help-gnutls
[Help-gnutls] Re: target collisions and colliding certificates with diff


From: Simon Josefsson
Subject: [Help-gnutls] Re: target collisions and colliding certificates with different identities
Date: Tue, 24 Oct 2006 08:34:46 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)

All,

You may have seen the post below about colliding X.509 certificates
with different identities.

GnuTLS since 1.2.9 is not vulnerable to this problem, since we have
disabled the use of RSA-MD5 for verifying X.509 signatures.

Below is how to test this for yourself.

/Simon

address@hidden:~$ wget -q http://www.win.tue.nl/~bdeweger/CollidingCertificates/MD5CollisionCA.cer http://www.win.tue.nl/hashclash/TargetCollidingCertificates/TargetCollidingCertificate1.cer http://www.win.tue.nl/hashclash/TargetCollidingCertificates/TargetCollidingCertificate2.cer
address@hidden:~$ certtool --inder -i < MD5CollisionCA.cer > ca.pem
Warning: certificate uses a broken signature algorithm that can be forged.
address@hidden:~$ certtool --inder -i < TargetCollidingCertificate1.cer > client1.pem
Warning: certificate uses a broken signature algorithm that can be forged.
address@hidden:~$ certtool --inder -i < TargetCollidingCertificate2.cer > client2.pem
Warning: certificate uses a broken signature algorithm that can be forged.
address@hidden:~$ cat client1.pem ca.pem > chain1.pem
address@hidden:~$ cat client2.pem ca.pem > chain2.pem
address@hidden:~$ certtool -e < chain1.pem
Certificate[0]: CN=Arjen K. Lenstra,O=Collisionairs,L=Eindhoven,C=NL
        Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
        Verifying against certificate[1].
        Verification output: Not verified, Insecure algorithm.

Certificate[1]: CN=Hash Collision CA,L=Eindhoven,C=NL
        Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
        Verification output: Verified.

address@hidden:~$ certtool -e < chain2.pem
Certificate[0]: CN=Marc Stevens,O=Collision Factory,L=Eindhoven,C=NL
        Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
        Verifying against certificate[1].
        Verification output: Not verified, Insecure algorithm.

Certificate[1]: CN=Hash Collision CA,L=Eindhoven,C=NL
        Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
        Verification output: Verified.

address@hidden:~$

"Weger, B.M.M. de" <address@hidden> writes:

> Hi all,
>
> We announce:
> - an example of a target collision for MD5; this means: 
>   for two chosen messages m1 and m2 we have constructed 
>   appendages b1 and b2 to make the messages collide 
>   under MD5, i.e. MD5(m1||b1) = MD5(m2||b2);
>   said differently: we can cause an MD5 collision for 
>   any pair of distinct IHVs;
> - an example of a pair of valid, unsuspicious X.509 
>   certificates with distinct Distinguished Name fields, 
>   but identical CA signatures; this example makes use 
>   of the target collision.
>
> See http://www.win.tue.nl/hashclash/TargetCollidingCertificates/,
> where the certificates and a more detailed announcement 
> can be found.
>
> Marc Stevens
> Arjen Lenstra
> Benne de Weger
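
The "Insecure algorithm" verdict in the certtool output above depends on which signature algorithm each certificate declares. The following is an added example, not part of the original post and not GnuTLS code, showing one way to read that field from a DER certificate and flag RSA-MD5; the deny-list, the function names and the skeleton certificates (constructed, not real certificates) are assumptions of the example.

```python
# Added example (not GnuTLS code): read the outer signatureAlgorithm OID of a
# DER X.509 certificate and flag signature hashes with known collision attacks.
MD2_RSA = bytes.fromhex("2a864886f70d010102")     # 1.2.840.113549.1.1.2
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

# Assumption: deny-list chosen for this example, keyed by DER OID content octets.
INSECURE_SIG_OIDS = {MD2_RSA: "md2WithRSAEncryption", MD5_RSA: "md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, start)            # skip over tbsCertificate
    tag, alg_start, _ = read_tlv(cert_der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected signatureAlgorithm encoding")
    return bytes(cert_der[oid_start:oid_end])

def insecure_signature(cert_der):
    """Return the deny-listed algorithm name, or None if the OID is not listed."""
    return INSECURE_SIG_OIDS.get(signature_algorithm_oid(cert_der))

def skeleton_cert(oid_body):
    """Constructed sample: certificate-shaped DER with an empty tbsCertificate."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    alg = tlv(0x30, tlv(0x06, oid_body) + b"\x05\x00")       # OID followed by NULL params
    return tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for label, oid in (("rsa-md5", MD5_RSA), ("rsa-sha256", SHA256_RSA)):
        print(label, insecure_signature(skeleton_cert(oid)) or "not on deny-list")
```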



