International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Target Collisions for MD5 and Colliding X.509 Certificates for Different Identities

Authors:
Marc Stevens
Arjen Lenstra
Benne de Weger
Download:
URL: http://eprint.iacr.org/2006/360
Search ePrint
Search Google
Abstract: We have shown how, at a cost of about $2^{52}$ calls to the MD5 compression function, for any two target messages $m_1$ and $m_2$, values $b_1$ and $b_2$ can be constructed such that the concatenated values $m_1\|b_1$ and $m_2\|b_2$ collide under MD5. Although the practical attack potential of this construction of \emph{target collisions} is limited, it is of greater concern than random collisions for MD5. In this note we sketch our construction. To illustrate its practicality, we present two MD5 based X.509 certificates with identical signatures but different public keys \emph{and} different Distinguished Name fields, whereas our previous construction of colliding X.509 certificates required identical name fields. We speculate on other possibilities for abusing target collisions.
BibTeX
@misc{eprint-2006-21851,
  title={Target Collisions for MD5 and Colliding X.509 Certificates for Different Identities},
  booktitle={IACR Eprint archive},
  keywords={applications / Hash collisions, X.509 certificates},
  url={http://eprint.iacr.org/2006/360},
  note={Accepted at EuroCrypt 2007 b.m.m.d.weger@tue.nl 13577 received 23 Oct 2006, last revised 5 Mar 2007},
  author={Marc Stevens and Arjen Lenstra and Benne de Weger},
  year=2006
}