Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

pgut001@cs.auckland.ac.nz (Peter Gutmann) Wed, 31 December 2008 01:50 UTC

Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 547DC3A69B7; Tue, 30 Dec 2008 17:50:09 -0800 (PST)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AB4C83A69B7 for <saag@core3.amsl.com>; Tue, 30 Dec 2008 17:50:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.049
X-Spam-Level:
X-Spam-Status: No, score=-4.049 tagged_above=-999 required=5 tests=[AWL=-0.450, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ajx457X6i17H for <saag@core3.amsl.com>; Tue, 30 Dec 2008 17:50:08 -0800 (PST)
Received: from mailhost.auckland.ac.nz (curly.its.auckland.ac.nz [130.216.12.33]) by core3.amsl.com (Postfix) with ESMTP id B598A3A693D for <saag@ietf.org>; Tue, 30 Dec 2008 17:50:07 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id C6E079D3C9; Wed, 31 Dec 2008 14:20:45 +1300 (NZDT)
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Received: from mailhost.auckland.ac.nz ([127.0.0.1]) by localhost (curly.its.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JJ47zQCpU9p7; Wed, 31 Dec 2008 14:20:45 +1300 (NZDT)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id EF5B69D3C8; Wed, 31 Dec 2008 14:20:44 +1300 (NZDT)
Received: from wintermute01.cs.auckland.ac.nz (wintermute01.cs.auckland.ac.nz [130.216.34.38]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 0EEEE1BE4002; Wed, 31 Dec 2008 14:20:40 +1300 (NZDT)
Received: from pgut001 by wintermute01.cs.auckland.ac.nz with local (Exim 4.63) (envelope-from <pgut001@wintermute01.cs.auckland.ac.nz>) id 1LHplH-0006Xw-V6; Wed, 31 Dec 2008 14:20:39 +1300
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: paul.hoffman@vpnc.org, pmhesse@geminisecurity.com, rlmorgan@washington.edu
In-Reply-To: <08bb01c96ac7$1cd5a750$5680f5f0$@com>
Message-Id: <E1LHplH-0006Xw-V6@wintermute01.cs.auckland.ac.nz>
Date: Wed, 31 Dec 2008 14:20:39 +1300
Cc: ietf-pkix@imc.org, ietf-smime@imc.org, cfrg@irtf.org, saag@ietf.org
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

"Peter Hesse" <pmhesse@geminisecurity.com> writes:

>Ceasing the issuance of certificates with MD5 used in the signature doesn't
>solve the problem of the certificates that have already been issued and are
>still out there, any number of which may be rogue.
>
>Replacing, or marking as untrusted all root certificates which have any
>current valid (i.e. non-expired, non-revoked) certificates with MD5 used in
>the signature could have tremendous undesirable impact and be an untenable
>solution.

I hate to be the one to point to the elephant in the room (well OK, I don't
hate it, it's rather fun actually) but you need to keep this in perspective:
one in ten AuthentiCode-signed Windows binaries is malware, and cybercrooks
have no problems at all obtaining certs from commercial CAs using stolen
identities and credentials for pretty much any use they want.  The current MD5
attack is very cool but there's no need to worry about bad guys doing much
with it because it's much, much easier to get legitimate CA-issued certs the
normal way, you buy them just like everyone else does (except that you use
someone else's credit card and identity, obviously).

In other words, if this problem is fixed, would anyone other than security
geeks even notice?  I doubt the crooks will.

Peter.
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag