rsa-md5-collision README -- Information about rsa-md5-collision self tests. Copyright (C) 2006-2012 Free Software Foundation, Inc. See the end for copying conditions. This directory contains colliding X.509 certificates for different identities, from: http://www.win.tue.nl/hashclash/TargetCollidingCertificates/ The certificates are used by a simple self-test script, rsa-md5-collision, that check to make sure that GnuTLS reject both certificate chains. Below is the e-mail exchanges with the authors where they agree to release the certificates under a permissive license, that allow the files to be included here. X-Hashcash: 1:22:061024:m.m.j.stevens@student.tue.nl::NIoLZwQj6TTZ4YZK:BUuA X-Hashcash: 1:22:061024:arjen.lenstra@epfl.ch::NgTq8sJW1QBlX/rv:g9Z From: Simon Josefsson To: "Weger\, B.M.M. de" , m.m.j.stevens@student.tue.nl, arjen.lenstra@epfl.ch Subject: Re: target collisions and colliding certificates with different identities References: OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Draft-From: ("gmane.ietf.irtf.cfrg" 784) X-Hashcash: 1:22:061024:b.m.m.d.weger@tue.nl::aYYmnRc08nJKaUMk:6ddD Date: Tue, 24 Oct 2006 08:28:07 +0200 In-Reply-To: (B. M. M. de Weger's message of "Mon\, 23 Oct 2006 23\:58\:21 +0200") Message-ID: <87ods2grd4.fsf@latte.josefsson.org> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Lines: 48 Xref: localhost.localdomain rsa-md5:1 Great work, thanks! I'd like to include your certificates in GnuTLS, a TLS implementation that supports X.509, as self-tests of the certificate verification logic. Is this OK with you? Btw, Gnutls rejected the certificates, we already disable MD5 for verification purposes. :) For our legal department, I'd like a clarification of the license on the data, would you agree to release the certificates under the following license? Copyright (c) 1996 Marc Stevens, Arjen K. Lenstra, Benne de Weger Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. Also, if any other authors contributed, they would have to agree to this license as well. Are there other authors? Best regards, and thanks in advance, Simon "Weger, B.M.M. de" writes: > Hi all, > > We announce: > - an example of a target collision for MD5; this means: > for two chosen messages m1 and m2 we have constructed > appendages b1 and b2 to make the messages collide > under MD5, i.e. MD5(m1||b1) = MD5(m2||b2); > said differently: we can cause an MD5 collision for > any pair of distinct IHVs; > - an example of a pair of valid, unsuspicious X.509 > certificates with distinct Distinguished Name fields, > but identical CA signatures; this example makes use > of the target collision. > > See http://www.win.tue.nl/hashclash/TargetCollidingCertificates/, > where the certificates and a more detailed announcement > can be found. > > Marc Stevens > Arjen Lenstra > Benne de Weger Return-Path: Received: from yxa.extundo.com ([unix socket]) by yxa-iv (Cyrus v2.1.18-IPv6-Debian-2.1.18-1+sarge2) with LMTP; Tue, 24 Oct 2006 08:32:12 +0200 X-Sieve: CMU Sieve 2.2 Received: from smtp1.epfl.ch (smtp1.epfl.ch [128.178.50.22]) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with SMTP id k9O6VvPx016489 for ; Tue, 24 Oct 2006 08:31:57 +0200 Received: (qmail 16665 invoked by uid 107); 24 Oct 2006 06:31:51 -0000 Received: from mailav1.epfl.ch (128.178.50.190) by smtp1.epfl.ch with SMTP; 24 Oct 2006 06:31:51 -0000 Received: from (smtp2.epfl.ch [128.178.50.133]) by MAILAV1.epfl.ch with smtp id 3c76_55596730_6329_11db_9dfc_001143d18479; Tue, 24 Oct 2006 08:31:51 +0200 Received: from rex1.epfl.ch (128.178.50.178) by smtp2.epfl.ch (AngelmatoPhylax SMTP proxy); Tue, 24 Oct 2006 08:31:51 +0200 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: target collisions and colliding certificates with different identities Date: Tue, 24 Oct 2006 08:31:42 +0200 Message-ID: In-Reply-To: <87ods2grd4.fsf@latte.josefsson.org> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: target collisions and colliding certificates with different identities Thread-Index: Acb3NZO8kzaCp7NPSV29z2Ydtt/p5gAAEyEg From: "Arjen Lenstra" To: "Simon Josefsson" , "Weger, B.M.M. de" , X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.1.1 X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on yxa-iv X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Lines: 75 Xref: localhost.localdomain rsa-md5:2 Hi, Thanks! I can't speak for my coauthors, but it's all fine with me, though I find = the year in your proposed copyright statement a bit odd (I would have = expected 2006). There are no more authros involved. best regards, Arjen Lenstra ---------------- Arjen K. Lenstra a k l @ e p f l . c h EPFL IC LACAL INJ 330 (B=E2timent INJ) Station 14 CH-1015 Lausanne, Switzerland T=E9l: + 41 21 693 8101 Fax: + 41 21 693 7550 =20 =20 -----Original Message----- From: Simon Josefsson [mailto:jas@extundo.com]=20 Sent: Tuesday, October 24, 2006 8:28 AM To: Weger, B.M.M. de; m.m.j.stevens@student.tue.nl; Arjen Lenstra Subject: Re: target collisions and colliding certificates with different = identities Great work, thanks! I'd like to include your certificates in GnuTLS, a TLS implementation that supports X.509, as self-tests of the certificate verification logic. Is this OK with you? Btw, Gnutls rejected the certificates, we already disable MD5 for verification purposes. :) For our legal department, I'd like a clarification of the license on the data, would you agree to release the certificates under the following license? Copyright (c) 1996 Marc Stevens, Arjen K. Lenstra, Benne de Weger Copying and distribution of this file, with or without = modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. Also, if any other authors contributed, they would have to agree to this license as well. Are there other authors? Best regards, and thanks in advance, Simon "Weger, B.M.M. de" writes: > Hi all, > > We announce: > - an example of a target collision for MD5; this means:=20 > for two chosen messages m1 and m2 we have constructed=20 > appendages b1 and b2 to make the messages collide=20 > under MD5, i.e. MD5(m1||b1) =3D MD5(m2||b2); > said differently: we can cause an MD5 collision for=20 > any pair of distinct IHVs; > - an example of a pair of valid, unsuspicious X.509=20 > certificates with distinct Distinguished Name fields,=20 > but identical CA signatures; this example makes use=20 > of the target collision. > > See http://www.win.tue.nl/hashclash/TargetCollidingCertificates/, > where the certificates and a more detailed announcement=20 > can be found. > > Marc Stevens > Arjen Lenstra > Benne de Weger From: Simon Josefsson To: "Arjen Lenstra" Cc: "Weger\, B.M.M. de" , Subject: Re: target collisions and colliding certificates with different identities References: OpenPGP: id=B565716F; url=http://josefsson.org/key.txt X-Draft-From: ("nnimap+yxa:INBOX.private.2006.10" 623) X-Hashcash: 1:22:061024:b.m.m.d.weger@tue.nl::pMR7JuXUTTt/Zjut:0aGD X-Hashcash: 1:22:061024:arjen.lenstra@epfl.ch::juw1iXMSKV62mZGj:CBbu X-Hashcash: 1:22:061024:m.m.j.stevens@student.tue.nl::SJdQwxRXP39Dw2C4:n6ia Date: Tue, 24 Oct 2006 08:43:59 +0200 In-Reply-To: (Arjen Lenstra's message of "Tue\, 24 Oct 2006 08\:31\:42 +0200") Message-ID: <87d58igqmo.fsf@latte.josefsson.org> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Lines: 80 Xref: localhost.localdomain rsa-md5:3 "Arjen Lenstra" writes: > Hi, > Thanks! > I can't speak for my coauthors, but it's all fine with me, though I > find the year in your proposed copyright statement a bit odd (I > would have expected 2006). There are no more authros involved. Thanks. Duh, I meant 2006, of course. I'd appreciate if Marc and Benne also replied. /Simon > best regards, Arjen Lenstra > > ---------------- > Arjen K. Lenstra a k l @ e p f l . c h > EPFL IC LACAL > INJ 330 (Bâtiment INJ) > Station 14 > CH-1015 Lausanne, Switzerland > Tél: + 41 21 693 8101 > Fax: + 41 21 693 7550 > > > > -----Original Message----- > From: Simon Josefsson [mailto:jas@extundo.com] > Sent: Tuesday, October 24, 2006 8:28 AM > To: Weger, B.M.M. de; m.m.j.stevens@student.tue.nl; Arjen Lenstra > Subject: Re: target collisions and colliding certificates with different identities > > Great work, thanks! > > I'd like to include your certificates in GnuTLS, a TLS implementation > that supports X.509, as self-tests of the certificate verification > logic. Is this OK with you? > > Btw, Gnutls rejected the certificates, we already disable MD5 for > verification purposes. :) > > For our legal department, I'd like a clarification of the license on > the data, would you agree to release the certificates under the > following license? > > Copyright (c) 1996 Marc Stevens, Arjen K. Lenstra, Benne de Weger > > Copying and distribution of this file, with or without modification, > are permitted in any medium without royalty provided the copyright > notice and this notice are preserved. > > Also, if any other authors contributed, they would have to agree to > this license as well. Are there other authors? > > Best regards, and thanks in advance, > Simon > > "Weger, B.M.M. de" writes: > >> Hi all, >> >> We announce: >> - an example of a target collision for MD5; this means: >> for two chosen messages m1 and m2 we have constructed >> appendages b1 and b2 to make the messages collide >> under MD5, i.e. MD5(m1||b1) = MD5(m2||b2); >> said differently: we can cause an MD5 collision for >> any pair of distinct IHVs; >> - an example of a pair of valid, unsuspicious X.509 >> certificates with distinct Distinguished Name fields, >> but identical CA signatures; this example makes use >> of the target collision. >> >> See http://www.win.tue.nl/hashclash/TargetCollidingCertificates/, >> where the certificates and a more detailed announcement >> can be found. >> >> Marc Stevens >> Arjen Lenstra >> Benne de Weger Return-Path: Received: from yxa.extundo.com ([unix socket]) by yxa-iv (Cyrus v2.1.18-IPv6-Debian-2.1.18-1+sarge2) with LMTP; Tue, 24 Oct 2006 09:23:28 +0200 X-Sieve: CMU Sieve 2.2 Received: from ipact2.infopact.nl (ipact2.infopact.nl [212.29.160.71]) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id k9O7NIbh023920 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 24 Oct 2006 09:23:22 +0200 Received: from ipact2.infopact.nl (localhost.localdomain [127.0.0.1]) by ipact2.infopact.nl (8.13.7/8.13.7) with ESMTP id k9O7NAZd008636 for ; Tue, 24 Oct 2006 09:23:11 +0200 Received: (from defang@localhost) by ipact2.infopact.nl (8.13.7/8.13.7/Submit) id k9O7J939006762 for ; Tue, 24 Oct 2006 09:19:09 +0200 Received: from smtp.banaan.org (72-130-ftth.onsnet.nu [88.159.130.72]) by ipact2.infopact.nl (envelope-sender ) (MIMEDefang) with ESMTP id k9O7J72W006742; Tue, 24 Oct 2006 09:19:09 +0200 (CEST) Received: by smtp.banaan.org (Postfix, from userid 1018) id DE1B689D80; Tue, 24 Oct 2006 09:19:06 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on yxa-iv X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO autolearn=ham version=3.1.1 Received: from s478591 (cp688553-a.tilbu1.nb.home.nl [84.24.55.50]) by smtp.banaan.org (Postfix) with ESMTP id 5EE4889EF9; Tue, 24 Oct 2006 09:18:57 +0200 (CEST) Message-ID: <03cf01c6f73c$a8923390$8702a8c0@s478591> From: "Marc Stevens" To: "Simon Josefsson" , "Arjen Lenstra" Cc: "Weger, B.M.M. de" References: <87d58igqmo.fsf@latte.josefsson.org> Subject: Re: target collisions and colliding certificates with different identities Date: Tue, 24 Oct 2006 09:18:50 +0200 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2869 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962 X-Scanned-By: MIMEDefang - SpamAssassin on 212.29.160.71 X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Status: Clean Lines: 101 Xref: localhost.localdomain rsa-md5:4 Hi Simon, Thanks! I am also okay with the proposed license. Kind regards, Marc ----- Original Message ----- From: "Simon Josefsson" To: "Arjen Lenstra" Cc: "Weger, B.M.M. de" ; Sent: Tuesday, October 24, 2006 8:43 AM Subject: Re: target collisions and colliding certificates with different identities > "Arjen Lenstra" writes: > >> Hi, >> Thanks! >> I can't speak for my coauthors, but it's all fine with me, though I >> find the year in your proposed copyright statement a bit odd (I >> would have expected 2006). There are no more authros involved. > > Thanks. Duh, I meant 2006, of course. I'd appreciate if Marc and > Benne also replied. > > /Simon > >> best regards, Arjen Lenstra >> >> ---------------- >> Arjen K. Lenstra a k l @ e p f l . c h >> EPFL IC LACAL >> INJ 330 (Bâtiment INJ) >> Station 14 >> CH-1015 Lausanne, Switzerland >> Tél: + 41 21 693 8101 >> Fax: + 41 21 693 7550 >> >> >> >> -----Original Message----- >> From: Simon Josefsson [mailto:jas@extundo.com] >> Sent: Tuesday, October 24, 2006 8:28 AM >> To: Weger, B.M.M. de; m.m.j.stevens@student.tue.nl; Arjen Lenstra >> Subject: Re: target collisions and colliding certificates with different >> identities >> >> Great work, thanks! >> >> I'd like to include your certificates in GnuTLS, a TLS implementation >> that supports X.509, as self-tests of the certificate verification >> logic. Is this OK with you? >> >> Btw, Gnutls rejected the certificates, we already disable MD5 for >> verification purposes. :) >> >> For our legal department, I'd like a clarification of the license on >> the data, would you agree to release the certificates under the >> following license? >> >> Copyright (c) 1996 Marc Stevens, Arjen K. Lenstra, Benne de Weger >> >> Copying and distribution of this file, with or without modification, >> are permitted in any medium without royalty provided the copyright >> notice and this notice are preserved. >> >> Also, if any other authors contributed, they would have to agree to >> this license as well. Are there other authors? >> >> Best regards, and thanks in advance, >> Simon >> >> "Weger, B.M.M. de" writes: >> >>> Hi all, >>> >>> We announce: >>> - an example of a target collision for MD5; this means: >>> for two chosen messages m1 and m2 we have constructed >>> appendages b1 and b2 to make the messages collide >>> under MD5, i.e. MD5(m1||b1) = MD5(m2||b2); >>> said differently: we can cause an MD5 collision for >>> any pair of distinct IHVs; >>> - an example of a pair of valid, unsuspicious X.509 >>> certificates with distinct Distinguished Name fields, >>> but identical CA signatures; this example makes use >>> of the target collision. >>> >>> See http://www.win.tue.nl/hashclash/TargetCollidingCertificates/, >>> where the certificates and a more detailed announcement >>> can be found. >>> >>> Marc Stevens >>> Arjen Lenstra >>> Benne de Weger > Return-Path: Received: from yxa.extundo.com ([unix socket]) by yxa-iv (Cyrus v2.1.18-IPv6-Debian-2.1.18-1+sarge2) with LMTP; Tue, 24 Oct 2006 10:55:48 +0200 X-Sieve: CMU Sieve 2.2 Received: from mailhost.tue.nl (mailhost.tue.nl [131.155.2.19]) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id k9O8te8O005696 for ; Tue, 24 Oct 2006 10:55:40 +0200 Received: from localhost (localhost [127.0.0.1]) by mailhost.tue.nl (Postfix) with ESMTP id B6C745C297; Tue, 24 Oct 2006 10:55:39 +0200 (CEST) X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com X-Virus-Scanned: amavisd-new at tue.nl Received: from mailhost.tue.nl ([131.155.2.19]) by localhost (pastinakel.tue.nl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 84pZYnFvD8HO; Tue, 24 Oct 2006 10:55:39 +0200 (CEST) Received: from EXCHANGE3.campus.tue.nl (xserver3.campus.tue.nl [131.155.6.6]) by mailhost.tue.nl (Postfix) with ESMTP id 1CFE55C293; Tue, 24 Oct 2006 10:55:39 +0200 (CEST) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: target collisions and colliding certificates with different identities Date: Tue, 24 Oct 2006 10:55:38 +0200 Message-ID: In-Reply-To: <87d58igqmo.fsf@latte.josefsson.org> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: target collisions and colliding certificates with different identities Thread-Index: Acb3N816trM39dt6Tmef1RZSgSRhMQAEdpog From: "Weger, B.M.M. de" To: "Simon Josefsson" Cc: "Stevens, M.M.J." , "Arjen Lenstra" X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.1.1 X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on yxa-iv X-Virus-Status: Clean Lines: 123 Xref: localhost.localdomain rsa-md5:5 Hi Simon, When your software rejects any MD5 certificate I don't see why you would use our colliding ones, doesn't it mean that you'll=20 have more explaining to do? But when you want it this way, it's fine with me too. Grtz, Benne =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Technische Universiteit Eindhoven Coding & Crypto Groep Faculteit Wiskunde en Informatica Den Dolech 2 Postbus 513 5600 MB Eindhoven kamer: HG 9.84 tel.: (040) 247 2704, bgg 5141 e-mail: b.m.m.d.weger@tue.nl www: http://www.win.tue.nl/~bdeweger =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 > -----Original Message----- > From: Simon Josefsson [mailto:jas@extundo.com]=20 > Sent: dinsdag 24 oktober 2006 8:44 > To: Arjen Lenstra > Cc: Weger, B.M.M. de; Stevens, M.M.J. > Subject: Re: target collisions and colliding certificates=20 > with different identities >=20 > "Arjen Lenstra" writes: >=20 > > Hi, > > Thanks! > > I can't speak for my coauthors, but it's all fine with me, though I > > find the year in your proposed copyright statement a bit odd (I > > would have expected 2006). There are no more authros involved. >=20 > Thanks. Duh, I meant 2006, of course. I'd appreciate if Marc and > Benne also replied. >=20 > /Simon >=20 > > best regards, Arjen Lenstra > > > > ---------------- > > Arjen K. Lenstra a k l @ e p f l . c h > > EPFL IC LACAL > > INJ 330 (B=E2timent INJ) > > Station 14 > > CH-1015 Lausanne, Switzerland > > T=E9l: + 41 21 693 8101 > > Fax: + 41 21 693 7550 > > =20 > > =20 > > > > -----Original Message----- > > From: Simon Josefsson [mailto:jas@extundo.com]=20 > > Sent: Tuesday, October 24, 2006 8:28 AM > > To: Weger, B.M.M. de; m.m.j.stevens@student.tue.nl; Arjen Lenstra > > Subject: Re: target collisions and colliding certificates=20 > with different identities > > > > Great work, thanks! > > > > I'd like to include your certificates in GnuTLS, a TLS=20 > implementation > > that supports X.509, as self-tests of the certificate=20 > verification > > logic. Is this OK with you? > > > > Btw, Gnutls rejected the certificates, we already disable MD5 for > > verification purposes. :) > > > > For our legal department, I'd like a clarification of the license on > > the data, would you agree to release the certificates under the > > following license? > > > > Copyright (c) 1996 Marc Stevens, Arjen K. Lenstra,=20 > Benne de Weger > > > > Copying and distribution of this file, with or without=20 > modification, > > are permitted in any medium without royalty provided=20 > the copyright > > notice and this notice are preserved. > > > > Also, if any other authors contributed, they would have to agree to > > this license as well. Are there other authors? > > > > Best regards, and thanks in advance, > > Simon > > > > "Weger, B.M.M. de" writes: > > > >> Hi all, > >> > >> We announce: > >> - an example of a target collision for MD5; this means:=20 > >> for two chosen messages m1 and m2 we have constructed=20 > >> appendages b1 and b2 to make the messages collide=20 > >> under MD5, i.e. MD5(m1||b1) =3D MD5(m2||b2); > >> said differently: we can cause an MD5 collision for=20 > >> any pair of distinct IHVs; > >> - an example of a pair of valid, unsuspicious X.509=20 > >> certificates with distinct Distinguished Name fields,=20 > >> but identical CA signatures; this example makes use=20 > >> of the target collision. > >> > >> See http://www.win.tue.nl/hashclash/TargetCollidingCertificates/, > >> where the certificates and a more detailed announcement=20 > >> can be found. > >> > >> Marc Stevens > >> Arjen Lenstra > >> Benne de Weger >=20 ---------------------------------------------------------------------- Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.