Alun
Mon Mar 21 10:31:09 CST 2005
...and this would only work if you could sign certificates as a trusted CA -
most users don't go around installing random CAs as Trusted, they stay with
the ones listed in the Windows installation, so even there, you'd have to
subvert a CA, or persuade the user to install a new CA certificate. CA
certificates should be locked up tighter than a drum, so subverting them
should be next to impossible.
Alun.
~~~~
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.
"William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
news:Ou8K1yLLFHA.1176@TK2MSFTNGP15.phx.gbl...
> Agreed. It would seem easier to spoof the DNS and create your own MITM
> cert
> verifier service. Hand out your own certs and redirect any trust chain
> requests to your own service. Naturally, this could only work with
> clients
> within your own LAN.
>
> --
> William Stacey, MVP
>
http://mvp.support.microsoft.com
>
> "Alun Jones [MSFT]" <alunj@online.microsoft.com> wrote in message
> news:#e1YDgKLFHA.2648@TK2MSFTNGP14.phx.gbl...
>> Note, too, that this is about creating two certificates with identical
>> information and signatures, but with different keys.
>>
>> You can already create two certificates with identical information, but
>> different signatures and keys - you just have to get a CA to sign them.
>> That is not a problem - that there may be two certificates that say
>> "www.example.com" indicates only that one or two people created a
>> certificate request and convinced a CA to grant the certificate.
>> Ideally,
>> of course, the public CAs are going to grant certificates only to those
>> people that can prove that they represent the www.example.com web site.
>>
>> Creating two certificates by the method outlined in the linked paper
>> requires that the two certificates be created as part of a single
> process -
>> rather like creating entwined particles in quanum physics, one alone will
> do
>> you no good, you have to have a pair (or, presumably, a triplet, etc).
> You
>> cannot take an existing certificate and create one that matches it, with
>> a
>> different key (which is what you would have to do to exploit this flaw).
>>
>> If I were to come up with a flaw that exploits this work, I would create
>> a
>> pair of colliding certificates while at a trusted position within the
>> example.com company, submit them for signing and keep one secret. I
>> would
>> then depart the example.com company and use my second certificate on a
> faked
>> website that I then injected somehow between my victims and the real
>> www.example.com website.
>>
>> But wait... I can already do that. I can already create two
>> certificates,
>> get them signed, and keep one secret for my own later use - as long as
>> the
>> CA will let me. I don't need colliding hashes to do that.
>>
>> So, really, where is the attack possibility from this?
>>
>> All that the work on SHA-1 to date has done is to follow the predictable
>> course of a hash function. Any hash function has a limited life-span,
>> and
>> mathematical discoveries such as these are part of what limits that
>> lifespan. If hash functions expired solely due to Moore's law, we'd
> simply
>> add another bit to the hash function every eighteen months, and still use
>> the same function.
>>
>> The really scary prospect with any of these hash functions is that
>> someone
>> will come up with a startling observation, or a new branch of mathematics
>> that turns the number of operations required to break them from 2^N
>> (where
> N
>> is a relatively big number - two or three digits) to just a few hundred -
> or
>> a few thousand. If that ever happens (and you can't predict whether it
> will
>> or not), things get very scary indeed. But even then, you have to create
> a
>> collision that is believable and matches the "hidden hash function" of
> "this
>> document has this structure". The more structure that is in the document
>> you sign, the harder it is to find a collision of the explicit hash and
> the
>> hidden hash (unless the hidden hash and the explicit hash accidentally
>> interfere to weaken each other - a structure, for example, that has a
> large
>> amount of space that you can fill with random data).
>>
>> Alun.
>> ~~~~
>> --
>> Software Design Engineer, Internet Information Server (FTP)
>> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>>
>> "Paul Adare" <padare@newsguy.com> wrote in message
>> news:MPG.1ca5b50361930c12989c21@msnews.microsoft.com...
>> > In article <eH14jEGLFHA.3340@TK2MSFTNGP14.phx.gbl>, in the
>> > microsoft.public.security news group, Matt Gibson
>> > <mattg@blueedgetech.ca> says...
>> >
>> >> Yes there ARE a pair of different certs with identical hashes.
>> >>
>> >
>> > "this does not constitute a realistic
>> > vulnerability, as far as we know."
>> >
>> > As I said, FUD.
>> >
>> > --
>> > Paul Adare
>> > "On two occasions, I have been asked [by members of Parliament],
>> > 'Pray, Mr. Babbage, if you put into the machine wrong figures,
>> > will the right answers come out?' I am not able to rightly apprehend
>> > the kind of confusion of ideas that could provoke such a question."
>> > -- Charles Babbage (1791-1871)
>>
>>
>