Target Collisions for MD5 and Colliding X.509 Certificates for Different Identities
نویسندگان
چکیده
We have shown how, at a cost of about 2 calls to the MD5 compression function, for any two target messages m1 and m2, values b1 and b2 can be constructed such that the concatenated values m1‖b1 and m2‖b2 collide under MD5. Although the practical attack potential of this construction of target collisions is limited, it is of greater concern than random collisions for MD5. In this note we sketch our construction. To illustrate its practicality, we present two MD5 based X.509 certificates with identical signatures but different public keys and different Distinguished Name fields, whereas our previous construction of colliding X.509 certificates required identical name fields. We speculate on other possibilities for abusing target collisions.
منابع مشابه
Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities
We present a novel, automated way to find differential paths for MD5. As an application we have shown how, at an approximate expected cost of 2 calls to the MD5 compression function, for any two chosen message prefixes P and P ′, suffixes S and S′ can be constructed such that the concatenated values P‖S and P ′‖S′ collide under MD5. Although the practical attack potential of this construction o...
متن کاملLecture Notes in Computer Science 4515
We present a novel, automated way to find differential paths for MD5. As an application we have shown how, at an approximate expected cost of 2 calls to the MD5 compression function, for any two chosen message prefixes P and P ′, suffixes S and S′ can be constructed such that the concatenated values P‖S and P ′‖S′ collide under MD5. Although the practical attack potential of this construction o...
متن کاملColliding X.509 Certificates
With this construction we show that MD5 collisions can be crafted easily in such a way that the principles underlying the trust in Public Key Infrastructure are violated. In particular we find it worrying that from one certificate alone it cannot be determined whether another, different certificate may exist with the same signature. For the second certificate the issuing Certification Authority...
متن کاملChosen-prefix collisions for MD5 and applications
We present a novel, automated way to find differential paths for MD5. As an application we have shown how, at an approximate expected cost of 2 calls to the MD5 compression function, for any two chosen message prefixes P and P ′, suffixes S and S′ can be constructed such that the concatenated values P‖S and P ′‖S′ collide under MD5. The practical attack potential of this construction of chosen-...
متن کاملOn the possibility of constructing meaningful hash collisions for public keys full version, with an appendix on colliding X.509 certificates
It is sometimes argued (as in [6]) that finding meaningful hash collisions might prove difficult. We show that at least one of the arguments involved is wrong, by showing that for several common public key systems it is easy to construct pairs of meaningful and secure public key data that either collide or share other characteristics with the hash collisions as quickly constructed in [22]. We p...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2006 شماره
صفحات -
تاریخ انتشار 2006