With random serial numbers an adversary does not even need to guess the serial number.

Consider the following attack: the adversary finds a certificate with a weak hash algorithm. He adds his host to the SAN field, then tries to find a positive serial number of up to 20 octets that results in the same hash of the tbsCertificate. Since the serial number octets are random, one cannot find out whether this is a modified certificate or not. Indeed, in this case higher entropy simplifies this attack.

Best regards
Lijun

On Fri, 5 Apr 2019, 17:24 Alex Gaynor <agay...@mozilla.com> wrote:

> Hi Lijun,
>
> Entropy is required in serial numbers to protect against weak hash
> functions -- historically, exploitation of MD5's weakness was possible
> because CAs used sequential serial numbers, thus allowing an attacker to
> pre-compute hash prefixes, because they could predict the prefix of future
> data that would be signed. The exact value of 64 comes out of a Microsoft
> Root Program requirement that was later incorporated into the BRs, as I
> recall.
>
> Cheers,
> Alex
>
> On Fri, Apr 5, 2019 at 11:20 AM Lijun Liao via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> In the last days, the issue related to the 63 bit serial number by using
>> the default configuration of EJBCA popped up in many forums.
>>
>> Could someone please explain why the BR requires the minimal entropy to be
>> 64 bit?
>>
>> Best regards
>> Lijun
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy