give you a cert any more that uses an MD5 hash, so you can't create a useful cert collision. These authors made their own "CA" key to issue the certs.

Leave a comment