Re: [keyassure] Opening issue #21: "Need to specify which crypto

Phillip Hallam-Baker <> Wed, 02 March 2011 21:23 UTC


I was aware of that attack.

That is not a problem with the use of MD2 in a self-signed certificate.

That is a problem of having used MD2.

The problem there is that if you have a key that has been used to sign
with MD2, it is going to be permanently tainted regardless of what
place the cert is in the chain and regardless of what type of cert it
is. The attacker can 'correct' for any defect with respect to cert type,
validity interval etc.

There is only one effective defense against that attack and that is to
withdraw the MD2 algorithm from service.

You don't get any additional security from adding additional stronger
algorithms to the support list. You only get additional security from
withdrawing a weak algorithm from service.

Which is why I am arguing it is time to withdraw SHA1 from service. It
is only marginally more secure than MD5.

On Wed, Mar 2, 2011 at 12:24 PM, Martin Rex <> wrote:
> Phillip Hallam-Baker wrote:
>> The use of MD2 in a self-signed cert has little risk as far as use of
>> the cert itself goes since it only serves as proof of possession which
>> is only relevant when the browser provider chooses to install it in
>> the browser.
> In the universe where I live, there exist collision attacks against MD2.
>  (check
> So an RSA-key for which a PKCS#1 encrypted MD2 signature has been
> published is a real security problem and ought to have been discarded
> long ago.
> Else someone could try to use the preimage attack to issue himself
> an intermediate CA cert under such a root cert, reusing the md2-based
> signature on the RootCA cert.
> I would REALLY like to kill md2withRsaEncryption as a digital
> signature algorithm from our PKI implementation, like I did
> with all of the md4-based digital signature algorithms.
> Getting rid of "tainted" RSA keys is also important.
> Why do you think that FIPS 186-3 says that you are not allowed
> to use an RSA keypair for both PKCS-v1.5 and PKCS-PSS signatures?
> Because you "taint" your RSA key on the first time that you use it
> for a weak scheme.
> -Martin
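One defender-side way to apply the withdrawal argument above (a weak signature algorithm is refused wherever it appears in the chain, self-signed root included, rather than offset by adding stronger ones to the support list), as an added example that is not from the thread or any project's code: a deny-list check on the signatureAlgorithm of every certificate, built on a minimal DER walker and run over constructed stand-in certificates.

```python
# Added example, not from the thread: a minimal DER walker that reads a cert's
# outer signatureAlgorithm OID and rejects any chain containing a withdrawn digest.
WITHDRAWN = {  # signature algorithms the thread argues to withdraw (OIDs per RFC 3279)
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                   # base-128, MSB set = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """OID from Certificate.signatureAlgorithm (RFC 5280 section 4.1)."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, after_tbs = read_tlv(body, 0)                 # skip tbsCertificate
    _, alg_id, _ = read_tlv(body, after_tbs)            # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def check_chain(chain_der):
    """Deny-list every cert in the chain, root included; return (ok, offender)."""
    bad = [WITHDRAWN[o] for o in map(signature_algorithm_oid, chain_der) if o in WITHDRAWN]
    return (not bad, bad[0] if bad else None)

# Constructed stand-ins, not real certs: SEQUENCE { empty tbsCertificate, AlgorithmIdentifier { OID, NULL }, empty BIT STRING }.
CERT_MD2 = bytes.fromhex("30143000300d06092a864886f70d0101020500030100")
CERT_SHA256 = bytes.fromhex("30143000300d06092a864886f70d01010b0500030100")
```

The check is a deny list on purpose: extending the accepted set with stronger algorithms never changes its verdict, only removing a weak one from service does.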