[cabfpub] FW: Pre-Ballot 164 - Certificate Serial Number Entropy

Jacob Hoffman-Andrews jsha at letsencrypt.org
Fri Jun 24 00:52:55 UTC 2016


On Thu, Jun 23, 2016 at 5:41 PM, Erwann Abalea <eabalea at gmail.com> wrote:

> (Sending from my personal email, so this may not go to public).
>
> Bonsoir,
>
> On the intent:
> - Basic collisions of hash functions have always been resistant up to a
> 2^(n/2) work effort, n being the digest size (replace "what is should be"
> by "its output size").
> - Adding random bits at the very beginning of the hashed data changes the
> necessary attack from a chosen-prefix collision into a random-prefix
> collision (not a preimage yet, not even a second preimage). It's important
> for the random bits to be at the beginning and not at the end of the
> tbsCertificate (random-prefix).
> - This is not a solution against a completely failing hash function, just
> a mitigation against an aging hash func that sees its collision resistance
> weaker than expected (only works when collision resistance is affected,
> doesn't work against preimage or second preimage attack). See it as an
> additional margin time to move away from this hash, and facts prove again
> today that this move can be very hard to do (SHA1 discussions).
>

Excellent corrections, thank you.

Amended intent:

As demonstrated in
https://events.ccc.de/congress/2008/Fahrplan/attachments/1251_md5-collisions-1.0.pdf,
hash collisions can allow an attacker to forge a signature on the
certificate of their choosing. The birthday paradox means that, in the
absence of random bits, the security level of a hash function is half its
output size. Adding random bits to the very beginning of issued
certificates changes the necessary attack from a chosen-prefix
collision into a random-prefix collision. For a long time the BRs have
encouraged adding random bits to the serial number of a certificate, and it
is now common practice. This ballot makes that best practice required,
which will make the Web PKI much more robust against all future weaknesses
in hash functions, buying additional time to transition away from failing
hash functions in the future. Additionally, this ballot replaces "entropy"
with "CSPRNG" to make the requirement clearer and easier to audit, and
clarifies that the serial number must be positive.
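
Added example, not part of the original message or the ballot text: one way a CA could draw a serial number from a CSPRNG, keep it positive, and confirm it is the second field of the tbsCertificate, so the random bits come before any data an applicant controls. The 64-bit count, the leading marker bit and all function names are assumptions of this sketch; the 20-octet limit is from RFC 5280.

```python
import secrets

MAX_SERIAL_OCTETS = 20  # RFC 5280 limit on the encoded serialNumber
RANDOM_BITS = 64        # assumed for this example; the message gives no figure


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative value."""
    if value < 0:
        raise ValueError("negative values are not handled here")
    # One extra bit is reserved for the sign, so a value whose top bit is set
    # gains a leading 0x00 octet and still decodes as positive.
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def new_serial(random_bits: int = RANDOM_BITS, rng=secrets.randbits) -> int:
    """Serial with `random_bits` CSPRNG bits below a fixed leading 1 bit.

    The marker bit (a choice made for this example) keeps the value non-zero
    and positive without spending a random bit on the sign.
    """
    return (1 << random_bits) | rng(random_bits)


def check_serial(serial: int) -> list[str]:
    """Return the reasons a serial is unacceptable (empty list means OK)."""
    if serial <= 0:
        return ["serial must be a positive integer"]
    if len(der_integer_content(serial)) > MAX_SERIAL_OCTETS:
        return ["serial exceeds 20 octets when DER-encoded"]
    return []


def tbs_leading_fields(serial: int) -> bytes:
    """DER of the first two tbsCertificate fields: version (v3), serialNumber.

    Only the outer SEQUENCE header precedes these bytes, which is why random
    bits in the serial act as a random prefix to the hashed data.
    """
    content = der_integer_content(serial)
    version_v3 = bytes.fromhex("a003020102")  # [0] EXPLICIT INTEGER 2
    return version_v3 + bytes([0x02, len(content)]) + content


if __name__ == "__main__":
    s = new_serial()
    print(hex(s), check_serial(s) or "ok", tbs_leading_fields(s).hex())
```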