Nmap Development mailing list archives

Re: On the topic of SSL and MD5 (was Re: [NSE])


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 12 Jan 2009 23:27:19 +0000


On Tue, 13 Jan 2009 00:13:33 +0100
Daniel Roethlisberger <daniel () roe ch> wrote:

...snip...

> While I agree with most of your conclusions, your use of the
> specific crypto terms below is incorrect:

...snip...

> What you actually meant are ``chosen-prefix collisions''.  In a
> collision attack, the attacker will always generate two
> to-be-signed parts with identical hash value (but not a
> predetermined hash value).  Very important difference.


You're right, and I should have prefaced the whole thing with IANAC.  I
forgot that a second-preimage is a collision attack where the first
message is fixed.  Choosing a prefix and finding a collision is just as
you described, a "chosen-prefix collision".

You are also correct in that a true second-preimage attack would skip
over all the issues.  When I said first-preimage would skip over all
the current issues, I was thinking of finding a *different* cert with
the same hash -- which is, as you pointed out, really just a
second-preimage attack and a first-preimage attack doesn't apply to SSL
in this context.

> However, also consider that we need to phase out most/all
> legitimate MD5-signed certificates before we can configure our
> browsers to not trust a certificate if the chain includes
> MD5-signed intermediate certs or it is itself MD5-signed.

Good point.  I mentioned this in my reply to MadHat.  Admins need to do
their part to eliminate legitimately MD5-signed SSL certs before we can
start finding the ones illegitimately signed.

Brandon

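The chain check the thread describes (refuse a chain if the leaf or any intermediate is MD5-signed), as an added example that is not part of this message or of Nmap/NSE: it uses only the Python standard library, the DER reader and the constructed "fake certificate" shape are assumptions made for the example, and the two OIDs are the standard md5WithRSAEncryption and sha256WithRSAEncryption identifiers.

```python
"""Flag MD5-signed links in a DER-encoded X.509 chain.  Added example for this
thread, not Nmap/NSE code; standard library only.  A minimal DER reader pulls
each Certificate's outer signatureAlgorithm OID, and any link (leaf or
intermediate) signed with MD5 is reported."""
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OBJECT IDENTIFIER content bytes -> dotted text (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of one DER Certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE: PEM input must be base64-decoded first")
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate: skipped
    _, sig_alg, _ = _read_tlv(cert, pos)   # signatureAlgorithm SEQUENCE
    _, oid, _ = _read_tlv(sig_alg, 0)      # AlgorithmIdentifier.algorithm (OID)
    return _decode_oid(oid)

def md5_signed_links(chain_der):
    """Indices of chain members signed with MD5 (leaf is index 0)."""
    return [i for i, cert in enumerate(chain_der)
            if signature_algorithm_oid(cert) in MD5_SIGNATURE_OIDS]

def _der(tag, content):                    # short-form encoder for the sample only
    return bytes([tag, len(content)]) + content

def fake_certificate(sig_oid_bytes):
    """CONSTRUCTED stand-in with a Certificate's outer shape, not a real cert."""
    tbs = _der(0x30, _der(0x02, b"\x02"))  # tbsCertificate placeholder (version)
    sig_alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 17))

MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

On a real chain, feed `md5_signed_links` the DER bytes of each certificate in order (leaf first); any index it returns is a link that the stricter browser policy would reject.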

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
