Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate

"Peter Hesse" <pmhesse@geminisecurity.com> Mon, 05 January 2009 06:54 UTC

From: Peter Hesse <pmhesse@geminisecurity.com>
To: 'Mike' <mike-list@pobox.com>, ietf-pkix@imc.org
References: <495BA5E9.8040305@pobox.com><E1LILYj-00066V-WE@wintermute01.cs.auckland.ac.nz> <1b587cab0901010706j6e8cd2f8pf23345660a4825a5@mail.gmail.com> <FAD1CF17F2A45B43ADE04E140BA83D489365F0@scygexch1.cygnacom.com> <495CE68A.5040709@pobox.com>
In-Reply-To: <495CE68A.5040709@pobox.com>
Date: Fri, 02 Jan 2009 09:41:15 -0500
Message-ID: <0c6f01c96ce8$2c13d700$843b8500$@com>
Cc: ietf-smime@imc.org, cfrg@irtf.org, saag@ietf.org
Subject: Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate

> Is there anything that could be added to RP software to reliably
> detect and thwart the use of a rogue CA certificate?  Or would
> any attempt to do that just cause too many problems?

Since MD5 is known bad and potentially dangerous at this point, I would
suggest that the best client side action would be to fail to verify any
signatures created using MD5.  This will break some things, especially if
existing business processes are relying on a certificate signed with MD5.
However, it is a fail-safe and would prevent a rogue CA certificate created
in this fashion from being considered trustworthy.

And to Santosh's point (and others), my earlier email about
removing/replacing trust anchors was not because the self-signed
certificates are signed using MD5; I agree the trust anchor public keys are
protected using other mechanisms.  I am recommending that if CAs do nothing
to prevent this kind of attack (non-random serial numbers, issuing
certificates signed with MD5, issuing certificates in an automated,
predictable fashion), those CAs should be removed from trust lists
because they are no longer acting in the interest of the relying party--they
are an accomplice to the creation of these rogue certificates.

--Peter

----------------------------------------------------------------
 Peter Hesse                       pmhesse@geminisecurity.com
 http://securitymusings.com         http://geminisecurity.com
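The fail-safe Peter proposes for relying-party software, refusing to accept any certificate whose signature algorithm is MD5-based, can be checked directly on the DER encoding: the outer `Certificate.signatureAlgorithm` field carries the algorithm OID. The following is an added example, not code from the message or from any of the projects named in it; the two certificate blobs are constructed skeletons (empty tbsCertificate and empty signature) that carry only the AlgorithmIdentifier, not real certificates.

```python
"""Refuse X.509 certificates signed with MD5/MD2 by inspecting the DER."""
from __future__ import annotations

# Signature-algorithm OIDs a relying party should fail outright (RFC 3279).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content: bytes) -> str:
    """Convert OID content octets (base-128 arcs) to dotted notation."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der: bytes) -> str:
    """Return the OID in the outer Certificate.signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)

def verify_signature_algorithm(cert_der: bytes) -> tuple[bool, str]:
    """Fail-safe check: (False, reason) for MD5/MD2 signatures, else (True, oid)."""
    oid = signature_algorithm_oid(cert_der)
    if oid in WEAK_SIGNATURE_OIDS:
        return False, f"refusing {WEAK_SIGNATURE_OIDS[oid]} ({oid})"
    return True, oid

# Constructed sample skeletons (not real certificates): short-form lengths only.
def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body
_STUB_TBS, _STUB_SIG, _NULL = _der(0x30, b""), _der(0x03, b"\x00"), _der(0x05, b"")
_MD5_RSA = bytes.fromhex("06092a864886f70d010104")     # md5WithRSAEncryption
_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
MD5_SIGNED_CERT = _der(0x30, _STUB_TBS + _der(0x30, _MD5_RSA + _NULL) + _STUB_SIG)
SHA256_SIGNED_CERT = _der(0x30, _STUB_TBS + _der(0x30, _SHA256_RSA + _NULL) + _STUB_SIG)
```

A production check should apply the same test to every certificate in the chain except the trust anchor itself, whose self-signature is never verified.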
