[cabfpub] A better way to do SHA-1 legacy

Rob Stradling rob.stradling at comodo.com
Tue Jul 19 22:08:50 UTC 2016


On 19/07/16 17:59, Erwann Abalea wrote:
> The attacker can tweak the public key and obtain a resulting tbsCert

Erwann,

Phill, Gerv and I have each already tried to explain that simply 
tweaking the public key would *not* yield the exact TBSCertificate that 
the CA would then sign.

Tweaking the public key would cause the serial number to change.

I agree with you that removing the 64 bits of CSPRNG output would mean 
that the attacker can predict the precise TBSCertificate before it is 
signed.  But how would they find a collision when every bit they tweak 
causes the (at least 16 bytes long) serial number to change?

> until a set of attacker-defined conditions is met. He doesn’t need to interact with anybody for that, and we don’t know what kind of « attacker-defined conditions » is acceptable.
> In my view, it’s a regression from the current scheme.
>
> Regards,
> Erwann Abalea
>
>> On 19 Jul 2016, at 16:53, Gervase Markham <gerv at mozilla.org> wrote:
>>
>> On 19/07/16 15:44, Erwann Abalea wrote:
>>> There’s no need to collide SHA2 with this scheme.
>>> The attacker can know in advance what the serial number will be; it may
>>> not be sequential, but is nevertheless predictable. So the attacker
>>
>> But the attacker can only know the serial number when the entire
>> remainder of the certificate is fixed. So how can they tweak it to
>> enable the attack? If they tweak it, the serial number changes.
>>
>> Gerv
>>
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
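The two claims argued over above (without the CSPRNG output the attacker can predict the exact TBSCertificate; but every bit they tweak in the public key still changes the serial, so there is no fixed prefix to run a chosen-prefix collision against) are easy to see in a toy model. The following is an added example, not code from the thread, the ballot, or any CA's systems. It assumes a SHA-256 hash over the rest of the TBSCertificate (the thread only says "SHA2"), a 16-byte truncation with the top bit cleared, a 64-bit nonce appended before hashing, invented field names with a simple length-prefixed encoding in place of DER, and placeholder bytes in place of a real key. It does not attempt an actual SHA-1 collision; it only shows what the attacker can and cannot hold fixed.

```python
import hashlib

# Added example, not code from the thread or from any CA: a toy model of the
# serial-number scheme being debated.  The serial is derived from a SHA-256
# hash (assumed; the thread just says "SHA2") over the rest of the
# TBSCertificate, optionally mixed with 64 bits of CSPRNG output.  Field
# names, the length-prefixed encoding, the 16-byte truncation and the
# positive-INTEGER fix-up are all assumptions for illustration.

SERIAL_LEN = 16    # the thread says the serial is "at least 16 bytes long"
NONCE_LEN = 8      # the 64 bits of CSPRNG output
TBS_FIELDS = ("issuer", "validity", "subject", "spki", "extensions")

# Constructed sample request (placeholder bytes, not a real key).
SAMPLE = {
    "issuer": b"CN=Example Legacy Issuing CA",
    "validity": b"20160719000000Z/20170719000000Z",
    "subject": b"CN=legacy.example.net",
    "spki": bytes(range(256)),
    "extensions": b"keyUsage=digitalSignature",
}


def encode_tbs_without_serial(fields):
    """Deterministic stand-in for DER: name || 4-byte length || value, fixed order."""
    out = b""
    for name in TBS_FIELDS:
        value = fields[name]
        out += name.encode() + len(value).to_bytes(4, "big") + value
    return out


def derive_serial(fields, nonce=None):
    """serial = SHA-256(rest-of-TBS || nonce)[:SERIAL_LEN], top bit cleared
    so the DER INTEGER encodes as a positive number (assumed convention)."""
    h = hashlib.sha256(encode_tbs_without_serial(fields))
    if nonce is not None:
        if len(nonce) != NONCE_LEN:
            raise ValueError("nonce must be exactly 64 bits")
        h.update(nonce)
    serial = bytearray(h.digest()[:SERIAL_LEN])
    serial[0] &= 0x7F
    return bytes(serial)


def build_tbs(fields, nonce=None):
    """The bytes the CA would sign: serial first, then everything else."""
    return derive_serial(fields, nonce) + encode_tbs_without_serial(fields)


def flip_bit(fields, name, bit):
    """The attacker's tweak: a copy of `fields` with one bit of one field flipped."""
    tweaked = dict(fields)
    buf = bytearray(tweaked[name])
    buf[bit // 8] ^= 1 << (bit % 8)
    tweaked[name] = bytes(buf)
    return tweaked


def prefix_len_before(fields, name):
    """Offset in the TBS at which field `name` starts (serial counted first)."""
    n = SERIAL_LEN
    for f in TBS_FIELDS:
        if f == name:
            return n
        n += len(f) + 4 + len(fields[f])
    raise KeyError(name)


def attacker_predicts_serial(fields, ca_nonce):
    """Rob's concession: knowing every other field, the attacker can compute
    the exact serial (and hence the exact TBS) only when there is no nonce,
    because the CSPRNG output is not something they can know in advance."""
    prediction = derive_serial(fields, None)
    return prediction == derive_serial(fields, ca_nonce)


def tweak_changes_prefix(fields, ca_nonce, bit):
    """Rob's main point: a chosen-prefix collision needs the bytes ahead of the
    collision blocks (which would live inside the public key) to stay fixed,
    but the serial sits at the front of the TBS and depends on every bit of
    the key, so each tweak moves the prefix out from under the attacker."""
    before = build_tbs(fields, ca_nonce)
    after = build_tbs(flip_bit(fields, "spki", bit), ca_nonce)
    cut = prefix_len_before(fields, "spki")
    return before[:cut] != after[:cut]


if __name__ == "__main__":
    import os
    nonce = os.urandom(NONCE_LEN)
    print("no nonce, attacker predicts serial:", attacker_predicts_serial(SAMPLE, None))
    print("with nonce, attacker predicts serial:", attacker_predicts_serial(SAMPLE, nonce))
    print("tweaking one key bit changes the prefix:", tweak_changes_prefix(SAMPLE, None, 777))
```

`attacker_predicts_serial` returns True only when the CA adds no nonce, which is the regression Erwann is worried about; `tweak_changes_prefix` returns True whether or not there is a nonce, which is the property Rob and Gerv are relying on: the attacker can predict the serial for one fixed key, but cannot search over key variants while keeping the serial (and so the prefix) constant.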


