[cabfpub] For discussion: Restricting the use of file-based demonstrations of control

Adam Langley agl at google.com
Mon Jun 2 21:28:02 UTC 2014


On Mon, Jun 2, 2014 at 2:04 PM, Rob Stradling <rob.stradling at comodo.com> wrote:
> Oh, BTW, our current scheme requires the attacker to generate a CSR that
> collides with both the SHA-1 _and_ MD5 hashes of the legitimate CSR.

The concatenation of SHA-1 and MD5 is, sadly, not nearly as good as
one might hope:
http://www.iacr.org/cryptodb/archive/2004/CRYPTO/1472/1472.pdf.

> I thought the N-bits-of-randomness-in-serial-numbers requirement was
> added specifically because SHA-1 is on its last legs.  Can we not say
> that SHA-256 (and, hopefully, SHA-1-plus-MD5) has a large enough
> security margin that the randomness requirement isn't actually necessary?

Entropy in the serial numbers was, indeed, added to convert the
attackers' problem from a simple collision attack to something close
to target collision resistance. Technically, with SHA-256 that's no
longer needed. However, it would be sad to regress. Also, I think
Ryan's previous concern would still stand:

"Another attack would be using the same CSR, but provided to another
CA, CA B. The attacker does not hold the private key (yet), but
obtains an additional certificate. Then, using a technique like
Heartbleed, obtains the private key at some later point.

The legitimate customer revokes their certificate with their known CA,
CA A. Assuming revocation worked reliably (e.g., must-staple), that
certificate and key pair would now be invalid. However, the attacker
holds a still-valid certificate, from CA B, and now holds the private
key as well. Without compromise of any CA, and without awareness of
the subscriber (sans CT), they can now mount a MITM."


Cheers

AGL
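
Added example, not part of the original message: a toy demonstration of the multicollision construction for iterated hashes (Joux, CRYPTO 2004), which is why a SHA-1 plus MD5 concatenation adds little collision resistance over the stronger hash alone. The 16-bit truncated compression functions, the padding-free iteration and all function names are assumptions chosen so the search finishes instantly.

```python
import hashlib
from itertools import product

N = 2  # toy state size in bytes (16 bits); real hashes differ only in scale

def compressor(h):
    """Toy compression function: truncated hash of state || block."""
    return lambda state, block: h(state + block).digest()[:N]

F = compressor(hashlib.md5)    # stand-in for the first iterated hash
G = compressor(hashlib.sha1)   # stand-in for the second iterated hash
IV = b"\x00" * N

def iterate(f, blocks):
    """Merkle-Damgard iteration, no padding (all messages have equal length)."""
    state = IV
    for b in blocks:
        state = f(state, b)
    return state

def block_collision(f, state):
    """Birthday search: two distinct blocks with the same output from `state`."""
    seen = {}
    for i in range(1 << 20):   # pigeonhole guarantees a hit within 2**16 + 1 tries
        block = i.to_bytes(4, "big")
        out = f(state, block)
        if out in seen:
            return seen[out], block, out
        seen[out] = block
    raise RuntimeError("no collision found")

def concat_collision(t=12):
    """Return two distinct block tuples that collide under both F and G."""
    state, pairs = IV, []
    for _ in range(t):                 # t chained collisions in F, ~2**8 work each
        b1, b2, state = block_collision(F, state)
        pairs.append((b1, b2))
    seen = {}
    for msg in product(*pairs):        # 2**t messages, all equal under F
        g = iterate(G, msg)
        if g in seen:                  # birthday collision in G among them
            return seen[g], msg
        seen[g] = msg
    return None

def toy_concat(blocks):
    """The concatenated digest F(m) || G(m)."""
    return iterate(F, blocks) + iterate(G, blocks)
```

The work is roughly t birthday searches on F plus 2**t evaluations of G, so the 32-bit concatenation falls at about the cost of attacking one 16-bit hash, not a 32-bit one.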


