[110334] in North American Network Operators' Group


Re: Security team successfully cracks SSL using 200 PS3's and MD5

daemon@ATHENA.MIT.EDU (Brian Keefer)
Sat Jan 3 02:21:17 2009

From: Brian Keefer <chort@smtps.net>
To: Joe Greco <jgreco@ns.sol.net>
In-Reply-To: <200901022329.n02NTuj6063258@aurora.sol.net>
Date: Fri, 2 Jan 2009 23:20:52 -0800
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org


On Jan 2, 2009, at 3:29 PM, Joe Greco wrote:

>> * Joe Greco:
>>> It seems that part of the proposed solution is to get people to move from
>>> MD5-signed to SHA1-signed.  There will be a certain amount of resistance.
>>> What I was suggesting was the use of the revocation mechanism as part of
>>> the "stick" (think carrot-and-stick) in a campaign to replace MD5-based
>>> certs.  If there is a credible threat to MD5-signed certs, then forcing
>>> their retirement would seem to be a reasonable reaction, but everyone here
>>> knows how successful "voluntary" conversion strategies typically are.
>>
>> A CA statement that they won't issue MD5-signed certificates in the
>> future should be sufficient.  There's no need to reissue old
>> certificates, unless the CA thinks other customers have attacked it.
>
> That would seem to be at odds with what the people who documented this
> problem believe.

I do not wish to be rude, so don't think that's my intent--however,  
clarification is required here I believe.

From section 7 of http://www.win.tue.nl/hashclash/rogue-ca/ :
"An interesting question is whether CAs should revoke existing  
certificates signed using MD5. One may argue that the present attack  
scenario has in principle been possible since May 2007, and that  
therefore all certificates (or all CA certificates) signed with MD5  
that have been issued after this date may have been compromised.  
Whether they really have been compromised is not relevant. What is  
relevant is that the relying party who needs to trust the certificate  
does not have a proper way of checking whether the certificate is to  
be trusted or not. One may even argue that all older certificates  
based on MD5 should be revoked, as for an attacker constructing rogue
certificates it is easy to backdate them to any date in the past he
likes, so any MD5-based certificate may be a forgery. On the other hand,
one may argue that the likelihood of these scenarios is quite small, and
that the cost of replacing many MD5-based certificates may be
substantial, so that therefore the risks of
continued use of existing MD5-based certificates may be seen as  
acceptable. Regardless, MD5 should no longer be used for new  
certificates."

Note that they aren't actually recommending that all certs with MD5  
signatures be replaced.  The authors present two sides of the  
argument.  The only absolute statement is that MD5 should not be used  
to sign _new_ certificates.

This is because the attack doesn't allow the impersonation of the  
vulnerable CA; the attack merely creates a new intermediate CA that  
maintains the "chain of trust", so that certificates issued by the  
rogue intermediate CA will be trusted by most browsers.  The weakness  
isn't that the vulnerable CA root certificate is signed by MD5, the  
weakness is that it uses MD5 to sign CSRs.  Since I'm probably not  
explaining this very well, a picture is worth a thousand words:  http://www.win.tue.nl/hashclash/rogue-ca/images/certificate4.png

Additionally, from section 8:
"Question. Are all digital certificates/signatures broken?
Answer. No. When digital certificates and signatures are based on  
secure cryptographic hash functions, our work yields no reason to  
doubt their security. Our result only applies when digital  
certificates are signed using the hash function MD5, which is known to  
be broken. With our method it is only possible to copy digital  
signatures based on MD5 between two specially constructed digital  
certificates. It is not possible to copy digital signatures based on  
MD5 from digital certificates unless the certificates are specially  
constructed. Even so, our result shows that MD5 is NOT suited for  
digital signatures. Certification Authorities should stop using the  
known broken MD5 and move to the widely available, more secure  
alternatives, such as SHA-2."

and

"Question. What should websites do that have digital certificates  
signed with MD5?
Answer. Nothing at this point. Digital certificates legitimately  
obtained from all CAs can be believed to be secure and trusted, even  
if they were signed with MD5. Our method required the purchase of a  
specially crafted digital certificate from a CA and does not affect  
certificates issued to any other regular website."

My apologies if you were commenting on some other aspect, or if my
understanding is in some way flawed.

--
bk
CA cert:  http://www.smtps.net/pub/smtps-dot-net-ca-2.pem
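The thread above turns on the relying party having no practical way to tell how a certificate in its chain was signed. As an added example (not from this post or from the hashclash authors), here is a stdlib-only Python check that pulls the signatureAlgorithm OID out of a DER-encoded X.509 certificate and flags md5WithRSAEncryption; the sample certificates are constructed skeletons whose tbsCertificate body and signature are placeholders, and any name here is an assumption of the example.

```python
# Weak signature-algorithm OIDs that a relying party should flag on a chain.
WEAK_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn DER OID content bytes into dotted form (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return _decode_oid(oid)

def weak_signature(der):
    """Name of the weak algorithm the cert is signed with, or None if none."""
    return WEAK_OIDS.get(signature_algorithm(der))
# Constructed sample certificates: structural skeletons only, not real certs.
def _tlv(tag, content):
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content
def _fake_cert(oid_bytes):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                 # placeholder body
    alg = _tlv(0x30, _tlv(0x06, oid_bytes) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 129)                        # dummy BIT STRING
    return _tlv(0x30, tbs + alg + sig)
MD5_CERT = _fake_cert(bytes.fromhex("2a864886f70d010104"))     # md5WithRSA
SHA256_CERT = _fake_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
```

Run `weak_signature()` over every certificate in a presented chain, not just the leaf, since the rogue intermediate described above is the element that carries the MD5 signature.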
