Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities [chapter]

Marc Stevens, Arjen Lenstra, Benne de Weger
2007 Lecture Notes in Computer Science  
construction of colliding X.509 certificates required identical name fields.  ...  To illustrate the practicality of our method, we constructed two MD5 based X.509 certificates with identical signatures but different public keys and different Distinguished Name fields, whereas our previous  ...  We are grateful for comments and assistance received from the Eurocrypt 2007 reviewers, Bart Asjes, Stuart Haber, Paul Hoffman, Pascal Junod, Vlastimil Klima, Bart Preneel, NBV, Gido Schmitz, Eric Verheul  ... 
doi:10.1007/978-3-540-72540-4_1 fatcat:zccpmfb4wnhg5dx5d5ynj6cmoa

Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate [chapter]

Marc Stevens, Alexander Sotirov, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger
2009 Lecture Notes in Computer Science  
Finally, we improve the complexity of identical-prefix collisions for MD5 to about 2^16 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction  ...  We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate  ...  Acknowledgements We are grateful for comments by the Crypto 2009 reviewers, and support by the European Commission through the EU ICT program ECRYPT II, by the Swiss National Science Foundation, and by  ... 
doi:10.1007/978-3-642-03356-8_4 fatcat:ifrxwrjeqje3bpt66t2m3mkmwa

On the Possibility of Constructing Meaningful Hash Collisions for Public Keys [chapter]

Arjen Lenstra, Benne de Weger
2005 Lecture Notes in Computer Science  
For instance, we show how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys.  ...  We show that at least one of the arguments involved is wrong, by showing that for several common public key systems it is easy to construct pairs of meaningful and secure public key data that either collide  ...  Lenstra, Berry Schoenmakers, and Mike Wiener for helpful remarks and fruitful discussions.  ... 
doi:10.1007/11506157_23 fatcat:5dereqkvjvfhdewvfuglzrue5i

Chosen-prefix collisions for MD5 and applications

Marc Stevens, Arjen K. Lenstra, Benne De Weger
2012 International Journal of Applied Cryptography  
values P S and P S collide under MD5.  ...  This is illustrated by a pair of MD5-based X.509 certificates one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate  ...  We are grateful for comments and assistance re- This work has been supported in part by the Swiss National Science Foundation under grant number 206021-117409, by EPFL DIT, and by the European Commission  ... 
doi:10.1504/ijact.2012.048084 fatcat:ykzgio3vpzd3hk5ufr7g66zmpa

Are Certificate Thumbprints Unique? [article]

Greg Zaverucha, Dan Shumow
2019 IACR Cryptology ePrint Archive  
This type of collision attack is now practical for MD5, and expected to be practical for SHA-1 in the near future.  ...  First, we demonstrate that creating two X.509 certificates with the same thumbprint is possible when the hash function is weak, in particular when chosen-prefix collision attacks are possible.  ...  Review of X.509 Certificates In this section we review X.509 certificates, in sufficient detail to explain our process for creating certificates with colliding thumbprints.  ... 
dblp:journals/iacr/ZaveruchaS19 fatcat:xxxpkdeiunhqdnfhco5ryxfoye

SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust

Gaëtan Leurent, Thomas Peyrin
2020 USENIX Security Symposium  
We exemplify our cryptanalysis by creating a pair of PGP/GnuPG keys with different identities, but colliding SHA-1 certificates.  ...  When renting cheap GPUs, this translates to a cost of US$ 11k for a collision, and US$ 45k for a chosen-prefix collision, within the means of academic researchers.  ...  Acknowledgements The authors would like to thank Vesselin Velichkov for his help with regards to an initial analysis of neutral bits applicability on SHA-1 and Werner Koch for his comments on the applicability  ... 
dblp:conf/uss/LeurentP20 fatcat:ygb236nep5c3xcdvwtxrfxadia

Practical key-recovery attack against APOP, an MD5-based challenge-response authentication

Gaetan Leurent
2008 International Journal of Applied Cryptography  
Recently, more concrete attacks have appeared: Stevens, Lenstra and de Weger in [23] found colliding X.509 certificates for two different Distinguished Name.  ...  Lenstra and de Weger also used the free prefix and free suffix property to create different X.509 certificates for the same Distinguished Name but with different secure RSA moduli in [13].  ...  Thanks are due to Phong Nguyen and Pierre-Alain Fouque for their precious help and proofreading. We also thank Louis Granboulan for his help in collecting and analysing WiFi data.  ... 
doi:10.1504/ijact.2008.017049 fatcat:tchulg6g4vewhfatm3p3gykhza

SHA-1 and MD5 Cryptographic Hash Functions: Security Overview

Roman Jasek
2015 Communications - Scientific Letters of the University of Zilina  
Despite their obsolescence and recommendations they are phased out from production environment, MD5 and SHA-1 cryptographic hash functions remain defaults frequently offered in many applications, e.g.,  ...  Suitability procedures and their methods of use are part of this article.  ...  Hash functions have seen increased use in areas such as concurrent algorithm design [45] and continue to be active research field.  ... 
doi:10.26552/com.c.2015.1.73-80 fatcat:ga7abwemkbdnjijduwadtjd35u

How Risky Is the Random-Oracle Model? [chapter]

Gaëtan Leurent, Phong Q. Nguyen
2009 Lecture Notes in Computer Science  
We also remark that collisions can be found as a precomputation for any instantiation of the ROM, and this violates the security definition of the scheme in the standard model.  ...  We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones  ...  However, the impact on the public-key world has been limited so far, with the exception of [45] , which constructs two colliding X.509 certificates for different identities and public keys, and has recently  ... 
doi:10.1007/978-3-642-03356-8_26 fatcat:vbjvlxawfzfztgra55nuebyw34

Energy-Efficient Source Authentication for Secure Group Communication with Low-Powered Smart Devices in Hybrid Wireless/Satellite Networks

Ayan Roy-Chowdhury, John S. Baras
2011 EURASIP Journal on Wireless Communications and Networking  
We describe a new class of lightweight, symmetric-key digital certificates called extended TESLA certificates and a source authentication protocol for wireless group communication that is based on the  ...  The certificate binds the identity of a wireless smart device to the anchor element of its key chain; keys from the chain are used for computing message authentication codes (MACs) on messages sourced  ...  The material presented in this paper is based upon work supported by National Aeronautics and Space Administration under award No. NCC8235, and by the  ... 
doi:10.1155/2011/392529 fatcat:5il3vocptfd7rbarwoswuenbqu

Messy States of Wiring: Vulnerabilities in Emerging Personal Payment Systems

Jiadong Lou, Xu Yuan, Ning Zhang
2021 USENIX Security Symposium  
By examining the documentation, available source codes, and demos, we extracted a common abstracted model for PPS and discovered seven categories of vulnerabilities in the existing personal payment protocol  ...  design and system implementation.  ...  , and CNS-1948374.  ... 
dblp:conf/uss/LouYZ21 fatcat:ty6bel43nzamzl4l3tjhuent7u

Beyond PKI: The Biocryptographic Key Infrastructure

W. Scheirer, B. Bishop, T. Boult
2010 2010 IEEE International Workshop on Information Forensics and Security  
A practical and recent attack [35, 36] highlights the ease with which a rogue certificate authority can be established, using an MD5 hash collision attack against the digital signatures used for certificate  ...  But to solve these problems correctly, we cannot simply use standard biometric templates (the data representation of the collected biometric feature) embedded within x.509 certificates, because a revocation  ...  Acknowledgements This work was supported in part by NSF STTR Award Number 0750485 and NSF PFI Award Number 065025.  ... 
doi:10.1109/wifs.2010.5711435 dblp:conf/wifs/ScheirerBB10 fatcat:avh4vs2eobbi3nnobubs7w5bmu

Beyond PKI: The Biocryptographic Key Infrastructure [chapter]

Walter J. Scheirer, William Bishop, Terrance E. Boult
2013 Security and Privacy in Biometrics  
A practical and recent attack [35, 36] highlights the ease with which a rogue certificate authority can be established, using an MD5 hash collision attack against the digital signatures used for certificate  ...  But to solve these problems correctly, we cannot simply use standard biometric templates (the data representation of the collected biometric feature) embedded within x.509 certificates, because a revocation  ...  Acknowledgements This work was supported in part by NSF STTR Award Number 0750485 and NSF PFI Award Number 065025.  ... 
doi:10.1007/978-1-4471-5230-9_3 fatcat:yuthwurbrnd3nefhdptujvc22y

Mitigating TLS compromise with ECDHE and SRP [article]

Aron Wussler
2020 arXiv   pre-print
Technologies such as Secure Remote Password (SRP) and the Elliptic Curves Diffie Hellman Ephemeral (ECDHE) exchange are used for the key exchange, verifying the public parameters through PGP signatures  ...  its key exchange, symmetric packet encryption, and validation.  ...  Acknowledgments I would like to thank Francisco Vial for the help reviewing this paper.  ... 
arXiv:2005.13864v1 fatcat:zfqwv32wwbcirepxgf63nc5zua

The most dangerous code in the world

Martin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, Vitaly Shmatikov
2012 Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12  
In order for the SSL connection to be secure, the client must carefully verify that the certificate has been issued by a valid certificate authority, has not expired (or been revoked), the name(s) listed  ...  SSL is intended to guarantee confidentiality, authenticity, and integrity for communications between the client and the server.  ...  We thank Colm O hEigeartaigh for explaining the intended behavior of certificate validation in Apache CXF.  ... 
doi:10.1145/2382196.2382204 dblp:conf/ccs/GeorgievIJABS12 fatcat:44o5kvfoevbknawzddsvfrxlyq