Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

Jeffrey Hutzelman <jhutz@cmu.edu> Tue, 30 December 2008 18:34 UTC

Date: Tue, 30 Dec 2008 13:33:46 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Russ Housley <housley@vigilsec.com>, ietf-pkix@imc.org, ietf-smime@imc.org, saag@ietf.org, cfrg@irtf.org
Message-ID: <9535147E88DA266C69B983D0@atlantis.pc.cs.cmu.edu>
In-Reply-To: <200812301605.mBUG5cKU027325@raisinbran.srv.cs.cmu.edu>
References: <200812301605.mBUG5cKU027325@raisinbran.srv.cs.cmu.edu>
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

--On Tuesday, December 30, 2008 11:05:28 AM -0500 Russ Housley 
<housley@vigilsec.com> wrote:

> http://www.win.tue.nl/hashclash/rogue-ca/
>
> MD5 considered harmful today
> Creating a rogue CA certificate
>
> December 30, 2008
>
> Alexander Sotirov, Marc Stevens,
> Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de
> Weger
>
> We have identified a vulnerability in the Internet Public Key
> Infrastructure (PKI) used to issue digital certificates for secure
> websites. As a proof of concept we executed a practical attack scenario
> and successfully created a rogue Certification Authority (CA) certificate
> trusted by all common web browsers. This certificate allows us to
> impersonate any website on the Internet, including banking and e-commerce
> sites secured using the HTTPS protocol.
>
> Our attack takes advantage of a weakness in the MD5 cryptographic hash
> function that allows the construction of different messages with the same
> MD5 hash. This is known as an MD5 "collision". Previous work on MD5
> collisions between 2004 and 2007 showed that the use of this hash
> function in digital signatures can lead to theoretical attack scenarios.
> Our current work proves that at least one attack scenario can be
> exploited in practice, thus exposing the security infrastructure of the
> web to realistic threats.


This is a practical application of an approach that I remember being 
brought up during discussions about MD5 at a saag meeting some time ago.  I 
also recall someone mentioning at the time that many/most CAs were already 
issuing certificates with random rather than sequential serial numbers, 
which would have thwarted this particular attack.

-- Jeff
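The quoted announcement turns on MD5 collisions in certificate signatures, and Jeff's reply points at the mitigation: a serial number the attacker cannot predict sits near the start of the TBSCertificate the CA signs, so a chosen-prefix collision prepared in advance no longer matches what gets signed. The following audit script is an added example, not code from this thread, the hashclash team, or the IETF. It reads just enough DER to pull the serial number and the signature AlgorithmIdentifier out of a certificate and flags an md5WithRSAEncryption signature or a serial too short to carry 64 bits of entropy (the floor the CA/Browser Forum Baseline Requirements later adopted for CSPRNG output in serials; the threshold constant is this example's choice). The certificate it builds for the demonstration is a constructed, certificate-shaped placeholder, not a real or signed certificate, and the parser assumes well-formed DER.

```python
# Added example, not from the thread: audit a DER certificate for an
# MD5-based signature algorithm and for a serial number too short to
# hold the unpredictability that defeats a precomputed collision.
import os

MD5_RSA_OID = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
MIN_SERIAL_BITS = 64  # CA/Browser Forum floor for CSPRNG bits in a serial


def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """Positive INTEGER; a leading zero byte is kept when the sign bit would be set."""
    return der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def der_oid(dotted):
    """Encode a dotted OID: first two arcs packed, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def audit_tbs(tbs_der):
    """TBSCertificate ::= SEQUENCE { version [0] OPTIONAL, serialNumber, signature, ... }."""
    _, body, _ = read_tlv(tbs_der, 0)
    tag, field, pos = read_tlv(body, 0)
    if tag == 0xA0:                       # optional [0] EXPLICIT version
        tag, field, pos = read_tlv(body, pos)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    serial = int.from_bytes(field, "big", signed=True)
    _, alg, _ = read_tlv(body, pos)       # AlgorithmIdentifier SEQUENCE
    _, oid_body, _ = read_tlv(alg, 0)
    sig_oid = decode_oid(oid_body)
    findings = []
    if sig_oid == MD5_RSA_OID:
        findings.append("signature algorithm is md5WithRSAEncryption")
    if serial.bit_length() < MIN_SERIAL_BITS:
        findings.append(f"serial has {serial.bit_length()} bits; cannot hold "
                        f"{MIN_SERIAL_BITS} bits of entropy")
    return {"serial": serial, "sig_oid": sig_oid, "findings": findings}


def audit_certificate(cert_der):
    """Unwrap Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, _, tbs_end = read_tlv(cert_body, 0)
    return audit_tbs(cert_body[:tbs_end])


def new_serial(nbytes=16):
    """Random serial: top bit cleared so the INTEGER stays positive, never zero."""
    mask = (1 << (nbytes * 8 - 1)) - 1
    while True:
        n = int.from_bytes(os.urandom(nbytes), "big") & mask
        if n:
            return n


def build_cert(serial, sig_oid):
    """Constructed, certificate-shaped DER for exercising the auditor; not a real certificate."""
    alg = der(0x30, der_oid(sig_oid) + b"\x05\x00")
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + alg + der(0x30, b""))
    fake_sig = der(0x03, b"\x00" * 5)     # placeholder BIT STRING, not a signature
    return der(0x30, tbs + alg + fake_sig)


if __name__ == "__main__":
    for label, cert in [("sequential serial, MD5", build_cert(1234, MD5_RSA_OID)),
                        ("random serial, SHA-256", build_cert(new_serial(), SHA256_RSA_OID))]:
        print(label, "->", audit_certificate(cert)["findings"] or "no findings")
```

To run it against a real certificate, convert it with `openssl x509 -in cert.pem -outform DER -out cert.der` and pass the file's bytes to `audit_certificate`. The serial check only measures size: a 64-bit sequential counter would pass it, so pair it with the issuing CA's documented serial policy rather than treating it as proof of randomness.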
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag