Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

"Santosh Chokhani" <SChokhani@cygnacom.com> Tue, 30 December 2008 23:28 UTC

From: Santosh Chokhani <SChokhani@cygnacom.com>
To: Peter Hesse <pmhesse@geminisecurity.com>, RL 'Bob' Morgan <rlmorgan@washington.edu>, Paul Hoffman <paul.hoffman@vpnc.org>
Cc: ietf-pkix@imc.org, ietf-smime@imc.org, cfrg@irtf.org, saag@ietf.org
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

Peter,

Roots need not be replaced since they need protected migration and
storage.

Since the attack is computing a pre-image, I suspect that past MD5
certificates are safe until the attack was devised.

-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Peter Hesse
Sent: Tuesday, December 30, 2008 4:40 PM
To: 'RL 'Bob' Morgan'; 'Paul Hoffman'
Cc: ietf-pkix@imc.org; ietf-smime@imc.org; saag@ietf.org; cfrg@irtf.org
Subject: RE: [saag] Further MD5 breaks: Creating a rogue CA certificate


Ceasing the issuance of certificates with MD5 used in the signature doesn't
solve the problem of the certificates that have already been issued and are
still out there, any number of which may be rogue.

Replacing, or marking as untrusted, all root certificates which have any
current valid (i.e. non-expired, non-revoked) certificates with MD5 used in
the signature could have tremendous undesirable impact and be an untenable
solution.

The right tool for the job is a client-side solution to fail validation of
any signature which uses MD5, especially certificate signatures.  I will not
hold my breath for such a solution.

--Peter 

----------------------------------------------------------------
 Peter Hesse                       pmhesse@geminisecurity.com
 http://securitymusings.com         http://geminisecurity.com



-----Original Message-----
From: owner-ietf-smime@mail.imc.org
[mailto:owner-ietf-smime@mail.imc.org]
On Behalf Of RL 'Bob' Morgan
Sent: Tuesday, December 30, 2008 4:18 PM
To: Paul Hoffman
Cc: ietf-pkix@imc.org; ietf-smime@imc.org; saag@ietf.org; cfrg@irtf.org
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate



> Regardless of that, the authors of the MD5 paper are correct: trust 
> anchors signed with MD5 are highly questionable as of today (well, 
> actually, since they published their last paper). Hopefully, the 
> maintainers of the popular trust anchor repositories (Microsoft, 
> Mozilla, etc.) will yank out the trust anchors signed with MD5 (and 
> MD2!) as soon as possible.

This is a different claim than "CAs should stop issuing certs with MD5
signatures", which is what I as an amateur take away from a quick scan of
the material.  Obviously MD5 is suspect in various ways, but does this new
work lead to the conclusion that MD5-signed roots are untrustworthy today?
Replacing a root is a much bigger deal than changing signing practices.

  - RL "Bob"


_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
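Added illustration, not code from anyone in the thread: the client-side check Peter Hesse proposes, applied to a chain ordered leaf to trust anchor. A minimal DER walker (no external library) reads only the outer signatureAlgorithm of each certificate and flags the MD5- and MD2-based RSA OIDs; the sample chain is built from constructed stand-in structures, not real certificates.

```python
# Added illustration (not from the thread): Peter's client-side policy as code.
WEAK_SIG_OIDS = {                          # RFC 3279 RSA signature OIDs to reject
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                    # base-128 arcs, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _tlv(cert_der, 0)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _tbs, pos = _tlv(body, 0)           # skip tbsCertificate
    tag, alg, _ = _tlv(body, pos)          # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    assert tag == 0x30, "bad AlgorithmIdentifier"
    tag, oid, _ = _tlv(alg, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def weak_signatures(chain_der):
    """(index, algorithm) for each weakly signed cert in a leaf-to-anchor chain. A hit
    on the anchor (last index) is a trust-store decision: path validation never
    verifies the anchor's own self-signature (RFC 5280 section 6.1)."""
    oids = [signature_algorithm_oid(c) for c in chain_der]
    return [(i, WEAK_SIG_OIDS[o]) for i, o in enumerate(oids) if o in WEAK_SIG_OIDS]

# Constructed stand-ins: empty tbsCertificate, real AlgorithmIdentifier, dummy BIT STRING.
def _der(tag, value):
    return bytes([tag, len(value)]) + value   # short-form length suffices here
def fake_cert(oid_hex):
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))
SAMPLE_CHAIN = [fake_cert("2a864886f70d01010b"),   # leaf: sha256WithRSAEncryption
                fake_cert("2a864886f70d010104"),   # intermediate: md5WithRSAEncryption
                fake_cert("2a864886f70d010104")]   # root: md5WithRSAEncryption
```

On a real chain, feed `weak_signatures` the DER bytes of each certificate; a hit at any index below the anchor is exactly the validation failure Peter asks clients to enforce.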