Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

Russ Housley <housley@vigilsec.com> Tue, 30 December 2008 20:23 UTC

Date: Tue, 30 Dec 2008 15:10:45 -0500
To: Jeffrey Hutzelman <jhutz@cmu.edu>
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <9535147E88DA266C69B983D0@atlantis.pc.cs.cmu.edu>
References: <200812301605.mBUG5cKU027325@raisinbran.srv.cs.cmu.edu> <9535147E88DA266C69B983D0@atlantis.pc.cs.cmu.edu>
Mime-Version: 1.0
Message-Id: <20081230202334.6D9833A691D@core3.amsl.com>
Cc: ietf-pkix@imc.org, ietf-smime@imc.org, cfrg@irtf.org, saag@ietf.org
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

Jeff:

>>http://www.win.tue.nl/hashclash/rogue-ca/
>>
>>MD5 considered harmful today
>>Creating a rogue CA certificate
>>
>>December 30, 2008
>>
>>Alexander Sotirov, Marc Stevens,
>>Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de
>>Weger
>>
>>We have identified a vulnerability in the Internet Public Key
>>Infrastructure (PKI) used to issue digital certificates for secure
>>websites. As a proof of concept we executed a practical attack scenario
>>and successfully created a rogue Certification Authority (CA) certificate
>>trusted by all common web browsers. This certificate allows us to
>>impersonate any website on the Internet, including banking and e-commerce
>>sites secured using the HTTPS protocol.
>>
>>Our attack takes advantage of a weakness in the MD5 cryptographic hash
>>function that allows the construction of different messages with the same
>>MD5 hash. This is known as an MD5 "collision". Previous work on MD5
>>collisions between 2004 and 2007 showed that the use of this hash
>>function in digital signatures can lead to theoretical attack scenarios.
>>Our current work proves that at least one attack scenario can be
>>exploited in practice, thus exposing the security infrastructure of the
>>web to realistic threats.
>
>
>This is a practical application of an approach that I remember being
>brought up during discussions about MD5 at a saag meeting some time
>ago.  I also recall someone mentioning at the time that many/most
>CAs were already issuing certificates with random rather than
>sequential serial numbers, which would have thwarted this particular attack.

RFC 5280 does not include this advice.  It is sound advice that was
discussed in PKIX and other venues.  Perhaps a BCP is in order.

Russ

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
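The two controls the thread turns on are checkable from a certificate alone: the signature algorithm should not be an MD5 (or MD2) based one, and the issuing CA's serial numbers should be unpredictable rather than sequential, because a chosen-prefix collision only works if the attacker can predict the bytes the CA will sign. The following is an added example written for this archive page, not code from the hashclash paper, from any CA, or from the list's discussion. The signature-algorithm OIDs are the standard PKCS#1 ones; the 64-bit serial threshold, the small DER encoder/decoder and the certificate skeletons (unsigned, carrying only the fields the checks read) are constructed here for illustration.

```python
"""Audit a batch of certificates from one CA for MD5-family signatures and
for predictable (short or sequential) serial numbers.

Hypothetical example: the DER helpers and certificate skeletons below are
constructed for this demonstration; only version, serialNumber and the
signature AlgorithmIdentifier are populated, and the signature is a dummy."""
import secrets

# Signature-algorithm OIDs; the md2/md5 ones are the collision-prone hashes
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
OID_SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
MIN_SERIAL_BITS = 64  # assumed policy: at least 64 bits of CSPRNG output per serial

# --- minimal DER helpers ---------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):
    # Positive INTEGER: prepend 0x00 when the high bit is set so it stays positive
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_read(buf, pos=0):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# --- constructed certificate skeleton and its inspection -------------------
def make_cert_skeleton(serial, sig_oid):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    version = der_tlv(0xA0, der_int(2))                   # [0] EXPLICIT version v3
    alg = der_tlv(0x30, der_oid(sig_oid) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    tbs = der_tlv(0x30, version + der_int(serial) + alg)
    sig = der_tlv(0x03, b"\x00" + bytes(16))              # BIT STRING, dummy signature
    return der_tlv(0x30, tbs + alg + sig)

def inspect_cert(cert_der):
    """Return (serial, signature-algorithm OID) read from the tbsCertificate."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert_body)
    tag, _, pos = der_read(tbs)
    if tag != 0xA0:                      # v1 certificate: version omitted, serial comes first
        pos = 0
    _, serial_body, pos = der_read(tbs, pos)
    _, alg_body, _ = der_read(tbs, pos)
    _, oid_body, _ = der_read(alg_body)
    return int.from_bytes(serial_body, "big", signed=True), decode_oid(oid_body)

# --- the policy checks -----------------------------------------------------
def new_random_serial(bits=MIN_SERIAL_BITS):
    """Unpredictable positive serial from the CSPRNG (RFC 5280 requires a positive value)."""
    while True:
        s = secrets.randbits(bits)
        if s > 0:
            return s

def audit_issuance(cert_ders):
    """Findings for a batch of certificates issued by one CA, in issuance order."""
    findings, serials = [], []
    for der in cert_ders:
        serial, oid = inspect_cert(der)
        serials.append(serial)
        if oid in WEAK_SIG_OIDS:
            findings.append(f"serial {serial}: signed with {WEAK_SIG_OIDS[oid]}")
    # Heuristic: a random 64-bit serial can start with a few zero bits, so tolerate 8
    if serials and max(s.bit_length() for s in serials) < MIN_SERIAL_BITS - 8:
        findings.append(f"no serial in the batch exceeds {MIN_SERIAL_BITS - 8} bits: serials look predictable")
    strides = {b - a for a, b in zip(serials, serials[1:])}
    if len(serials) >= 3 and len(strides) == 1:
        findings.append(f"serials advance by a constant stride of {strides.pop()}: sequential issuance")
    return findings

if __name__ == "__main__":
    weak = [make_cert_skeleton(s, "1.2.840.113549.1.1.4") for s in (1001, 1002, 1003)]
    good = [make_cert_skeleton(new_random_serial(), OID_SHA256_RSA) for _ in range(3)]
    print("weak batch:", audit_issuance(weak))
    print("good batch:", audit_issuance(good))
```

The sequential-stride and bit-length checks are heuristics over a batch, not a proof of randomness: a single serial reveals nothing about how it was chosen, which is why the audit takes several certificates in issuance order. Real certificates would be parsed from PEM/DER files with a full X.509 parser rather than the skeleton encoder used here.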