[keyassure] crypto hash alg deprecation is a myth

Martin Rex <mrex@sap.com> Thu, 03 March 2011 05:08 UTC

Return-Path: <mrex@sap.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9037E3A6967 for <keyassure@core3.amsl.com>; Wed, 2 Mar 2011 21:08:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.235
X-Spam-Level:
X-Spam-Status: No, score=-10.235 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ACA9N8UGVKwr for <keyassure@core3.amsl.com>; Wed, 2 Mar 2011 21:08:13 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 420173A6960 for <keyassure@ietf.org>; Wed, 2 Mar 2011 21:08:13 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p2359GEx029569 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 3 Mar 2011 06:09:17 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201103030509.p2359FSK025866@fs4113.wdf.sap.corp>
To: hallam@gmail.com (Phillip Hallam-Baker)
Date: Thu, 3 Mar 2011 06:09:15 +0100 (MET)
In-Reply-To: <AANLkTinsXqdKgmo4=1kruFhNi1gTydTwhg1cZxFM0qo7@mail.gmail.com> from "Phillip Hallam-Baker" at Mar 2, 11 06:09:11 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: keyassure@ietf.org
Subject: [keyassure] crypto hash alg deprecation is a myth
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2011 05:08:14 -0000

Phillip Hallam-Baker wrote:
> 
> Further, even though we stopped using MD5 in the mid 90s

This seems wrong for most "we" and most environments
that I can think of, certainly for the use of TLS on the internet.

The very little thing that TLSv1.0 changed at the beginning
of the new millenium is that it removed MD5 from the PRF that
derives the TLS session master-secret and traffic keys.
TLS did not affect in any way the use of MD5 for digitial signatures.


On my scorecard, neither deprecation of the MD5 hash
algorithms, nor migration away from MD5 hash algorithm
has happend so far.


Firefox happily verifies md5WithRsaEncryption signatures on TLS server
certs.  Only digital signature algorithms based on MD4 and MD2
seem to have been disabled since 3.0.something.


MSIE 8 on Windows 7 (and prior) will happily talk to TLS servers
using certs signed not only with md5WithRsaSignature, but also
md2WithRsaSignature and even (**cough**) md4WithRsaSignature!

Some may think "but Windows has a FIPS-compliant crypto algs switch".
This (carefully hidden) switch disables SSLv3, but does NOT
affect the acceptance of TLS server certificates signed with
md5withRsaEncryption, md2WithRsaEncryption or md4WithRsaEncryption.


(If it is possible to disable md5WithRsaEncryption signature verification
 in Firefox 3.5 -- then it is sufficiently well hidden that I don't
 see it.)


To me, the claim that MD5 in digital signatures was deprecated
in mid-90's is seriously defying the real world.  It may have
happened in small isolated environments, but it definitely did
not happen yet where TLS is used on the internet today.



I'm puzzled why so many commercial CAs are fiercly resisting
the deprecation of obsolete digital signature algorithms such
as md2WithRsaEncryption and md5WithRsaEncryption by continuing
to distribute TrustAnchors as self-signed X.509 certs with such
signatures on them.  Look in the cert store of your favourite
browser, or look into Microsofts TrustList distribution that
my Windows box tries polling from here:

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab


-Martin