From: Bill Stewart <stewarts@ix.netcom.com>
To: Greg Miller <gmiller@grendel.ius.indiana.edu>
Message Hash: c46866a11a833a3b1f7dfe50e3d16f9a5a4e432ab31a66693203765a9e544a8d
Message ID: <199510020737.AAA27256@ix7.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1995-10-02 07:37:33 UTC
Raw Date: Mon, 2 Oct 95 00:37:33 PDT
From: Bill Stewart <stewarts@ix.netcom.com>
Date: Mon, 2 Oct 95 00:37:33 PDT
To: Greg Miller <gmiller@grendel.ius.indiana.edu>
Subject: Re: Spoofing HTTP server certificates
Message-ID: <199510020737.AAA27256@ix7.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain
At 12:52 AM 10/2/95 -0400, Greg Miller <gmiller@grendel.ius.indiana.edu> wrote:
> Since there has been a lot of talk about the "man in the middle"
>attack on the secure web servers, has anyone actually considered the
>processing time required to fake a certificate from scratch?
> I haven't really familiarized myself with how the certificates
>are generated, etc, but it's my understanding that they are signed with RSA.
While I haven't seen Verisign's various public keys posted to the net,
and didn't see them anywhere on their web page, I assume they're at least
508 bits long, and the ones for better-than-personna certification
(or at least Class 3) ought to be ~1024 bits long, unless they're limiting
themselves to 512 bits to support software that's limited by ITAR stupidity
(which would be a shame, but is certainly possible.)
For the moment, breaking a 512-bit key remains hard, though maybe within the
NSA's reach. It's probably one of the next big factoring challenges after the
RSA-130 number is taken out by the General Number Field Sieve folks.
The better fake, which is much more possible, is to build a chain of
certifications
(trivial) and convince your victim to accept them instead of the real ones
(more doable, especially if some vendor's software isn't written carefully,
or is written carefully but requires the user to think about what he's reading.)
#---
# Thanks; Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---
Return to October 1995
Return to “jsw@neon.netscape.com (Jeff Weinstein)”