[cryptography] Microsoft Sub-CA used in malware signing

Marsh Ray marsh at extendedsubset.com
Sun Jun 10 18:33:51 EDT 2012


On 06/10/2012 03:03 PM, Florian Weimer wrote:
>
> Does this mean they've seen the original certificate in addition to
> the evil twin?
>
> Until then, there is another explanation besides an advance in
> cryptanalysis.  Just saying. 8-)

I guess I look at it like this:

Start with the simplest explanation:

	e0 - attacker implements cert collision attack much like that
              demonstrated by Stevens et al. in 2008, but having some
	     different characteristics

Then take each explanation in turn from the e1 - eN other possible 
explanations like:

	e1 - attacker compromises system holding the RSA signing key
	e2 - attacker bribes Microsoft personnel into issuing evil cert
	e3 - attacker factors 1024 bit RSA
	e4 - attacker finds second preimage on MD5
	e5 - ... and so on

Then to that explanation add the additional requirement:

	... *and* fools Marc Stevens into thinking it's a cert collision
	attack much like that demonstrated in 2008, but having
	some different characteristics.

So it's an advance in cryptanalysis either way. :-)

- Marsh



More information about the cryptography mailing list