[141461] in cryptography@c2.net mail archive
Steve Bellovin on the MD5 Collision attacks, more on Wired
daemon@ATHENA.MIT.EDU (David G. Koontz)
Tue Dec 30 19:11:16 2008
Date: Wed, 31 Dec 2008 09:11:09 +1300
From: "David G. Koontz" <david_koontz@xtra.co.nz>
To: 'Cryptography' <cryptography@metzdowd.com>
http://www.cs.columbia.edu/~smb/blog//2008-12/2008-12-30.html
Steve mentions the social pressures involved in disclosing the vulnerability:
Verisign, in particular, appears to have been caught short. One of the CAs
they operate still uses MD5. They said:
The RapidSSL certificates are currently using the MD5 hash function
today. And the reason for that is because when you're dealing with
widespread technology and [public key infrastructure] technology, you have
phase-in and phase-out processes that can take significant periods of
time to implement.
...
[4 years?]
Legal pressure? Sotirov and company are not "hackers"; they're respected
researchers. But the legal climate is such that they feared an injunction.
Nor are such fears ill-founded; others have had such trouble. Verisign isn't
happy: "We're a little frustrated at Verisign that we seem to be the only
people not briefed on this". But given that the researchers couldn't know
how Verisign would react, in today's climate they felt they had to be cautious.
This is a dangerous trend. If good guys are afraid to find flaws in fielded
systems, that effort will be left to the bad guys. Remember that for
academics, publication is the only way they're really "paid". We need a
legal structure in place to protect security researchers. To paraphrase an
old saying, security flaws don't crack systems, bad guys do.
--
The researchers provided information under NDA to browser manufacturers and
Microsoft contacted Verisign providing no real details
(http://blog.wired.com/27bstroke6/2008/12/berlin.html , the Wired article.):
Callan confirms Verisign was contacted by Microsoft, but he says the NDA
prevented the software-maker from providing any meaningful details on the
threat. "We're a little frustrated at Verisign that we seem to be the only
people not briefed on this," he says.
The researchers expect that their forged CA certificate will be revoked by
Verisign following their talk, rendering it powerless. As a precaution, they
set the expiration date on the certificate to August 2004, ensuring that any
website validated through the bogus certificate would generate a warning
message in a user's browser.
---
The 2007 paper http://www.win.tue.nl/hashclash/EC07v2.0.pdf
Chosen-prefix Collisions for MD5 and Colliding X.509 Certificates for Different
Identities, Marc Stevens, Arjen Lenstra, and Benne de Weger
(also from the Wired article)
--
Nate Lawson's comments
http://rdist.root.org/2008/12/30/forged-ca-cert-talk-at-25c3/
To paraphrase Gibson, “Crypto security is available already, it just isn’t
equally distributed.”
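Two checks a relying party or CA operator would want after reading the above are whether a certificate's signature still rests on MD5 (the RapidSSL situation quoted from Bellovin) and whether its notAfter date has already passed (the August 2004 expiry the Wired article describes). The following is an added example, not code from the post, the blog, or the researchers: a minimal DER walker that pulls the signatureAlgorithm OID and the validity period out of an X.509 certificate and flags both conditions. The OIDs for md5WithRSAEncryption, sha1WithRSAEncryption and sha256WithRSAEncryption are the real PKCS#1 values; the toy certificate it audits is constructed here with placeholder name, key and signature fields, so it is structurally minimal and not a real certificate.

```python
from datetime import datetime, timezone

# Real PKCS#1 signature-algorithm OIDs; MD5 and SHA-1 based ones are collision-prone.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
KNOWN_SIGNATURE_OIDS = dict(WEAK_SIGNATURE_OIDS)
KNOWN_SIGNATURE_OIDS["1.2.840.113549.1.1.11"] = "sha256WithRSAEncryption"


# --- tiny DER decoder (enough to walk Certificate / TBSCertificate) ---
def read_tlv(buf, pos):
    """Return (tag, body, position after this element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_time(tag, body):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...), UTC."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def inspect_certificate(der, now=None):
    """Audit a DER certificate for an MD5/SHA-1 signature and an expired validity."""
    now = now or datetime.now(timezone.utc)
    _, cert, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, p = read_tlv(cert, 0)           #   tbsCertificate
    _, sig_alg, _ = read_tlv(cert, p)       #   signatureAlgorithm (outer one)
    _, oid_body, _ = read_tlv(sig_alg, 0)
    oid = decode_oid(oid_body)

    q = 0
    tag, _, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional explicit [0] version
        q = nxt
    _, _, q = read_tlv(tbs, q)              # serialNumber
    _, _, q = read_tlv(tbs, q)              # signature (inner AlgorithmIdentifier)
    _, _, q = read_tlv(tbs, q)              # issuer
    _, validity, _ = read_tlv(tbs, q)       # validity ::= SEQUENCE { notBefore, notAfter }
    _, _, r = read_tlv(validity, 0)
    tag, not_after_body, _ = read_tlv(validity, r)
    not_after = parse_time(tag, not_after_body)

    return {
        "oid": oid,
        "signature_algorithm": KNOWN_SIGNATURE_OIDS.get(oid, "unknown"),
        "weak_hash": oid in WEAK_SIGNATURE_OIDS,
        "not_after": not_after,
        "expired": not_after < now,
    }


# --- tiny DER encoder used only to build a constructed toy certificate ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def seq(*parts):
    return tlv(0x30, b"".join(parts))


def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))


def build_toy_certificate(sig_oid="1.2.840.113549.1.1.4", not_after=b"040831235959Z"):
    """Constructed sample: MD5-signed, expiring August 2004. Name/key/signature are placeholders."""
    alg_id = seq(oid(sig_oid), tlv(0x05, b""))             # AlgorithmIdentifier with NULL params
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                     # [0] version v3
        tlv(0x02, b"\x01"),                                # serialNumber 1
        alg_id,                                            # signature
        seq(),                                             # issuer (empty placeholder Name)
        seq(tlv(0x17, b"040101000000Z"), tlv(0x17, not_after)),  # validity
        seq(),                                             # subject (placeholder)
        seq(),                                             # subjectPublicKeyInfo (placeholder)
    )
    return seq(tbs, alg_id, tlv(0x03, b"\x00" * 17))       # dummy signature BIT STRING


if __name__ == "__main__":
    print(inspect_certificate(build_toy_certificate()))
```

Run against a real DER file (`open(path, "rb").read()`), the same walker reports the signature OID actually used, so a fleet scan for `weak_hash` is a quick way to find certificates in the RapidSSL position; for production use a full X.509 parser rather than this minimal walker.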
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com