PaulDotCom mailing list archives

x509 certs and SHA1 collisions.


From: danny at dannysplace.net (Danny Carroll)
Date: Wed, 18 Feb 2009 12:56:44 +1000

Hello all,

Someone asked me why the sky is not falling since SHA1 is not so robust
anymore.

I had to think about how x509 and cert signing works and here is what I
came up with.  Just thought I'd run it by here to see if I got it right.
I could be *way* off since it's been a long time since I looked into
this stuff.

What happens with x509 certs and SSL:
Certificate *request* created with a public and private key by the
server admin.

Public key used to encrypt traffic sent to the server and decrypt
traffic from the server.

Private key used to decrypt traffic from client and sign data so that
the client knows it was not tampered with along the way (authentic).
IOW, signing is encryption that is NOT Private, since the key is known
to all.

Public key sent to CA to sign.  Private key kept secret.

CA verifies details and then creates the certificate.
It adds:
   x509 constraints (can it be a CA?)
   x509 usage details (For Web, email etc?)
   x509 CRL location.
   other stuff like the cert chain.  (Browser uses this to verify there
is someone it trusts in the chain).

CA then creates a hash of the cert.
It then signs the HASH with its private key.  This signature can be
decrypted, again with the CA's public key.  Then the original
certificate can be hashed by the client to verify that it is authentic.

If you can make a hash collision, then you can basically take a valid CA
signature, and package it in a cert that you want.  So you have created
an identity for yourself.

Of course then you have the SSL part of the story where the client and
server exchange encryption information using the server's public key to
create a secure encryption channel.

I am wondering, have I got the details about the hash collision and its
consequences right?  Assuming it were possible for a collision to be
detected easily (say, in minutes, which is currently far from possible),
is there any way the SSL privacy could be compromised?  I don't see how
it could be.

-D
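The hash-then-sign flow described in the message above, as an added example that is not part of the original post or of the PaulDotCom list: a toy CA hashes a certificate body, signs the digest with a textbook RSA private key, and a client recovers the digest with the CA's public key, rehashes the certificate and compares. The digest is SHA-1 truncated to 16 bits, a deliberate toy so that two distinct certificate bodies with the same digest can be found by a short loop; the Mersenne-prime key, the certificate body strings and the `ACCEPTED_SIGNATURE_DIGESTS` allowlist are all constructed assumptions. The run shows that the CA's signature over one body verifies unchanged on the other, which is the "take a valid CA signature and package it in a cert that you want" step in the post; the policy check at the end is the verifier-side mitigation, refusing certificates whose signature digest algorithm is not on an allowlist.

```python
import hashlib

# Toy RSA CA key, constructed for illustration only. Two Mersenne primes keep
# the modulus small and certain to be valid; a real CA key is 2048+ bits.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

# Toy digest width. SHA-1 truncated to 16 bits stands in for "a hash whose
# collisions are cheap"; nothing here finds real SHA-1 collisions.
DIGEST_BITS = 16

# Verifier policy (assumption): signature digests a client is willing to accept.
ACCEPTED_SIGNATURE_DIGESTS = {"sha256", "sha384", "sha512"}


def toy_digest(data: bytes) -> int:
    """Hash of the certificate body, truncated to DIGEST_BITS."""
    return int.from_bytes(hashlib.sha1(data).digest()[: DIGEST_BITS // 8], "big")


def ca_sign(cert_body: bytes) -> int:
    """CA step from the post: hash the cert, then sign the HASH with the private key."""
    return pow(toy_digest(cert_body), D, N)


def client_verify(cert_body: bytes, signature: int) -> bool:
    """Client step: 'decrypt' the signature with the CA public key, rehash, compare."""
    return pow(signature, E, N) == toy_digest(cert_body)


def policy_allows(digest_name: str) -> bool:
    """Mitigation: refuse certificates signed over a digest not on the allowlist."""
    return digest_name.lower() in ACCEPTED_SIGNATURE_DIGESTS


def find_colliding_bodies(limit: int = 200_000):
    """Return two distinct constructed cert bodies with the same toy digest.

    With a 16-bit digest the pigeonhole principle guarantees a repeat within
    65537 bodies, so the loop is bounded and deterministic.
    """
    seen = {}
    for serial in range(limit):
        body = f"CN=example.test, serial={serial}".encode()
        h = toy_digest(body)
        if h in seen and seen[h] != body:
            return seen[h], body
        seen[h] = body
    return None


def demo() -> dict:
    """Sign one body, then check whether the other body passes with the same signature."""
    honest, other = find_colliding_bodies()
    sig = ca_sign(honest)              # CA only ever signed `honest`
    return {
        "distinct_bodies": honest != other,
        "honest_verifies": client_verify(honest, sig),
        "other_verifies": client_verify(other, sig),   # same digest, same signature
        "tampered_rejected": not client_verify(honest, sig + 1),
        "sha1_allowed_by_policy": policy_allows("sha1"),
        "sha256_allowed_by_policy": policy_allows("sha256"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the signature binds only the digest, whatever hashes to the same value carries the same CA signature; that is why the verifier's defence is a policy on the digest algorithm (`policy_allows`), not anything about the RSA step itself.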

