[Help-gnutls] Re: target collisions and colliding certificates with different identities

Simon Josefsson jas at extundo.com
Tue Oct 24 08:34:46 CEST 2006


All,

You may have seen the post below about colliding X.509 certificates
with different identities.

GnuTLS since 1.2.9 is not vulnerable to this problem, since we have
disabled the use of RSA-MD5 for verifying X.509 signatures.

Below is how to test this for yourself.

/Simon

jas at mocca:~$ wget -q http://www.win.tue.nl/~bdeweger/CollidingCertificates/MD5CollisionCA.cer http://www.win.tue.nl/hashclash/TargetCollidingCertificates/TargetCollidingCertificate1.cer http://www.win.tue.nl/hashclash/TargetCollidingCertificates/TargetCollidingCertificate2.cer
jas at mocca:~$ certtool --inder -i < MD5CollisionCA.cer > ca.pem
Warning: certificate uses a broken signature algorithm that can be forged.
jas at mocca:~$ certtool --inder -i < TargetCollidingCertificate1.cer > client1.pem
Warning: certificate uses a broken signature algorithm that can be forged.
jas at mocca:~$ certtool --inder -i < TargetCollidingCertificate2.cer > client2.pem
Warning: certificate uses a broken signature algorithm that can be forged.
jas at mocca:~$ cat client1.pem ca.pem > chain1.pem
jas at mocca:~$ cat client2.pem ca.pem > chain2.pem
jas at mocca:~$ certtool -e < chain1.pem
Certificate[0]: CN=Arjen K. Lenstra,O=Collisionairs,L=Eindhoven,C=NL
        Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
        Verifying against certificate[1].
        Verification output: Not verified, Insecure algorithm.

Certificate[1]: CN=Hash Collision CA,L=Eindhoven,C=NL
        Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
        Verification output: Verified.

jas at mocca:~$ certtool -e < chain2.pem
Certificate[0]: CN=Marc Stevens,O=Collision Factory,L=Eindhoven,C=NL
        Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
        Verifying against certificate[1].
        Verification output: Not verified, Insecure algorithm.

Certificate[1]: CN=Hash Collision CA,L=Eindhoven,C=NL
        Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
        Verification output: Verified.

jas at mocca:~$

"Weger, B.M.M. de" <b.m.m.d.weger at TUE.nl> writes:

> Hi all,
>
> We announce:
> - an example of a target collision for MD5; this means: 
>   for two chosen messages m1 and m2 we have constructed 
>   appendages b1 and b2 to make the messages collide 
>   under MD5, i.e. MD5(m1||b1) = MD5(m2||b2);
>   said differently: we can cause an MD5 collision for 
>   any pair of distinct IHVs;
> - an example of a pair of valid, unsuspicious X.509 
>   certificates with distinct Distinguished Name fields, 
>   but identical CA signatures; this example makes use 
>   of the target collision.
>
> See http://www.win.tue.nl/hashclash/TargetCollidingCertificates/,
> where the certificates and a more detailed announcement 
> can be found.
>
> Marc Stevens
> Arjen Lenstra
> Benne de Weger





More information about the Gnutls-help mailing list