cr-marcstevens / hashclash

Project HashClash - MD5 & SHA-1 cryptanalysis

Rogue CA generation details questions #20

Closed fxsecltd closed 7 months ago

fxsecltd commented 7 months ago

Hello Marc! Please, could you be so kind as to explain what I need to replay the rogue CA certificate generation? If it is possible, answer me as briefly as possible (if it is too complicated to explain in full detail).

What data do I need for the 1st block (as I understand, it has almost unchangeable data from the x509 ASN structure: version, CN, etc.), with a size of 64 bytes?

What data do I need for the 2nd block (as I understand, it has similar blocks from the RSA public key, unchangeable in both certificates), with a size of 64 bytes?

What software can be used for generating larger RSA keys, and how, taking into account existing collisions?

Anyway, thank you in advance for your attention to my question.

cr-marcstevens commented 7 months ago

You need to be able to craft your own certificates. Then you need to decide where to put the collision blocks. Before that point you can freely choose the content of each certificate; after the collision blocks they need to be the same.

For the rogue CA we put the collision blocks at the end of the certificate in a comment field. For the web cert signed by a CA the format was very strict, so the collision blocks needed to be put in the public key field. We used a very long domain name to align the structures between the 2 certificates.

We then generated a 3-block chosen-prefix collision using 215 PlayStation 3s. Only after that did we exploit the remaining bits of the public key to make it a complete modulus of which we knew the factorisation. Note that it doesn't need to be a secure RSA key with two equal-size random primes; you just need to be able to generate a signature that will be verified correctly.
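Added example, not part of the thread and not HashClash code: a toy Merkle-Damgård hash with a 24-bit chaining state (truncated MD5 as compression function) that shows the layout rule from the comment above, where the prefixes differ, the collision blocks merge the chaining state at a 64-byte boundary, and an identical tail keeps the digests equal. The plain birthday search, all function names and the sample strings are assumptions of this sketch; the real construction targets full MD5 and is far more involved.

```python
import hashlib
from itertools import count

BLOCK = 64   # MD5 block size in bytes
STATE = 3    # toy 24-bit chaining value, so a collision is found in seconds
IV = bytes(STATE)

def compress(state, block):
    """Toy compression function: truncated MD5 over state || block."""
    return hashlib.md5(state + block).digest()[:STATE]

def absorb(state, data):
    """Feed whole blocks through the chain and return the final state."""
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_hash(msg):
    """Merkle-Damgard hash with MD5-style length padding."""
    pad = b"\x80" + bytes((-len(msg) - 9) % BLOCK) + (8 * len(msg)).to_bytes(8, "little")
    return absorb(IV, msg + pad)

def align(prefix):
    """Pad a prefix to a block boundary (filler stands in for the long domain name)."""
    return prefix + b"A" * (-len(prefix) % BLOCK)

def collision_blocks(prefix_a, prefix_b):
    """Birthday search: one block per side that brings both chains to one state."""
    sa, sb = absorb(IV, prefix_a), absorb(IV, prefix_b)
    seen_a, seen_b = {}, {}
    for n in count():
        blk = n.to_bytes(BLOCK, "big")
        ha, hb = compress(sa, blk), compress(sb, blk)
        seen_a.setdefault(ha, blk)
        seen_b.setdefault(hb, blk)
        if ha in seen_b:
            return blk, seen_b[ha]
        if hb in seen_a:
            return seen_a[hb], blk

# Constructed sample data, not real certificate bytes.
PREFIX_A = align(b"toy cert A | CN=a.example.test | ")
PREFIX_B = align(b"toy cert B | CN=b.example.test | extra field | ")
SUFFIX = b"| shared tail"

def demo():
    """Return two colliding messages and a third whose tail differs after the blocks."""
    blk_a, blk_b = collision_blocks(PREFIX_A, PREFIX_B)
    msg_a, msg_b = PREFIX_A + blk_a + SUFFIX, PREFIX_B + blk_b + SUFFIX
    return msg_a, msg_b, PREFIX_B + blk_b + SUFFIX + b"!"
```

Because the chaining states are equal after the collision blocks, any identical tail (including the length padding) preserves the match, while the third message, whose tail differs, hashes differently.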

cr-marcstevens commented 7 months ago

This is all public record and detailed in our 25c3 talk and our CRYPTO 2009 paper.

fxsecltd commented 7 months ago

Many thanks, I'll read it!