IETF Logo Mail Archive

Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

Scott Rea <Scott.Rea@Dartmouth.edu> Mon, 05 January 2009 06:54 UTC

Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 31A0C28B56A; Sun, 4 Jan 2009 22:54:25 -0800 (PST)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C328E3A6835 for <saag@core3.amsl.com>; Tue, 30 Dec 2008 14:31:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nphNvrPMje2x for <saag@core3.amsl.com>; Tue, 30 Dec 2008 14:31:31 -0800 (PST)
Received: from mailhub2.dartmouth.edu (mailhub2.dartmouth.edu [129.170.17.107]) by core3.amsl.com (Postfix) with ESMTP id CE2803A67F0 for <saag@ietf.org>; Tue, 30 Dec 2008 14:31:30 -0800 (PST)
Received: from newdasher.Dartmouth.EDU (newdasher.dartmouth.edu [129.170.208.30]) by mailhub2.dartmouth.edu (8.13.5/DND2.0/8.13.5) with ESMTP id mBULqtr9007948 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 30 Dec 2008 17:30:44 -0500
X-Disclaimer: This message was received from outside Dartmouth's BlitzMail system.
Received: from c-65-96-146-181.hsd1.nh.comcast.net [65.96.146.181] by newdasher.Dartmouth.EDU (Mac) via SMTP for id <138927721>; 30 Dec 2008 17:30:43 -0500
Message-ID: <495AA0F6.7060604@Dartmouth.edu>
Date: Tue, 30 Dec 2008 17:30:14 -0500
From: Scott Rea <Scott.Rea@Dartmouth.edu>
User-Agent: Thunderbird 2.0.0.18 (Windows/20081105)
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>
References: <200812301605.mBUG5cKU027325@raisinbran.srv.cs.cmu.edu> <9535147E88DA266C69B983D0@atlantis.pc.cs.cmu.edu> <p0624081dc5802a331eac@[10.20.30.158]> <alpine.LFD.1.10.0812301313570.2644@perf.cac.washington.edu> <200812302217.mBUMH7XD040595@balder-227.proper.com>
In-Reply-To: <200812302217.mBUMH7XD040595@balder-227.proper.com>
X-MailScanner: Found to be clean by mailhub.Dartmouth.EDU
X-MailScanner-SpamCheck: spam, SpamAssassin on mailhub2 (score=1.651, required 1, BAYES_00 -2.60, BLITZ_DISCLAIMER 0.05, HELO_DYNAMIC_IPADDR 4.20)
X-MailScanner-SpamScore: s
X-MailScanner-From: scott.rea@dartmouth.edu
X-Mailman-Approved-At: Sun, 04 Jan 2009 22:54:23 -0800
Cc: cfrg@irtf.org, ietf-smime@imc.org, saag@ietf.org, ietf-pkix@imc.org
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

Russ Housley wrote:
>
>
>>> Regardless of that, the authors of the MD5 paper are correct: trust 
>>> anchors signed with MD5 are highly questionable as of today (well, 
>>> actually, since they published their last paper). Hopefully, the 
>>> maintainers of the popular trust anchor repositories (Microsoft, 
>>> Mozilla, etc.) will yank out the trust anchors signed with MD5 (and 
>>> MD2!) as soon as possible.
>>
>> This is a different claim than "CAs should stop issuing certs with 
>> MD5 signatures", which is what I as an amateur take away from a quick 
>> scan of the material.  Obviously MD5 is suspect in various ways, but 
>> does this new work lead to the conclusion that MD5-signed roots are 
>> untrustworthy today?
>
> We recommended a migration (walk, don't run) away from MD2, MD4, and 
> SHA-1 toward SHA-256 a few years ago.  MD2 and MD4 generate 128 bit 
> hash values; even without the attacks, these are getting to be too 
> small.  SHA-1 has been shown to be weaker than its design goal, and 
> the 160 bit hash value will be getting too short in a couple of 
> years.  We recommended SHA-256 while fully recognizing that NIST was 
> starting a hash competition, and that we might recommend the winner of 
> that competition as the successor to SHA-256.
>
> I still strongly encourage the migration to SHA-256.
>
> The use of the random bits in the serial number are insurance against 
> similar problems being found in other hash functions.  This insurance 
> will hopefully provide time to migrate to another hash function when 
> cryptanalysis begins to show flaws in any future hash function.
>
> Russ

But one of the things that has kept the brakes on migration has been 
support in clients for SHA256 - the largest vendor of client machines 
only just recently added SHA256 to its XP platform (if you upgrade to 
SP3). I keep running into folks using OpenSSL as their crypto base and 
they haven't updated to a distribution that supports SHA256. I think it 
will take a little more time before it becomes the default...

-- 
Scott Rea


_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

v2.23.0 | Report a Bug | By Email