Re: [FoRK] X.509 certificate collision via MD5 collisions (fwd from jeff@k2.com)

2005-03-02 Thread "Hal Finney"
Eugen forwards from FoRK:
> >Colliding X.509 Certificates version 1.0
> >1st March 2005
> >Arjen Lenstra, Xiaoyun Wang, and Benne de Weger
> >
> >http://eprint.iacr.org/2005/067
> >
> >We announce a method for the construction of pairs of valid X.509
> >certificates in which the "to be signed" parts form a collision for
> >the MD5 hash function. As a result the issuer signatures in the
> >certificates will be the same when the issuer uses MD5 as its hash
> >function.

The real news of the paper was the announcement that Wang's techniques
will be revealed this May at Eurocrypt.  I'm looking forward to finding
out what the secret is!  Presumably everyone will receive MD5 collision
finding software at around that time.

The cert collision is not a surprise, people anticipated this possibility
shortly after the MD5 collisions were announced.  And notice that Xiaoyun
Wang was an author of this paper; she was of course the lead author
on the original MD5 collision paper and presumably the originator of
the technique for finding MD5 collisions.  Using her technology it is
straightforward to do this kind of thing.  But no one else could have
written this paper at this time.

The only nontrivial part (given the remarkable ability to generate MD5
collisions) was arranging that both keys were valid RSA moduli with
known factors.  They did this by generating random bignums and trying to
factor them.

And keep in mind that her methods find random-ish collisions.  They don't
find matches to existing hashes, and (as far as we know) they don't
find structured collisions as would be necessary to get two certs with
different and plausible-sounding names in them.

From what I've read (mostly http://eprint.iacr.org/2004/264), the way
these collisions are found is to start with analysis of the structure
of the hash, and decide on an XOR difference between the two inputs.
This implicitly makes certain assumptions about where and when carries
and other nonlinearities will occur in the hash calculation.  Then you
do a search for inputs which match that pattern of carries and for
which the pre-determined XOR difference yields an actual collision.
This doesn't give you much ability to control the content of the two
inputs that you create.

Hal



[FoRK] X.509 certificate collision via MD5 collisions (fwd from jeff@k2.com)

2005-03-02 Thread Eugen Leitl
- Forwarded message from Jeffrey Kay <[EMAIL PROTECTED]> -

From: Jeffrey Kay <[EMAIL PROTECTED]>
Date: Wed, 2 Mar 2005 11:02:42 -0500
To: FoRK Discussion 
Subject: [FoRK] X.509 certificate collision via MD5 collisions
X-Mailer: Apple Mail (2.619.2)

This is a pretty interesting paper -- worth reading.

>Colliding X.509 Certificates version 1.0
>1st March 2005
>Arjen Lenstra, Xiaoyun Wang, and Benne de Weger
>
>http://eprint.iacr.org/2005/067
>
>We announce a method for the construction of pairs of valid X.509 
>certificates in which the "to be signed" parts form a collision for 
>the MD5 hash function. As a result the issuer signatures in the 
>certificates will be the same when the issuer uses MD5 as its hash 
>function.

It seems that the approach was to generate two RSA moduli that could be 
swapped but still produce the same MD5, hence the same signature.  
Another interesting question is whether, given an arbitrary modulus, 
another can be generated that produces the same MD5.  It almost seems 
like the same problem to me, so I must be missing something here.  The 
attack isn't on the public key itself since the factors necessary to 
generate the private key are still computationally hard to obtain but 
rather on the content of the certificate.  The key assumption is that 
the certificate is signed by a third party signer, which supplies the 
public key for verification.

Even as posed, this is a pretty scary paper.  You could generate a 
certificate with your legitimate content in it (distinguished name, 
etc.), get that signed by a TTP and reuse that signature on another 
certificate with content in it that masqueraded as someone else.  You 
could also conceivably just recode parts of the certificate (such as 
the length of issue) and be safe.  Since you generated the pair of keys 
that causes this to happen, you could masquerade as anyone you wanted 
as long as you got your initial certificate signed.

Pretty interesting attack.  Computationally intense in some areas, but 
definitely a viable attack particularly against downloadable browser 
plug-ins.  It reminds me of when Verisign signed a fraudulent Microsoft 
certificate;  this attack makes that much more possible.  This attack 
could end the usefulness of TTPs in many circumstances.

-- jeff

jeffrey kay
weblog  pgp key  aim 
share files with me -- get shinkuro -- 

"first get your facts, then you can distort them at your leisure" -- 
mark twain
"if the person in the next lane at the stoplight rolls up the window 
and locks the door, support their view of life by snarling at them" -- 
a biker's guide to life
"if A equals success, then the formula is A equals X plus Y plus Z. X 
is work. Y is play. Z is keep your mouth shut." -- albert einstein

___
FoRK mailing list
http://xent.com/mailman/listinfo/fork

- End forwarded message -
-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net




Re: MD5 collisions?

2004-08-18 Thread R. A. Hettinga

--- begin forwarded text


Delivered-To: [EMAIL PROTECTED]
Date: Wed, 18 Aug 2004 13:11:22 +1000
To: Mads Rasmussen <[EMAIL PROTECTED]>
From: Greg Rose <[EMAIL PROTECTED]>
Subject: Re: MD5 collisions?
Cc: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

At 14:12 2004-08-17 -0300, Mads Rasmussen wrote:
>Eric Rescorla wrote:
>
>>Check out this ePrint paper, which claims to have collisions in
>>MD5, MD4, HAVAL, and full RIPEMD.
>>
>>http://eprint.iacr.org/2004/199.pdf
>>
>>The authors claim that the MD5 attack took an hour for the first
>>collision and 15 seconds to 5 minutes for subsequent attacks
>>with the same first 512 bits.
>So what's the status? The MD5 collisions have been confirmed by Eric
>Rescorla (taking the typo into consideration), the MD4 by David Shaw; what
>about Haval and RipeMD?
>
>I did a test on the RipeMD results and couldn't get the results written.
>Anybody else having the same problems?
>
>Any news on Antoine Joux and his attack on SHA-0? how did he create the
>collision previously announced on sci.crypt?

Eli Biham -- has collisions on 34 (out of 80) rounds of SHA-1, but can
extend that to probably 46. Still nowhere near a break.

Antoine Joux -- his team announced the collision on SHA-0 earlier this
week. There is concentration on the so-called "IF" function in the first 20
rounds... f(a,b,c) = (a & b) ^ (~a & c). That is, the bits of a choose
whether to pass the bits from b, or c, to the result. The technique (and
Eli's) depends on getting a "near collision" in the first block hashed,
then using more near collisions to move the different bits around, finally
using another near collision to converge after the fourth block hashed.
This took 20 days on 160 Itanium processors. It was about 2^50 hash
evaluations.

Xiaoyun Wang was almost unintelligible. But the attack works with "any
initial values", which means that they can take any prefix, and produce
collisions between two different suffixes. They can produce the first
collision for a given initial value in less than an hour, and then can
crank them out at about one every 5 minutes. It seems to be a
straightforward differential cryptanalysis attack, so one wonders why
no-one else came up with it. The attack on Haval takes about 64 tries. On
MD4, about 4 tries. RIPE-MD, about 2 hours (but can improve it).  SHA-0
about 2^40 (1000 times better than Joux).

Xuejia Lai clarified that the paper on E-print has been updated with
correct initial values. They were initially byte-reversed, which they
blamed on Bruce Schneier.

Greg.

>Regards,
>
>Mads Rasmussen
>Open Communications Security
>
>-
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Greg Rose                   INTERNET: [EMAIL PROTECTED]
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road, http://people.qualcomm.com/ggr/
Gladesville NSW 2111        232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C


--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
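Greg's description of the IF function and Hal's point that a chosen XOR difference rests on assumptions about where carries occur, worked through by brute force on 4- and 8-bit words. This is an added illustration, not code from either post; the function names and word widths are my own choices.

```python
"""Added illustration (not code from either post): the differential behaviour of
the IF function and of modular addition, checked by brute force on narrow words."""
from itertools import product


def IF(a, b, c):
    """MD5's F / the function of the first 20 SHA rounds: each bit of a selects b or c."""
    return (a & b) ^ (~a & c)


def if_diff(a, b, c, da=0, db=0, dc=0, width=4):
    """XOR difference at the output when the inputs carry XOR differences da, db, dc."""
    mask = (1 << width) - 1
    return (IF(a, b, c) ^ IF(a ^ da, b ^ db, c ^ dc)) & mask


def check_if_identities(width=4):
    """Exhaustively confirm the selector property: a difference in b survives only
    where a is 1, a difference in c only where a is 0, and a difference in a only
    where b and c already differ.  Returns True if every word of this width agrees."""
    mask = (1 << width) - 1
    for a, b, c, d in product(range(1 << width), repeat=4):
        if if_diff(a, b, c, db=d, width=width) != (d & a):
            return False
        if if_diff(a, b, c, dc=d, width=width) != (d & ~a & mask):
            return False
        if if_diff(a, b, c, da=d, width=width) != (d & (b ^ c)):
            return False
    return True


def survivors(delta, k, width=8):
    """Count the words x for which x and x^delta still differ by exactly delta after
    both are added to k modulo 2**width, i.e. the XOR difference passed through the
    addition without a carry changing it.  Whether it does depends on k as well as x,
    which is the carry assumption hidden in a chosen XOR difference."""
    mask = (1 << width) - 1
    count = 0
    for x in range(1 << width):
        if (((x + k) & mask) ^ (((x ^ delta) + k) & mask)) == delta:
            count += 1
    return count


def carry_free_fraction(delta, width=8):
    """Average of survivors() over every possible other operand k."""
    n = 1 << width
    return sum(survivors(delta, k, width) for k in range(n)) / (n * n)
```

For a single-bit difference below the top bit the addition preserves it for exactly half of all operand pairs, but for a fixed k the count swings between all and none, which is why the search must find inputs matching the assumed carry pattern.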



Re: MD5 collisions?

2004-08-18 Thread R. A. Hettinga
At 10:03 PM -0500 8/17/04, Declan McCullagh wrote:

>Sigh. RAH has descended to the level of a net.kook.
>
>Never would have guessed.

You've used exactly the same rhetorical device twice now. Are you
just lazy, or, more likely, have you just peaked too soon?

How does it feel to be someone whose best years are a decade behind him,
Declan?

You are *sooo* boring.

RAH





"Owning" Ones Own Words, Peaking Too Soon, The Cypherpunk Purity Test, and Bora-Bora (Re: MD5 collisions?)

2004-08-18 Thread R. A. Hettinga

At 1:40 AM -0400 8/18/04, Declan McCullagh trots out the Cypherpunk
Purity Test, among other tasty bits of speciousness:


>At 01:02 AM 8/18/2004, J.A. Terranson wrote:
>>Since when is on-topic crossposting an issue here?
>
>Since forever.

To elucidate this a bit, Declan believes in this obscure
WELL.nonsense called "you own your own words". No. Seriously.
*Nobody* can forward *anything* you say, *anywhere* on the net,
without your permission. On the net. Without your permission.

Pardon me. Almost 10 years after I heard of it, my stomach still
hurts from laughing at this ignorant blend of "communitarian"
hippy-logic and 19th century industrial-age legal nostrum. Hint,
Declan: the definition of property, especially digital property in an
age of perfect digital copies on a ubiquitous geodesic :-)
internetwork, is that it's sitting, preferably encrypted, on my hard
drive. The, um, bald, fact is, once it's there, I can send it,
anywhere on the net, whenever I feel like it, without your
"permission".


Declan's actual subtext in this case is that he's written this nice
summary article on ... wait... where do you work this week, Declan?
Time Magazine? No. Not there anymore. Wired, right? No, not there
either. Oh, that's it, CNET. Still there, right? CNET probably can't
hire enough fact-checkers, so you're probably safe there for a while
until the cacophony of protests from your misquoted article subjects
rises above a dull roar. Reminds me of a cartoon in Tom Wolfe's
"Mauve Gloves and Madmen, Currier and Vine" about the Guy Who Peaked
Too Soon.

Anyway, as usual, Declan has, dutifully, one imagines, ground out
something he wants you to read instead of seeing (mostly relevant
:-)) first sources in more or less real-time, on this list where you
read it, instead of interrupting your flow to click around on the web
for it.

This way, though, he "owns" the words, you see. And, obviously, if
you click the link, provided here as a courtesy,
, he
gets paid more money. Sooner or later. Or at least they might pay his
way to more conferences, like they used to during the Clinton
Internet Bubble :-). Maybe. Anyway, maybe if we all click it a lot of
times, Dear Declan might sit down, shut up, and move that sock from
his trousers to his pie-hole.


By the way, the reason I didn't send *that* article to the list, too
-- before he pissed on my shoes -- is that he whines at you offline
about it. And, before this, I took pity on the once-richer-now-poorer
erst-ink-stained wretch.

Fuck that. I expect to be getting a phone call from CNET's lawyers
for copyright violations under COPA, or whatever, now, as a result,
but what the hell.

>Since before either of us joined the list (and I first started
>reading a decade ago).

Here we go, folks. The ol' cypherpunks purity trick. "My tenure on
these lists longer than yours." Or, "I've been voting libertarian
longer than you have." Or, "I play on Cato's Invisible Foot and you
don't." Or, "I can dry-jack a Mossberg, or Nikon Coolpix, or
whatever, faster than you can." Or whatever. For the record, I've
been here since March or April of 1994. Whatever.

This list, and its lineal predecessors, is long past the time when
cutting edge cryptography was discussed here for the first time
instead of somewhere else. So, periodically, the tree of cypherpunks
must be watered with the blood of other lists. Or something. :-)



In the meantime, remember that Declan's main purpose here is to sniff
around for stories. Which is fine, until he starts pretending he's
Tim May (I knew Tim May -- he wished I didn't -- and, Mr. McCullagh
you're... Oh, forget it), or, paradoxically for cypherpunks, that he
owns the list somehow, and that, like Mighty Mouse, he's here to save
the day and play list.policeman.

>It's a matter of politeness and degree.

True enough. And, frankly, I've respected both of those in what I've
sent here over the years. The only people who've complained, at least
until I've explained myself to their satisfaction, have been
"professionals" who "owned their own words" and got scooped. If one
can consider forwarding something important from cryptography to this
list to be "scooping" the CNET Political Editor in Chief. Or whatever
they say he is these days.

>A pointer to a discussion archived
>on the web is more useful than dozens of forwarded messages.

>Hey, I have an idea! Why don't I write a script crossposting
>everything from sci.crypt to cypherpunks! How about a few dozen
>other "on-topic" newsgroups and mailing lists too?

Go ahead. Are you going to reformat them for legibility first, if
necessary? Are you going to personally decide, in *your* opinion,
what's worth forwarding and what isn't? Are you going to be topical?
More to the point, Declan, are you going to do it in such a way that
the residents of the list actually *use* in further discussion?

Or are you going to do 

Re: MD5 collisions?

2004-08-17 Thread Declan McCullagh
At 01:02 AM 8/18/2004, J.A. Terranson wrote:
> Since when is on-topic crossposting an issue here?
Since forever. Since before either of us joined the list (and I first 
started reading a decade ago).

It's a matter of politeness and degree. A pointer to a discussion archived 
on the web is more useful than dozens of forwarded messages.

Hey, I have an idea! Why don't I write a script crossposting everything 
from sci.crypt to cypherpunks! How about a few dozen other "on-topic" 
newsgroups and mailing lists too?

-Declan



Re: MD5 collisions?

2004-08-17 Thread J.A. Terranson

On Tue, 17 Aug 2004, Declan McCullagh wrote:

> Sigh. RAH has descended to the level of a net.kook.
>
> Never would have guessed.
>
> -Declan

Since when is on-topic crossposting an issue here?

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

  "...justice is a duty towards those whom you love and those whom you do
  not.  And people's rights will not be harmed if the opponent speaks out
  about them."  Osama Bin Laden
- - -

  "There aught to be limits to freedom!"George Bush
- - -

Which one scares you more?



Re: MD5 collisions?

2004-08-17 Thread David Honig
At 09:04 PM 8/17/04 -0400, R. A. Hettinga wrote:
>At 7:33 PM -0500 8/17/04, Declan McCullagh wrote:
>>One is enough. Less is more. Let's eliminate redundancy, thus eliminating
>>redundancy.

LMAO RAH :-)



=
36 Laurelwood Dr
Irvine CA 92620-1299

VOX: (714) 544-9727 (home) mnemonic: P1G JIG WRAP
VOX: (949) 462-6726 (work -don't leave msgs, I can't pick them up)
   mnemonic: WIZ GOB MRAM
ICBM: -117.7621, 33.7275
HTTP: http://68.5.216.23:81 (back up, but not 99.999% reliable)
PGP PUBLIC KEY: by arrangement

Send plain ASCII text not HTML lest ye be misquoted

--

"Don't 'sir' me, young man, you have no idea who you're dealing with"
Tommy Lee Jones, MIB



No, you're not 'tripping', that is an emu ---Hank R. Hill



Re: MD5 collisions?

2004-08-17 Thread Declan McCullagh
Sigh. RAH has descended to the level of a net.kook.

Never would have guessed.

-Declan



Re: MD5 collisions?

2004-08-17 Thread R. A. Hettinga
At 8:58 PM -0500 8/17/04, Declan McCullagh wrote:
>I hadn't noticed. How uncharacteristic of him. Never would have guessed.

...and my mother dresses me funny?

You can do better than that, Declan -- if you do say so yourself.

Self-important git.

-RAH






Re: MD5 collisions?

2004-08-17 Thread Declan McCullagh
Oh, so it was RAH who was responsible for the repeated random useless
forwards?

I hadn't noticed. How uncharacteristic of him. Never would have guessed.

-Declan



On Tue, Aug 17, 2004 at 09:06:20PM -0400, R. A. Hettinga wrote:
> At 7:33 PM -0500 8/17/04, Declan McCullagh wrote:
> >One is enough. Less is more. Let's eliminate redundancy, thus eliminating
> >redundancy.
> 
> Yawn.
> 
> "Let's" piss up a rope, shall we?
> 
> Cheers,
> RAH
> 



Re: MD5 collisions?

2004-08-17 Thread R. A. Hettinga
...and another thing...

At 7:33 PM -0500 8/17/04, Declan McCullagh wrote:

>-Declan "TCM" McCullagh

Does this mean you spend all day in a Barcolounger dry-jacking a Mossberg,
muttering about Janet Reno?

;-)

Cheers,
RAH
"Banks in Hong Kong and Shanghai", indeed...




Re: MD5 collisions?

2004-08-17 Thread R. A. Hettinga
At 7:33 PM -0500 8/17/04, Declan McCullagh wrote:
>One is enough. Less is more. Let's eliminate redundancy, thus eliminating
>redundancy.

Yawn.

"Let's" piss up a rope, shall we?

Cheers,
RAH




Re: MD5 collisions?

2004-08-17 Thread R. A. Hettinga
At 7:33 PM -0500 8/17/04, Declan McCullagh wrote:
>One is enough. Less is more. Let's eliminate redundancy, thus eliminating
>redundancy.




Re: MD5 collisions?

2004-08-17 Thread Declan McCullagh
The last eight messages I see on cypherpunks (sorted by date, threaded)
are forwards of messages from Perry's crypto list.

Perry's list is archived publicly on the web if anyone subscribing to
cypherpunks but not his list is interested in the discussion -- so let
me humbly suggest that it might be possible not to forward each message.

One is enough. Less is more. Let's eliminate redundancy, thus eliminating
redundancy.

-Declan "TCM" McCullagh



On Tue, Aug 17, 2004 at 03:09:58PM -0400, R. A. Hettinga wrote:
> --- begin forwarded text
> 
> 
> Delivered-To: [EMAIL PROTECTED]
> Date: Tue, 17 Aug 2004 11:10:58 -0400
> From: Thomas Harold <[EMAIL PROTECTED]>
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
> Gecko/20040616
> To: [EMAIL PROTECTED]
> Subject: Re: MD5 collisions?
> Sender: [EMAIL PROTECTED]
> 
> Eric Rescorla wrote:
> 
> > Check out this ePrint paper, which claims to have collisions in
> > MD5, MD4, HAVAL, and full RIPEMD.
> >
> > http://eprint.iacr.org/2004/199.pdf
> >
> > The authors claim that the MD5 attack took an hour for the first
> > collision and 15 seconds to 5 minutes for subsequent attacks
> > with the same first 512 bits.
> 
> I'll play the newbie and ask the question... how would this be used in a
> practical attack against MD5 (or the other hashing algorithms)?
> 
> From my limited understanding, MD5 is usually used as a hash to detect
> tampering in a particular bitstream.  In which case, the attacker's goal
> would be to calculate how to change bits in the bitstream without
> changing the MD5 output.  (And hopefully without making the bitstream a
> different size.)  Is this where collisions come into play?
> 
> Alternatively, hash functions can be used to store passwords (salt +
> plain text password => hash function => password file).  But I don't see
> where the attacker could use collisions for that.
> 
> [Moderator's note:
> 
>  You might want to read up on hash functions and their uses --
>  "detecting tampering" in the sense you mean isn't the main use of
>  hash functions these days though they are certainly employed in such
>  applications. Hash functions are a primitive used in all sorts of
>  places as part of MACs, as ways of enabling signature systems, as
>  elements of commitment protocols etc. The use in commitment protocols
>  is totally blown by the current results, btw.
> 
>  For purposes of things like x.509 certificates, as message integrity
>  codes, etc., the current attacks don't provide an immediate way to
>  attack the system, but they make one worried about the health of the
>  algorithms -- probably sufficiently much to motivate quickly
>  abandoning them for ones that are not vulnerable to these attacks.
> 
>  --Perry]
> 
> --- end forwarded text
> 
> 



Re: MD5 collisions?

2004-08-17 Thread R. A. Hettinga

--- begin forwarded text


Delivered-To: [EMAIL PROTECTED]
Date: Tue, 17 Aug 2004 11:10:58 -0400
From: Thomas Harold <[EMAIL PROTECTED]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
Gecko/20040616
To: [EMAIL PROTECTED]
Subject: Re: MD5 collisions?
Sender: [EMAIL PROTECTED]

Eric Rescorla wrote:

> Check out this ePrint paper, which claims to have collisions in
> MD5, MD4, HAVAL, and full RIPEMD.
>
> http://eprint.iacr.org/2004/199.pdf
>
> The authors claim that the MD5 attack took an hour for the first
> collision and 15 seconds to 5 minutes for subsequent attacks
> with the same first 512 bits.

I'll play the newbie and ask the question... how would this be used in a
practical attack against MD5 (or the other hashing algorithms)?

From my limited understanding, MD5 is usually used as a hash to detect
tampering in a particular bitstream.  In which case, the attacker's goal
would be to calculate how to change bits in the bitstream without
changing the MD5 output.  (And hopefully without making the bitstream a
different size.)  Is this where collisions come into play?

Alternatively, hash functions can be used to store passwords (salt +
plain text password => hash function => password file).  But I don't see
where the attacker could use collisions for that.

[Moderator's note:

 You might want to read up on hash functions and their uses --
 "detecting tampering" in the sense you mean isn't the main use of
 hash functions these days though they are certainly employed in such
 applications. Hash functions are a primitive used in all sorts of
 places as part of MACs, as ways of enabling signature systems, as
 elements of commitment protocols etc. The use in commitment protocols
 is totally blown by the current results, btw.

 For purposes of things like x.509 certificates, as message integrity
 codes, etc., the current attacks don't provide an immediate way to
 attack the system, but they make one worried about the health of the
 algorithms -- probably sufficiently much to motivate quickly
 abandoning them for ones that are not vulnerable to these attacks.

 --Perry]

--- end forwarded text


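Jeff's observation that the issuer signature covers only the hash of the to-be-signed part, and Perry's note that X.509 is where the affected algorithms should be abandoned, as a defender's check: an added example (not the paper's code nor anyone's on the list) that reads the signatureAlgorithm OID out of a DER-encoded certificate and flags md5WithRSAEncryption. The OID constants are from RFC 3279 and RFC 4055; the sample certificate skeleton is constructed inline and is not a real certificate.

```python
"""Added check (not the paper's or the list's code): pull the signatureAlgorithm
OID out of a DER-encoded X.509 certificate and flag MD5-based signatures."""
import hashlib

# md5WithRSAEncryption (RFC 3279): the issuer hash the colliding-certificate paper targets.
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"   # RFC 4055, used here for the comparison case


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: the first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                      # long form: next (first & 0x7F) bytes hold the length
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length


def inspect_certificate(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    The issuer signs hash(DER of tbsCertificate), so two tbsCertificates with the same
    MD5 get the same signature; the algorithm named here decides whether that is a risk."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, end_tbs = read_tlv(cert, 0)
    tbs_der = cert[:end_tbs]                 # includes its own tag and length octets
    _, alg_id, _ = read_tlv(cert, end_tbs)   # AlgorithmIdentifier SEQUENCE
    _, oid_body, _ = read_tlv(alg_id, 0)     # its first element is the algorithm OID
    oid = decode_oid(oid_body)
    return {"oid": oid, "weak": oid == MD5_WITH_RSA,
            "tbs_md5": hashlib.md5(tbs_der).hexdigest()}  # the value an MD5 issuer signs


def build_sample_cert(sig_oid):
    """Constructed minimal skeleton, not a real certificate: a stand-in tbsCertificate
    holding one INTEGER, the AlgorithmIdentifier, and a zero placeholder BIT STRING."""
    tbs = tlv(0x30, tlv(0x02, b"\x02"))
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))
    sig = tlv(0x03, b"\x00" + bytes(16))     # leading byte = number of unused bits
    return tlv(0x30, tbs + alg + sig)
```

On a real certificate, pass the DER bytes (the base64 body of a PEM file, decoded) to inspect_certificate; a "weak" result is the signal to re-issue under a SHA-2 signature algorithm.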