[Dshield] Digital sigs cracked (was: Re: Self-signed certificates)

Don Jackson dwjackson at bcbsal.org
Thu Jun 16 14:34:27 GMT 2005

This regards newly discovered "collisions" (where two messages
result in the same hash code) in the SHA-1 algorithm.   MD5 was
"cracked" some time ago using the same methods.

The odds of any two messages having the same hash code is
small.  Possible, yes.

The odds that these messages could be construed as
meaningful -- that is, that they are low-entropy, structured
using a format or syntax for communication that makes
sense to any person or system -- is infinitesimal!

>>> cbrenton at chrisbrenton.org 6/16/2005 5:33 AM >>>
Since we're on the subject of digital signing, thought folks might find
this interesting if they have not run across it yet. Its specific to
postscript, but could easily be adapted to other file types:


Cryptographers have found a way to snip a digital signature from one
document and attach it to a fraudulent document without invalidating the
signature and giving the fraud away. 

The development means that attackers could potentially forge legal
documents, load certified software with bogus code, or turn a
digitally-signed letter of recommendation into one that authorizes
access to private information.

*** *** *** *** *** *** *** *** *** ***
This e-mail is intended for the sole use of the individual(s) to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law.  You are hereby notified that any dissemination, duplication, or distribution of this transmission by someone other than the intended addressee or its designated agent is strictly prohibited.  If you receive this e-mail in error, please notify me immediately by replying to this e-mail.
*** *** *** *** *** *** *** *** *** ***

More information about the list mailing list