Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

"Santosh Chokhani" <SChokhani@cygnacom.com> Wed, 31 December 2008 19:14 UTC

Date: Wed, 31 Dec 2008 14:14:35 -0500
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D489365D7@scygexch1.cygnacom.com>
In-Reply-To: <45c8c21a0812310941v4469114ctdbe284ea0cbc6d35@mail.gmail.com>
References: <E1LHplH-0006Xw-V6@wintermute01.cs.auckland.ac.nz><7E552E3F-C85A-4F0E-AC3E-879720A1E55F@extremenetworks.com> <45c8c21a0812310941v4469114ctdbe284ea0cbc6d35@mail.gmail.com>
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: Richard Graveman <rfgraveman@gmail.com>
Cc: cfrg@irtf.org, saag@ietf.org
Subject: Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

Rich,

As your private e-mail states, item 4 below is the one you see as most
dangerous.

That is not so.

The self-signed root and hash used to sign that root is not relevant to
security since the signature on self-signed certificates is gratuitous.

We do not want the community to undertake a major effort that is not
required at all and does nothing for security.

That said, one of the techniques (which is not a standardized one, but a
commercial practice) is to provide the hash of the root certificate in a
secure out-of-band manner (e.g., manually) to verify the roots.  This mechanism
to compute the hash on the entire signed root certificate for out-of-band
trust establishment should be at least SHA-1 today and changed when
SHA-256 or a newer hash is widely deployed on the clients.
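The out-of-band root check described above, as an added example that is not part of this thread: a Python verifier that fingerprints the entire DER-encoded (signed) root, refuses collision-broken digests, and compares in constant time against a value delivered manually. The certificate bytes are a constructed DER stand-in with a realistic outer shape, not a real X.509 certificate, and the function and constant names are this example's own.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
WEAK_DIGESTS = {"md2", "md4", "md5"}  # collision-broken: never accept for root trust

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and base64-decode the certificate body."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hex digest over the whole signed DER certificate (TBS + algorithm + signature)."""
    if algo.lower() in WEAK_DIGESTS:
        raise ValueError(f"{algo} is not acceptable for root trust establishment")
    return hashlib.new(algo, der).hexdigest()

def verify_root(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """Compare against the fingerprint received out of band (e.g. read off paper)."""
    expected_hex = expected.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint(der, algo), expected_hex)

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and minimal long-form lengths) for the sample."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    elif n < 256:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

# Constructed stand-in for a root: SEQUENCE { tbsCertificate, sigAlgorithm, signature }.
TBS = der(0x30, b"constructed tbsCertificate bytes")
SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
SIGNATURE = der(0x03, b"\x00" + b"\xAA" * 32)
ROOT_DER = der(0x30, TBS + SIG_ALG + SIGNATURE)
ROOT_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(ROOT_DER).decode() + "-----END CERTIFICATE-----\n")

def tampered_signature_root() -> bytes:
    """Same TBS, different self-signature: the gratuitous signature is still covered."""
    return der(0x30, TBS + SIG_ALG + der(0x03, b"\x00" + b"\xBB" * 32))

if __name__ == "__main__":
    oob = fingerprint(ROOT_DER)  # the value an operator would receive out of band
    print("root fingerprint :", oob)
    print("matches          :", verify_root(pem_to_der(ROOT_PEM), oob))
    print("tampered matches :", verify_root(tampered_signature_root(), oob))
```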

-----Original Message-----
From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of
Richard Graveman
Sent: Wednesday, December 31, 2008 12:42 PM
To: RJ Atkinson
Cc: cfrg@irtf.org; saag@ietf.org
Subject: Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue
CAcertificate

Ran,

> It would be very helpful if a *set* of mathematicians/cryptographers
> could jointly put together a summary of the known attacks on all
> the widely used hash algorithms (e.g. MD2, MD4, MD5, SHA-0, SHA-1,
> SHA-2, others), *including references to the published literature*.

For an expert, authoritative, and incredibly up-to-date tutorial on
the state of hash functions, go to http://www.inscrypt.cn/, get the
invited talks, and see the one by Preneel. If the intro material is
boring, flip to slide 45 and start reading. No, MD5 and SHA-1 are not
quite in the same boat.

For full papers, see IACR eprints 2008/391 for MD5, 2008/469 for
SHA-1, and 2006/187 for HMAC with these. Follow the references
therein. I avoided sources that cost money to get to, etc.

Unfortunately, the ways cryptologists look at these things and the
ways the IETF uses them are not always the same, so there is more work
to do. Suffice it to say, for a start, there is a big difference
between, say:

1. An HMAC based on a fresh key used by IPsec or TLS for a few minutes.
2. An HMAC based on a key stuck in a router and left there for months or
years.
3. A hash used to sign an email.
4. A hash used to sign a root certificate.

Rich Graveman