Dan Carosone wrote:

> There is one application of hashes, however, that fits these
> limitations very closely and has me particularly worried:
> certificates. The public key data is public, and it's a "random"
> bitpattern where nobody would ever notice a few different bits.
>
> If someone finds a collision for Microsoft's windows update cert (or a
> number of other possibilities), the fan is well and truly buried
> in it.
A more likely attack along these lines would be to create two certificates which collided and had identical keys but different identification information or other attributes. If you could create a situation where a cert on "microsoft.com" collided with one on "jf8l23fzq.com", you could easily get the second one certified, and the signature on it would also validate when you substituted microsoft.com. Presto, you could successfully masquerade as Microsoft. This is a collision attack rather than a second preimage attack as you propose and so should be far easier to mount.

The attack requires being able to predict the exact form of the cert, including validity dates and serial number. The latter is chosen by the CA and depending on its policies, may be easy or hard to predict. The name "serial number" suggests a degree of sequentiality and some CAs may follow such a policy, which could allow a motivated attacker to predict the value with considerable accuracy.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
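The precondition Hal Finney points to (the attacker must know the exact signed bytes, serial number included, before the CA signs them) can be modelled with a toy CA. This is an added example, not code from the thread: the field encoding, the HMAC standing in for an RSA/ECDSA signature, the serial policies and all names and values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the DER tbsCertificate: the CA chooses serial and
# validity, the applicant supplies the subject name and public key.
def encode_tbs(serial: int, not_before: str, not_after: str,
               subject: str, pubkey: bytes) -> bytes:
    fields = [str(serial).encode(), not_before.encode(), not_after.encode(),
              subject.encode(), pubkey]
    return b"|".join(fields)

class ToyCA:
    """The CA signs only H(tbs). An HMAC over the SHA-256 digest stands in
    for a real signature so the example runs without a crypto library."""
    def __init__(self, random_serials: bool, validity=("20040901", "20050901")):
        self.key = secrets.token_bytes(32)
        self.random_serials = random_serials
        self.validity = validity
        self.next_serial = 1000   # sequential policy: 1000, 1001, 1002, ...

    def issue(self, subject: str, pubkey: bytes):
        serial = secrets.randbits(64) if self.random_serials else self.next_serial
        self.next_serial += 1
        tbs = encode_tbs(serial, *self.validity, subject, pubkey)
        return tbs, self.sign(tbs)

    def sign(self, tbs: bytes) -> bytes:
        return hmac.new(self.key, hashlib.sha256(tbs).digest(), "sha256").digest()

    def verify(self, tbs: bytes, sig: bytes) -> bool:
        # Verification only recomputes H(tbs), so any tbs' with the same digest
        # passes with the same signature: that is what the collision buys.
        return hmac.compare_digest(self.sign(tbs), sig)

def tbs_is_predictable(ca: ToyCA, subject: str, pubkey: bytes) -> bool:
    """Can the exact tbs bytes be known before the CA signs them? The guesser
    observes one issued cert, assumes the serial increments by one and the
    validity dates repeat, and compares the guess with what the CA signs."""
    probe_tbs, _ = ca.issue("probe.example", b"probe-key")   # observed cert
    observed_serial = int(probe_tbs.split(b"|")[0])
    guess = encode_tbs(observed_serial + 1, *ca.validity, subject, pubkey)
    actual_tbs, sig = ca.issue(subject, pubkey)
    assert ca.verify(actual_tbs, sig)       # the issued cert itself verifies
    return guess == actual_tbs

if __name__ == "__main__":
    print(tbs_is_predictable(ToyCA(random_serials=False), "example.com", b"key"))  # True
    print(tbs_is_predictable(ToyCA(random_serials=True), "example.com", b"key"))   # False
```

With sequential serials the guess matches the signed bytes exactly, which is the situation the reply warns about; a CA that draws serials at random denies the attacker that knowledge even if a hash collision is available.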