CCC Create a Rogue CA Certificate

t3rmin4t0r writes "Just when you were breathing easy about Kaminsky, DNS and the word hijacking, by repeating the word SSL in your head, the hackers at CCC were busy at work making a hash of SSL certificate security. Here's the scoop on how they set up their own rogue CA, by (from what I can figure) reversing the hash and engineering a collision up in MD5 space. Until now, MD5 collisions have been ignored because nobody would put in that much effort to create a useful dummy file, but a CA certificate for phishing seems juicy enough to be fodder for the botnets now."

Alright this Internet is ruined

Let's go make a new one.

Re:Alright this Internet is ruined

[plover]

I wonder how broken the intarwebs would be to me if I simply deleted all the MD5-based root certificates from my box? Would I even notice?

Re:Alright this Internet is ruined

[Alrescha]

"I wonder how broken the intarwebs would be to me if I simply deleted all the MD5-based root certificates from my box? Would I even notice?"

I think a better idea would be to simply delete all the certificates from your box (CA certs included!). Then start marking individual web certs as trusted after you inspect them yourself.

A.

Re:Alright this Internet is ruined

Pourquoi la mère après la baisse modérée? Il est dommage que la modération est comprise Slashdot vers le peuple français.

Re:Alright this Internet is ruined

[neoform]

Will there be blackjack and hookers?

Re:Alright this Internet is ruined

Merda mesmo é ficar ai falando em francês. Já que é pra sacanear, vai ficar curioso e não vai entender porra nenhuma do que eu to escrevendo.

Re:Alright this Internet is ruined

Ce que vous pensez est des moutons merde.... c'est vraiment Tasty Wheat.

Re:Alright this Internet is ruined

I think it needs a little salt. After that, it should be okay. People nowadays. "Waste not, want not" my grandmother used to say.

Re:Alright this Internet is ruined

Will there be blackjack and hookers?

Yes, but all the men on the other end of the connection will be more evident. I'd bring some air freshener if I were you.

Re:Alright this Internet is ruined

[MyHair]

I'm considering this myself. I'm wondering if there's a way for me to sign approved certificates or otherwise whitelist certs. Eh, it would probably be easier to mark individual web certs. From how many PCs do I need to access my important secure web sites, anyway?

Re:Alright this Internet is ruined

[cbiltcliffe]

Wouldn't the salt have to be public, in order for the legitimate CA certs to work?

Or if the salt was private, wouldn't you still be able to engineer an MD5 collision in the same way, without said salt?

And if the salt was required, wouldn't it be available in the source of any of the dozens of open source browsers out there?

And have we, yet again, proven that security by obscurity doesn't work?

Re:Alright this Internet is ruined

[vux984]

And have we, yet again, proven that security by obscurity doesn't work?

Salt really has nothing to do with security by obscurity.

Salt has everything to do with preventing dictionary attacks using precomputed hashes of a gazillion passwords.

Salt, done well, is generated randomly for each password. That way you need to attack each password in the database separately.

The problem here is that they are brute forcing collisions; and have the resources and motivation to do it.

Re:Alright this Internet is ruined

i didn't know twitter knew French

Re:Alright this Internet is ruined

[Ed+Avis]

What about if a patched version of the crypto libraries deliberately fouled up the calculation of MD5 hashes (say, by returning random data), so you could be sure that you weren't depending on this weak algorithm?

Re:Alright this Internet is ruined

[PAjamian]

If you RTFA you'll note that there is only one known CA that is really vulnerable to this attack, RapidSSL (and also FreeSSL which is part of RapidSSL). This is due to the necessary timing of the validity period and the sequential serial numbers used by the CA.

Also of note is that it doesn't matter what encryption was used to sign the root cert, what matters is the type of encryption that the vulnerable CA uses to sign *your* cert. The CA's certificate could be signed with MD5, SHA1 or anything, really.

Re:Alright this Internet is ruined

[ka9cql]

It doesn't matter whether MD5 was used by the root certificates, or not. The issue is that the attackers injected themselves within your web browser's chain-of-trust, not that they utilized MD5 (or any other algorithm) to achieve this position. This group was able to anticipate and thereby "control" various CA-generated aspects of a digital certificate that they were eventually able to purchase. By carefully crafting a particular certificate - presumably for a domain which they have some reasonable responsibility or control - they could cause the CA to sign a new certificate with an MD5 hash that has an advantageous value. They then copied this hash value (and various other pieces of their new certificate) into a second certificate, forged to look like it's for a website that they presumably DO NOT have any responsibility or control. Because of their careful pre-planning, they were assured that the copied-over certificate's hash value would exactly match that of the certificate that they were (more or less) legitimately issued by the CA. This has the effect of fooling your browser into believing that their "bogus" certificate was, in fact, legit. The really nice twist to all this, IMHO, is that they though to make the new certificate ANOTHER, TRUSTED, CERTIFICATE AUTHORITY!! That was pure genius! Once they did that, they could then turn right around and sign as many certificates as their hearts desired, all of which would be blindly trusted by your web browser. Nice piece of work!

Re:Alright this Internet is ruined

[ka9cql]

Another point of this research was that no human being can, just by looking at a digital certificate, itself, can know whether it is a real certificate or a fake one.

In fact, the researchers did not provide a revocation-checking URL in their original certificate-signing request. This means that most tools (including your web browser) would not have a way of checking whether their bogus certificate had been revoked by the original certificate's CA, even if they ever found out that their legit certificate had been used for other purposes (based solely upon the cert's serial number).

Re:Alright this Internet is ruined

[Lord+Ender]

I think a better idea would be to simply delete all the certificates from your box (CA certs included!). Then start marking individual web certs as trusted after you inspect them yourself.

"Honey, did you order those tickets yet?"

"Hold on! I'm reading through their certificate issuer's published policy documents. I think I am going to have to audit their CA systems on-site before I can connect to this website."

Re:Alright this Internet is ruined

[Bostik]

I quote the team from memory (I just returned from CCC):

Removing or disabling all certificates where a MD5 signature was used somewhere in the chain (or was that just for those that had intermediate CA's signed with MD5? - anyhow...), would cripple approximately 30% of the entire internet.

Re:Alright this Internet is ruined

[Tumbleweed]

Let's go make a new one.

We will go with Internet Emergency Plan A: Move the Internet 10 miles down the road. Done and done!

Re:Alright this Internet is ruined

[johny42]

If you RTFA you'll also note that the only one known CA that is really vulnerable to this attack fixed it the next day.

Re:Alright this Internet is ruined

[cbiltcliffe]

But salt for a CA cert verification method would have to be the same for each cert, or public, wouldn't it?
And either way, it's useless for the way that salt is used for password hashes in /etc/shadow or the like.

I'm not much on the inner workings of PKI yet, so I'm really asking a legitimate question here.

Re:Alright this Internet is ruined

[vux984]

But salt for a CA cert verification method would have to be the same for each cert, or public, wouldn't it?

Yes.

And either way, it's useless for the way that salt is used for password hashes in /etc/shadow or the like.

More or less, yes. Its not 'useless' per se, but since they are attacking a given cert specifically anyway, salt doesn't really add anything.

The original poster who suggested salt in the first place didn't know what they were talking about.

Re:Alright this Internet is ruined

[PAjamian]

You're referring to an update of the article dated December 31st. My post above was dated December 30th and was fully correct as of the date of posting.

rogue not

http://dictionary.reference.com/browse/rouge

Re:rogue not

[cbiltcliffe]

No, no, no. The 'rouge' is referring to the face colour and embarrassment of the legit CAs when it turns out that they're issuing SSL certs to www.we-will-hack-you-good.com

Rouge CA?

[realmolo]

I prefer teal CAs, myself. Or possibly burnt sienna CAs. Sometimes fuschia CAs.

It's ROGUE you dumbass.

Re:Rouge CA?

[Daimanta]

It could be a rogue communist CA. That way, they're both!

Re:Rouge CA?

[Dagvl]

Well, the rogue certificates were red in the diagrams, so using "rouge CA" in the summary has some backing :)

Re:Rouge CA?

The commies are creating their own CA!! PANIC!!!

Could be worse.... Canadians create their own CA? ;)

Re:Rouge CA?

[nsushkin]

I prefer teal CAs, myself. Or possibly burnt sienna CAs. Sometimes fuschia CAs.

It's ROGUE you dumbass.

Surely you meant FUCHSIA

Re:Rouge CA?

Ah, that brings to mind the immortal words of Bart Simpson's ballet teacher: "Now put on this fuchsia-tard, you're a fairy!"

Re:Rouge CA?

[supernova_hq]

I both self sign a CA and manage a .ca you insensitive clod!

Re:You know what I hate?

[Ractive]

Dude this has got to be the most offtopic comment ever

from the ... dept?

[TypoNAM]

Oh noes! What department of Slashdot did this article come from? Its the end of the world as we know it! ;)

Re:from the ... dept?

[DoofusOfDeath]

Oh noes! What department of Slashdot did this article come from? ...

Hold on - I'll check the signature.

Re:from the ... dept?

[Tei]

One where you think "OH NOES"... and forgot to add a dept. :-/

Re:from the ... dept?

[TypoNAM]

I hate replying to myself, but if anybody hasn't noticed that CmdrTaco has been trying to tell us something and by this article he has apparently given up:

Alan Cox Leaves Red Hat
Posted by CmdrTaco on 10:11 AM -- Tuesday December 30 2008
from the bet-wherrever-he's-going-he'll-have-electricity-and-heat dept.

The Fight Over NASA's Future
Posted by CmdrTaco on 08:15 AM -- Tuesday December 30 2008
from the still-no-power-at-my-house dept.

Storm Causes AT&T Outage Across Midwest
Posted by CmdrTaco on 08:55 AM -- Monday December 29 2008
from the guess-who-this-includes dept.

So he's without power and worse no internet at his home, aww poor CmdrTaco. Somebody please think of the slashdot editors! Anybody got a spare generator and fuel? ;)

Re:from the ... dept?

[MBCook]

Let's put up a poll to see what we can all do!

• I'll put Taco up at my place
• I'll donate some food
• I'll donate some fuel
• I'll donate some CPU time
• Taco is a big boy, he can help himself

Re:from the ... dept?

[Chelloveck]

Huh. Last I knew, Taco lived not too far from me (Dexter, MI). I hadn't heard of any persistent power outages around here, though we did have a nasty wind storm over the past couple days. Could be something as localized as the line that feeds his house. Or maybe...

Hey, Cmdr Taco! Go downstairs and check your breakers!

Re:from the ... dept?

[AmberBlackCat]

Just unblock Alexa. I doubt it will be as bad as Slashdotters think.

Re:from the ... dept?

[jeffmeden]

What's he doing at home, anyway? Go to work, you lazy git! They have power, heat, and internet there (if it's anything like where I work.)

Re:from the ... dept?

Can I say it? I will say it... Oh my god we are all going to die!!!

Re:from the ... dept?

[TheoMurpse]

You forgot "Taco and CowboyNeal spoon for warmth"

Re:from the ... dept?

[geekmux]

So he's without power and worse no internet at his home, aww poor CmdrTaco. Somebody please think of the slashdot editors! Anybody got a spare generator and fuel? ;)

Ah, is it just me, or is anyone else wondering what magic uberg33k dust he's using to power his hardware and post these messages in what appears to be a massive power outage?

For a man looking for food and fuel, he sure does have a shitload warstock of fully-charged laptop batteries and solar-powered cable modems.

(Copyright 2008 Captain-Not-So-Obvious, Inc.)

Re:from the ... dept?

[Tubal-Cain]

Downstairs? Are there sub-basements where you live?

Re:from the ... dept?

[nutznboltz]

off by nine years

Re:from the ... dept?

I hate replying to myself, but if anybody hasn't noticed that CmdrTaco has been trying to tell us something and by this article he has apparently given up:

not yet.

    Posted by CmdrTaco on Wednesday December 31, @09:01AM
from the i-remember-what-heat-felt-like dept.

    Posted by CmdrTaco on Wednesday December 31, @10:04AM
from the i-bet-a-bricked-zune-is-still-warm dept.

    Posted by CmdrTaco on Wednesday December 31, @11:08AM
from the bet-they-have-power-in-the-upper-penninsula dept.

    Posted by CmdrTaco on Wednesday December 31, @12:05PM
from the do-these-mice-work-frozen-with-no-power-screw-you-dte dept.

Rouge CA?

[Bert64]

The commies are creating their own CA!! PANIC!!!

Why trust the PKI?

[characterZer0]

Why does your bank not give you a compact disc with their public key on it when you sign up for an account?

Re:Why trust the PKI?

[nurb432]

Or a usb key :)

Re:Why trust the PKI?

[Nursie]

Sounds like a great plan to me. Plus have a "Use only my bank's CA" mode built into your browser so you know damn well it's them and nobody else.

Re:Why trust the PKI?

[Nursie]

Sorry to self reply but.... on top of that we should all switch away from MD5 anyway.

Re:Why trust the PKI?

[fastest+fascist]

Using that would probably be more hassle than your average user is willing to put up with. A bigger wtf is, in my opinion: Do so many banking services really rely on a single login/pass combo per user for authentication? When banking security comes up here, I see people worry about having their login+pass revealed, which makes me think that's the only verification their banks use.

My bank at least also uses a one-time pad system, namely a numbered list of 100 pre-generated codes. So I log in using a username and pass, and then to actually do something with the on-line banking system I'm asked to provide the code that relates to a randomly chosen number between 0000 and 0099. A code can only be used once. So basically if the phishing site manages to get hold of a few numbers from a user's passcode list, the chances are still pretty slim they'll be able to do anything with them.

Of course, if they scam hundreds of people, they will get a few successes, but not very many.

Re:Why trust the PKI?

[YouWantFriesWithThat]

shit, they could put the browser right on the usb drive and only allow online banking through their locked down browser on the drive.

Re:Why trust the PKI?

[plover]

Better yet, why don't they give you a smart card containing their certificate, your secret key, and provide your key encryption functions? The U.S. Army does something similar to this today -- their ID cards contain private keys for the personnel. (Unfortunately, adding the CA certificate needed to trust the card is a tedious process.)

Re:Why trust the PKI?

[wsanders]

Actually, if you look in your Firefox built-in CA's, Wells Fargo has a couple of entries in there. I don't know *how* they got in there, of whether they work, but it looks like some kind of experiment in that direction.

Of course I would propose it's probably easier to get a bogus version of Firefox with evil CA's in a lot of PCs, than successfully set up a rogue CA, but when there are billions on dollars at stake, who cares how difficult it is.

Re:Why trust the PKI?

[pete-classic]

That's fine for your one bank that you set up once.

I go to a lot of shows at small venues around town. Should I spend a couple of days driving around to all of them collecting their certs so I can buy tickets? (Maybe. Maybe once, maybe never.)

And where do I pick up my gmail certificate CD? And for my credit card company? (The one that doesn't have an office in my state.) And for my insurance company?

Oh, and I like to pay my cable, power, and cell phone bills on-line, too. So I guess I need to get CDs from them as well.

Oh, I also do my time sheets for work through a secure website. And I get my pay stubs through another. And manage my 401k through yet another.

I'm not so sure about your plan.

-Peter

Re:Why trust the PKI?

[Mister+Whirly]

All one would have to do after a user's login credentials have been obtained is to get thier phone number, pick up the phone, call them, and say
"This is Mr. Soandso from &BANK NAME&. We have had a recent error in the code cards and would like to verify that you have one of the ones that is not a problem. Could you read line &LINE NUMBER& to me so I can check to see if you have a valid code list?"

Sure it is a little extra effort, but not so much that nobody would attempt it.

Re:Why trust the PKI?

[MartinSchou]

How exactly does that protect against a man in the middle attack, where the MitM has an apparently valid certificate? He'll just post a mirror of their site, change your actions to ones that include moving money out of your account to one of theirs and pass along a request for a validation to you.

Re:Why trust the PKI?

I know in the UK one bank is handing out a keyfob to business customers. The keyfob has an algorithm that works out a passkey from the current timestamp. When you log into the banks system you have to press a button on the fob that will generate your "key". The banks system will accept all keys generated in the last 30 seconds or something. The keyfobs hold subtly different algorithms in them and the fob is registered to your account number so the bank know which algorithm to use to compare too. Seems a reasonably secure system to me. This is alongside the uname passwrd etc. everything else.

Re:Why trust the PKI?

[characterZer0]

People need to be trained. If somebody claiming to be your bank calls you, ask at which extension he can be reached from the number you have for your bank, and call back. Simple.

Re:Why trust the PKI?

Great idea, then if you don't use Windows or maybe Mac you have to go find a public computer which might have a keylogger installed?

Re:Why trust the PKI?

[characterZer0]

And people need to be trained not to give out information. If he asked me to read him line X to see if it is correct, I would tell him to tell me what he thinks line X should be, and I will tell him if he is right.

It is simple: do not give out information that they should already have, except that which you already know is to be used for the purpose of identifying yourself to them.

Organizations need to deal with this though. I had somebody call me from my bank asking me about charges I had made. I asked for the extension to call back. The bank had outsourced the function, and could not tell me anything other than "somebody will call you claiming to be from us, and ask you for information." I hope they have gotten it straightened out, but I refused to play along.

Re:Why trust the PKI?

[fastest+fascist]

good point - my bank also uses the keycodes for verification over the phone when a customer calls them, so it's not a big stretch that they would call to ask about an "important issue" but say that first they need to verify you are who you say you are...

Re:Why trust the PKI?

Then don't use the keyboard.

Duh. /s

Re:Why trust the PKI?

[Mister+Whirly]

Very true. Studies have shown that people want to be helpful and will give up information they shouldn't. And all good crackers know to attack the weakest link in the security chain - the user. The most complex lock in the world will not help you if someone hands the keys over to the "bad guys".

Re:Why trust the PKI?

[blhack]

Our bank (chase) gave us a credit-card-sized device with an LCD on it.

It generates 8 (i think it is 8, I don't work in accounting) digit numbers that we need to put in when we log into their website to view checks and manage our account.

The numbers change every few minutes.
Is this similar to what you've got?

Re:Why trust the PKI?

[Amouth]

some places use them here .. they are normaly RSA keys and are 2-300$ each and are optional.. my bank doesn't use them.. but i know realestate agents that have to have them to open lock boxes on houses.. someone was a good sales man for that one.. and the banks jsut don't give a fuck.. if someone takes money out of my account it isn't their proplem as i'm the one that is short

Re:Why trust the PKI?

[Mister+Whirly]

I follow the same guidelines, but unfortunately, we are in the minority when it comes to things such as this.

Re:Why trust the PKI?

[fastest+fascist]

My bank just issues printed cards with a hundred keycodes on them.

Re:Why trust the PKI?

[Reece400]

I know, what if they just installed secured computers which allow exclusive access to their system, in various locations throughout the country so there was always one near by!

They could even install cash dispensing devices to allow you to withdraw funds from your account, maybe call them Automated Teller Machines or something along those lines. Wow, I should totally patent this idea

Re:Why trust the PKI?

[YouWantFriesWithThat]

well, i wouldn't care too much if they had a log of my username/pass if that wasn't the only credential needed to clean out my account. if there is a signed usb drive needed that will be pretty hard to clone with a keylogger.

Re:Why trust the PKI?

do not give out information that they should already have, except that which you already know is to be used for the purpose of identifying yourself to them.

Hello, this is Anony Coward from National Bank, how you doing today?

I'm calling regarding activity on your account. To verify your identity, would you please read ... (looks at screen) ... item 67 on your bank keypad?

Thank you. Mr. Zero, I'm calling about a transfer to a Cayman Island account in the amount of $5000 dollars which just showed up on your account. Did you make that transfer?

Okay, Mr. Zero, I'm going to cancel that transaction and credit your account. Please note that due to some technical difficulties we're having at the moment, the credit may not show up on your account for a week or two. So don't worry if the charge shows up on your next statement. There's no need to call us about it, because I assure you that the credit is pending.

Have a nice day!

Re:Why trust the PKI?

[c_g_hills]

I am a normal non-business customer of a bank in the UK and I have a reader supplied by the bank that generates either a one time code for identity, or a code based upon an account number used for securing money transfers (so you can tell that you are not being phished). In both cases, the chip card and pin are required in combination with the reader, making it a rather secure system.

Re:Why trust the PKI?

[Ndiin]

How does that help if you can't trust the site, though? That only adds trust on your end, not theirs.

Re:Why trust the PKI?

[mrstrano]

Oh yeah, also your Electric Company should give you one, your phone company and Paypal should send you one and EBay, Amazon.. Wait a minute. This would be a mess of CDs and usb keys. You know what, let's set up a single place accessible on line where all this certificates are stored.. Let's call it, Certification Authority :)

Re:Why trust the PKI?

[cbiltcliffe]

What makes you think the next keylogger trojan won't also make a copy of all USB drives (including volume serial number) upon insertion?

There goes your secure access......

Re:Why trust the PKI?

[Intron]

Fezzik, tear his arms off.
Oh, you mean this gate key.

Re:Why trust the PKI?

[horatio]

This is exactly what I do. When a bank or CC issuer calls (usually to verify a purchase) I call the number listed on the back of the card, not the number left in the message.

Re:Why trust the PKI?

[ion.simon.c]

Heh. I assume that *all* public computers are configured to copy any and all private key material on USB devices.

Re:Why trust the PKI?

Why not have a "Warn me if the certificate suddenly changed and/or comes from an entirely different CA" mode built into browsers?

Re:Why trust the PKI?

[RazzleDazzle]

Why not just store all the banking data right on the USB drive itself and hand that out to every customer then you never have to even get online to check your accounts. Just think of it as a modern day sneaker net. Virtually no chance of MITM attacks or eavesdropping. I think this is an ingenious idea.

Now how do I patent this?

Re:Why trust the PKI?

[mlts]

I'd like to see banks print out their cert's SHA-512 hash onto printed material, and as stated above, have a mode in the browser to scream bloody murder if www.bank.com's cert is anything but the cert with the hash pre-entered.

Web browsers could also distribute a list of certs for major sites that are doublechecked to be actual certificates for that site, similar to how root certificates are maintained. One could even go to the next step of precaching the actual public keys on the Web browser so there is no chance of a site trying to inject a bogus key for a known site. Of course, there are weaknesses in this... SSL certs expire and too many precached certs would add a lot of bloat, similar to including a huge /etc/hosts file rather than using DNS.

Re:Why trust the PKI?

I know, what if they just installed secured computers which allow exclusive access to their system, in various locations throughout the country so there was always one near by!

They could even install cash dispensing devices to allow you to withdraw funds from your account, maybe call them Automated Teller Machines or something along those lines. Wow, I should totally patent this idea

I totally wanted to post the link to the slashdot story about how the ATM's got hacked badly, but couldn't find it.

So I thought I'd just write about it. It'll be like Christmas, only you have to find the present, err, citation.

Enjoy!

Re:Why trust the PKI?

[dwandy]

so part of the "training" is that financial institutions don't leave a number. They instruct you to look on the back of your card. Just like all banks will tell you they don't send e-mail, and that any e-mail isn't from them, they would start to educate: we don't leave a call-back number.

Part of the problem (imho) is that there isn't enough rea$on for these companies to fix the underlying problems.

Re:Why trust the PKI?

[u38cg]

That's very good practice. However, for as long as banks continue making outbound calls without verifying themselves to their customers, it won't work, because end users are used to receiving such calls.

Re:Why trust the PKI?

Several banks in The Netherlands use a sort of cryptographic pocket-calculator that works with data stored on a chip on the bank card. In order to login, you need the following:

- your bank card + calculator
- (self-chosen) PIN-number to unlock your bank card when you switch on the calculator
- bank account number + pass for the website
- the website issues an 8-digit key that you need to type into the calculator
- the calculator gives an 8-digit response that you need to give to the website

While this is very secure, it is still only one-way verification. The only assurance you have about the website, is that it ties your bank account number to the correct personal information and that the certificate is correct.

I'm quite content with the way my bank handles it (Postbank): you only need username+pass for login (sadly), but every transaction (or set of transactions) needs to be confirmed with a 6-digit code. This code will be sent via sms (celltext), and the message also contains the sum amount for the transaction.

Re:Why trust the PKI?

[Nursie]

Because then the browser needs to keep track of every certificate from every site it's been to, which is a pain and unreliable when people like to flush that sort of data.

Or would you propose having a "this site is super important and I'm pretty sure I'm not under attack at this moment" button?

Not bad, but I prefer my way :)

Re:Why trust the PKI?

[advantis]

My bank issued me with a device called a Digipass which generates codes like those that have a life span of 36 seconds. The advantage of this is that I don't run out of codes if I have OCD and check my bank statements 100 times a day and I don't need to contact my bank for new codes. The code also expires after successful login, so there's no double teaming. For someone to successfully log into my account, they'd have to be attacking me as I do my transactions. But not even then, as each transfer has to be signed with a Digipass-generated code as well.

Re:Why trust the PKI?

Such a system was successfully hacked by a PC virus that waits until the user visits the bank site, and then presents a page in the bank style saying "for increased security, please enter the next ten keycodes on this form". Stupid users entered the codes and lost in the range of 1000-40000 euros to the guys behind the attacks.
The bank denied them compensation until they formed a group and went public with the issue.

Re:Why trust the PKI?

[jonbryce]

In Britain, Royal Bank of Scotland, Barclays and Nationwide have a challenge response system where you have to put your ATM card in a handheld reader, enter your pin and a number supplied by the website, and type the number from the reader into the webpage to continue. Bank of Scotland send a number by SMS to your cellphone which you have to type into the webpage to continue. Lloyds and Abbey don't do anything, and for some reason, they get the vast majority of the phishing attacks in this country.

Re:Why trust the PKI?

[jonbryce]

I guess the attack would take the form of

You log into a fake website. The phisher uses the same details to log into the real website.

You ask to transfer some money. The phisher asks to transfer money to a different place. The phisher passes on the challenge response details it gets to you, you complete it and give it to the phisher. The phisher can then transfer the money to his "money transfer agent" for onward payment to himself.

Re:Why trust the PKI?

[cbiltcliffe]

Me, too. But FryGuy seems to think that it will prevent any and all problems, which it obviously won't.

Re:Why trust the PKI?

[badkarmadayaccount]

Because those are totally safe...

Re:Why trust the PKI?

[Reece400]

Really, what is in the information age. On the other hand I'd trust an ATM over a public PC any day...

Still using MD5 for this ?

[Yvanhoe]

These certificates are at the basis of truth on secure websites. MD5 has been known to have vulnerabilities for a loooong time (2004 according to the link article). Why do not banking services keep up to date with the state of the art crypto ?

Re:Still using MD5 for this ?

From what I understood from the talk, banks do not - they use SHA1. However, about a third of all CA-signed certificates that Firefox trusts has MD5 signatures.

The cool thing is that once you have a rogue CA certificate, you can sign your bank phishing site with a SHA1 signature. This was apparently made harder to detect due to CA:s signing their own certificates with MD5 signatures, which means that if you only check for MD5 signatures in the actual certificate, it's trivial to get passed you, and if you check for MD5 signatures in the whole certification chain, you'd mostly get false positives.

Re:Still using MD5 for this ?

[Opportunist]

Implementing something more secure costs X, cost of fraud is Y, change when Y exceeds X, until then, leave everything untouched.

That's just how banks work. You can yell at them how insecure their online banking is 'til you're blue, but you won't change a thing. I've tried. More than one way.

Telling them won't change a thing. Magazines and newspapers don't report it because they don't want to risk those multi-page bank ads. What's left besides breaking the law and using the exploits to make a point?

Re:Still using MD5 for this ?

[Yvanhoe]

Well I understand that as long as the cost of repairing the flaw is higher than the cost of the flaw, doing nothing is the most logical choice. However, I fail to understand how, in the Internet as it is today, with spambots widespread, with virus factories that take only one hour to transform a patch from Microsoft into an automated exploit, a flaw like this could cost less than a its fix. For Kibo's sake! It's a trivial upgrade at a protocol (MD5->SHA-1 or SHA-2) ! If done with one year of delay (2005) they would have had 3 years to upgrade their equipments and websites before the flaw hit CCC. Now it is only a matter of hours before the first million dollars goes down the drain because of this.

Re:Still using MD5 for this ?

[Opportunist]

It's anything but trivial for a bank. Yes, the technical side is trivial. It's the bureaucracy that weighs it down. Banks need approval for pretty much any change in their processes, often internationally. Other things have to be coordinated. And all that costs a ton of money. It's not as easy as it seems.

It took me a while, too, to realize that the implementation itself is most of the time only a secondary concern when it comes to whether a change can take place in the financial world.

Re:Still using MD5 for this ?

[kasperd]

That's just how banks work. You can yell at them how insecure their online banking is 'til you're blue, but you won't change a thing.

Banks have no part in this. The parties at fault are the CAs for using MD5, and the browsers for supporting MD5 as well as trusting CAs that use it. A bank cannot do anything about this attack. Even if the bank choose a CA which is using secure algorithms it won't help. The attacker don't have to use the same CA as the bank, in this study they explain how they found which CA would be the easiest target.

What you can do as a user is to actually look on the certificate chain. Whenever I am using online banking, I always look on the certificate chain at the beginning of each session before I log in. Seems that practice is not paranoia after all. (I also quit the browser before starting, check for security updates, and then start the browser and use a bookmark to go to the login page. I visit no other sites while doing the online banking, and when done I quit the browser and start over before accessing any other sites).

allyourcaarebelongtous

[sleekware]

All Your CA Are Belong To Us

its only the CA's that use MD5 so the question is.

[johnjones]

some CA's use MD5 the question really should be which ones

they point to a rather doomsday scenario of having a problem with all SSL Certificate Authorities

this is not the case

only the ones that use MD5

so the question really is what is the list of SSL Certificate Authorities that do this ?

regards

John Jones

http://www.johnjones.me.uk

Re:ROGUE not ROUGE

[MightyYar]

There's no way he'd fit in there. It would have to be at least... 3 times as big.

No weakness

[GigsVT]

It's important to note that this sort of collision is not taking advantage of any of the known weaknesses in MD5, rather it's brute force.

This is just to head off the inevitable screaming of "MD5 is broken for everything anyway!!!".

Re:No weakness

What? It's absolutely a weakness in MD5 that collisions are possible to find. These guys pushed that a little further by finding a controlled collision within a smallish time window. While the attack does require some computation, it is not "brute force" in the sense that it would not work (in a practical amount of time) against an otherwise secure 128-bit hash, but rather exploits MD5s known weaknesses.

Re:No weakness

[JakusMinimus]

Firstly, from this article:

The attack is based on known weaknesses in the cryptographic hash function known as MD5. In 2004, researchers from China showed it was possible to generate the same MD5 fingerprint for two different messages using off-the-shelf computer hardware. Three years later, a separate group of researchers - many who participated in Tuesday's presentation in Berlin - built off of those findings by showing how to have almost complete freedom in the choice of both messages.

Maybe I am missing some precision thrust of meaning with your choice of words but my understanding is that the researchers utilized brute force to readily take advantage of a known weakness of MD5. No, it is not broken for everything, but it is most definitively broken for use within the PKI infrastructure (signing certificates).

Re:No weakness

[plover]

Brute force? Not according to TFA:

In the interest of protecting the Internet against malicious attacks using our technique, we have omitted the critical details of our sophisticated and highly optimized method for computing MD5 collisions.

It says they compute collisions, which is indeed a weakness in MD5. Even if they use brute force, the fact that it's forceable is still a weakness.

Now, MD5 still probably makes for a pretty good checksum for utilities like Tripwire and such, but for security it's broken, broken, broken.

Re:No weakness

[Opportunist]

Brute force isn't so terribly time consuming when you have a botnet of current PCs at your disposal that can start crunching...

Re:No weakness

[moderatorrater]

This is just to head off the inevitable screaming of "MD5 is broken for everything anyway!!!".

Why head that off when it's a perfectly valid criticism? MD5's been out of date for a few years now and it's been broken for nearly that long. Using MD5 eliminates the CA's credibility.

Re:No weakness

[blueg3]

Since MD5 is 128 bits, if computing a collision takes on the order of 2^128 attempts, it is indeed brute force and is not a weakness of MD5 at all. A weakness is a property that allows you to perform some undesirable action -- say, compute a collision -- faster than absolute brute force.

Re:No weakness

Maybe it's my naivety, but wouldn't a hash have to be of infinite length to be able to be used in a way that guarantees no collisions?

Or is your point that hashes shouldn't be used at all? If so, what should be used?

Re:No weakness

The first part of your post is just not true. This attack is possible because of a weakness in MD5 and has very little to do with an actual bruteforce search.

That doesn't mean MD5 is broken for [b]everything[/b] else, it just means that it's broken for this specific application (and many more that work similarly).

Re:No weakness

[Just+Some+Guy]

Maybe it's my naivety, but wouldn't a hash have to be of infinite length to be able to be used in a way that guarantees no collisions?

That's what I thought he was saying at first, but it's not. For an n-bit hash, the birthday paradox says you'll need to try an average of (n/2) bits to find a hit. The problem with MD5 is that you can find collisions in much fewer than 2^64 attempts. So sayeth Wikipedia:

On 18 March 2006, Klima published an algorithm[9] that can find a collision within one minute on a single notebook computer, using a method he calls tunneling.

So yes, all fixed-length hashes will have an infinite number of collisions. It's just that some hash algorithms make it a whole lot easier to find some of them.

Re:No weakness

[owlstead]

(1) Maybe it's my naivety, but wouldn't a hash have to be of infinite length to be able to be used in a way that guarantees no collisions?

(2) Or is your point that hashes shouldn't be used at all? (3) If so, what should be used?

(1) Of course there are collisions. The idea about secure hash methods is that it should be impossible to find one. If you brute force a perfect hash, you will have to look to at least 2^(N/2) hashes (in general, or you must be lucky to the extreme, approximately the same amount of luckiness :P ). MD5 is broken in this regard, for certain situations, such as the one in the article.

(2) No, this doesn't seem to be the case. He just - correctly - pointed out to GigsVT that this is not a brute force attack. This can easily be extracted from the paper.

(3) SHA-2 is rather secure, there is no vulnerability other then the fact that it looks too much like SHA-1 to be completely care-free. And there is probably a reason for the SHA-3 competition. There are also people that think any hashing method that is build using Merkle-Damgård is unsafe. There is yet no solution against those (theoretical) problems.

No answer was needed for (3) because (2) was already wrong, but I've added it as a bonus.

Re:No weakness

[tietokone-olmi]

At least as long as the input data, anyway. And then they might be reversible, which is just as big a problem.

So yes, cryptographic hashing is a game of tradeoffs. What isn't?

Re:No weakness

There are different types of attack on a hash function: Pre-image attacks and collision attacks. A pre-image vulnerability is when you can find a document which has a given hash value or the same hash value as a given document. A collision vulnerability is when you can find two different documents with the same hash value. For a collision attack to be useful, both documents usually have to fit a given specification (e.g. a document format) and contain only meaningful or at least inconspicuous data.

The attack presented at 25C3 uses a known MD5 collision vulnerability to craft a certificate signing request which, combined with a predictable serial number and signing time, results in a certificate A where the hashed portion has the same MD5 hash value as the hashed data in another certificate B. When the CA signs certificate A, it thereby also creates a signature for the certificate B.

Most of the extra work on top of implementing the MD5 collision attack is needed to
- hide the extra garbage bytes that the attack needs to do its magic, such that the signing request is still accepted by the CA,
- timing the request just right that the certificate which is signed has the right signing date (which is part of the hashed data),
- making sure that the serial number is as predicted (also part of the hashed data),
- hiding the extra garbage bytes in the rogue certificate such that it is ignored by the browsers.

Re:No weakness

[SanityInAnarchy]

Actually, yes it is. You just need a strong enough cipher.

The way I understand it, for example, 4096-bit RSA either requires a dramatically new approach (quantum computing), or, with current technologies, requires every atom in the Universe to be assembled into a massive compute cluster, and that cluster needs to run for longer than the heat death of the Universe.

Botnets do change some things, but they don't change basic mathematics.

Re:No weakness

[amorsen]

If computing a collision takes on the order of 2^128 attempts, it won't happen. Anyway, you can make a collision of a 128-bit hash in 2^64 attempts, but even that is out of the reach for most people. Unfortunately you can generate collisions for MD5 much much faster than 2^64 operations.

Re:No weakness

[blueg3]

It depends on if you are trying to produce two strings with the same hash or trying to produce one string with a predetermined hash. The former can be done faster, but is not brute force. (This is "the weakness" of MD5.) The latter still can only be brute-forced.

Re:No weakness

[plover]

Again, RTFA. They start by acquiring a legitimate certificate with an MD5 hash signed by a trusted root authority. They then create a new certificate of their own that produces the same signature as the one the certificate was assigned. That is the latter of your choices that you claim can only be brute forced, and it is the approach they claim to have optimized. To optimize "brute force" means they must be taking advantage of some weakness in MD5.

Re:No weakness

[bwcbwc]

The basic math is that in order to prevent hash collisions you need a one to one mapping from the input domain to the hash range. In other words, a unique hash value for every input value. Technically, it isn't a true one-to-one mapping, because there could be extra unused values in the hash range that aren't mapped from the input values, but unused values in the hash space translate into wasted memory storing unneeded bits. A one-to-one mapping is the most efficient possible mapping.

In the case of an arbitrary/random data sequence of finite length, the number of possible values of the input space is 2^n where n is the number of bits in the input.

In order to support this number of variations of the input, the length of the hash must be the same number of bits (or greater). The hash needs to establish a one-to-one mapping of potential inputs to potential outputs.

As an example, if your input data consists of 8 bits with no restrictions on the value of any given bit, you have 2^8 possible bit combinations (the full ASCII table, for example) that must be mapped into the hash. In order to successfully map that many different permutations of input, you need an 8-bit hash. If you only have a 6 bit hash, you are trying to map 2^8 (256) possible input values values into an output space that contains only 2^6 (64) values, so either some values in the domain are not mapped into the range (invalid hash/hash failure) or else there are values in the output range that are reached from multiple inputs (hash collisions).

Now a purely arbitrary or random input sequence is not the only possible condition for hashed data. If an input data sequence can be compressed losslessly due to correlation between input values or because some sequence combinations are prohibited, the hash can be shorter than the input string (but not shorter than the best possible compressed version of the string). Again, this boils down to the basic math of one-to-one mappings and permutations of n bits of data. If data is losslessly compressible, that means a one to one mapping can be created from the uncompressed data to the compressed version. One to one mappings are transitive, so you can create a perfect hash of the compressed data without data loss (or hash collision).

Re:No weakness

[sjames]

Brute force? Not according to TFA:

Brutish force perhaps :-) For some time, we have known that MD5 had a weakness that can be used to reduce the size of the problem, but then brute force must be applied to that smaller search space. They either got quite lucky or did a really good job of optimizing the porocess.

Of course, since a rogue CA cert is an extremely high value target for a criminal organization (and they have millions of distributed processing nodes available to them), it's likely that someone either is or will try it for less pure purposes.

The solution will be 'interesting'. Essentially, the prudent move is to mark all CAs using RSA and every cert they have signed as untrusted. Any holder of one of those certs will have to get a new one from somewhere else.

Re:No weakness

The weakness is not that they can generate collisions (although that is an inherent weakness with any checksum method).

The specific weakness with MD5 is the line which says:
 

built off of those findings by showing how to have almost complete freedom in the choice of both messages.

Most of the time if you have a collision, the fake Checksum will contain mostly garbage, so simply by looking at the cert itself you can tell it's garbage. This vulnerability is that they can generate a Cert that contains legitimate data AND the same MD5. This is a very big weakness.

MD5 shouldn't be used for this anyhow, it's primarily useful for fast verification of data integrity, not as a method of securing data.

Re:No weakness

[harlows_monkeys]

It's important to note that this sort of collision is not taking advantage of any of the known weaknesses in MD5, rather it's brute force

Wrong. Finding collisions in MD5 by brute force takes around 2^64 attempts (basically, a birthday attack), and is safe from all but those with huge computing resources. The current methods being used for finding collisions are several orders of magnitude faster than that, and only require minutes on a typical PC.

Re:No weakness

I think that you need to RTFA, or more importantly, the article from wired. They explicitly mentioned that they generated the two certificates in advance and that they had to account for the serial number and expiry date set by the issuing CA.

So they generated two certs, one for a regular website, the other a CA cert; both with identical hashes. They then got the website cert signed by the CA and applied the signature to their CA cert that already had a matching hash.

Re:No weakness

[blueg3]

You really should read the original paper -- or have some understanding of developments in cryptography. They "generated" two certificates with identical MD5 hashes and got a CA to produce an MD5-only signature for the one. Since the hashes are the same, the signature's good for both. This absolutely requires being able to manipulate both certificates.

They don't actually produce the first certificate themselves -- the CA does. However, the CA they chose generates the cert automatically from data they provide in a highly predictable fashion, which allows them to, in practice, supply the cert to be signed.

This, incidentally, is terrible cryptographic practice -- performing functions like signature generation or encryption on arbitrarily-supplied data automatically, as it is a requirement for many attacks. If the CA introduced 128 bits of unpredictable entropy into each issued cert, their method would be completely worthless, even with the insecurity of MD5, because guessing the added message entropy is too difficult.

Re:No weakness

[plover]

That makes a lot more sense now, thanks for having the patience to explain it to me. I kept trusting the linked page and the illustrations which implied the new cert was a pure derivation from the cert they purchased.

Re:No weakness

[blueg3]

Yeah, I glanced over their paper again to see if there was something convenient to quote. If you're not familiar with existing MD5 attacks, the abstract is not too clear on this point.

Re:No weakness

[dachshund]

The way I understand it, for example, 4096-bit RSA either requires a dramatically new approach (quantum computing), or, with current technologies, requires every atom in the Universe to be assembled into a massive compute cluster, and that cluster needs to run for longer than the heat death of the Universe.

You've neglected to mention: a significant advance in the mathematics behind factoring and/or solving the RSA problem itself. There's been an impressive amount of work in this direction overthe past 20 years, so it's not ridiculous to imagine further advancements in sub-exponential factoring algorithms.

Fortunately, if such an advance does take place we'll probably hear about it well before the botnets have a chance to take advantage of it (on the other hand, we've had plenty of warning about collisions in MD5, and that didn't help RapidSSL).

Re:No weakness

[jd]

A "perfect" cryptographic hash must meet three criteria:

a) The best herustic for determining an input which will produce the same hash as a specific target input will require as many steps on average as brute-forcing. (ie: the probability of getting a collision is the same whether you are using a programmatic solution or guessing.)

b) If inputs A, A' and A'' produce the same output, where A and A' are known, the best herustic for determining A'' will remain no better than one that brute-forces.

c) If inputs A and A' produce the same output as each other, inputs B and B' likewise produce the same output as each other, and so on for some statistically-significant number of distinct outputs, the outputs will follow a random distribution.

In other words, the apparent strength of the hash is the actual strength of the hash, no matter how much information has been obtained (either by analysis or by chance). There are two "obvious" properties which are necessary but not in themselves sufficient to produce those criteria. These properties are:

a) The change in output in relation to a given change in input will follow a random distribution.

b) Where the change in input is a fixed increment of any kind, neither the output nor the change in output nor any other order differential may be constant or cycle as a whole (though unpredictable repeats are a requirement of randomness), no matter what the period of that cycle would be.

These properties are common to almost all systems that are sensitive to initial conditions, which is why some of the more elaborate hashing schemes use well-understood chaotic systems rather than trying to mess around with the underlying cryptographic theory. If you know the system is deterministic (ie: for identical input it must produce identical output) but is non-predictable (ie: there exists no method whatsoever for figuring out the output - or even guessing the range it might fall in, other than the entire allowable range - for a given input except to perform the operation) then predicting a collision should be impossible. In practice, chaotic systems aren't the easiest of beasts to work with when you want fixed-length hashes and you want them yesterday. You could produce extremely strong cryptographic hashes chaotically if you don't mind waiting a day or two for each one.

In practice, no cryptographic hash will be totally "perfect", it can only be approximate. And the faster it needs to be, the more shortcuts you need to take, so the less perfect it can be even in theory. This is one reason there is some commentary on the SHA3 mailing list on whether speed should be as emphasized in the current test as the criteria suggest - that maybe NIST should relax that a little and get something stronger. Weaknesses in MD4, MD5 and even IPSec have been pointed out in respect to an overemphasis on speed in the past. Not sure on how far you could go with that, but the very impressive speedups achieved on the posted hashes suggests that the speed of the algorithm is a non-issue, that there are so many avenues for making the code faster that you can disregard that side of things almost entirely. At least for this contest. The better choice may well end up being the stronger choice, no matter what the relative performance of the reference implementations.

Re:No weakness

this is from a weakness. sorry. we cant do 2^128 in a lifetime yet.

Re:No weakness

[julesh]

The way I understand it, for example, 4096-bit RSA either requires a dramatically new approach (quantum computing), or, with current technologies, requires every atom in the Universe to be assembled into a massive compute cluster, and that cluster needs to run for longer than the heat death of the Universe.

AIUI, that's only true if P != NP, which is assumed but not proven.

Re:No weakness

MD5's been out of date for a few years now and it's been broken for nearly that long. Using MD5 eliminates the CA's credibility.

Unfortunately, none of the leading browser vendors seem to agree with you. When they do, expect MD5 to fall into disuse quite rapidly.

No one should be surprised.

[gandhi_2]

The fact has always been that MD5 collisions can be calculated with rainbow tables for all sorts of reasons... Why weren't all CA's using SHA-1? It's trivial enough with the openssl from apt-get.

Re:No one should be surprised.

[blueg3]

You have no clue what you're talking about. Rainbow tables are only useful for small inputs, and work regardless of the hashing function.

MD5 collisions have been computable, but it's only really reasonable to produce two strings with the same MD5 hash -- not to produce a single string with a given MD5 hash.

Re:No one should be surprised.

[starfishsystems]

As SHA-1 is somewhat weak also, use the SHA-2 family, for example SHA-256 or longer instead.

Be sure to test the resulting cert infrastructure before deploying it. I (vaguely) recall a couple of years ago that OpenSSL lets you specify some legal hash names which it verifies just fine, but browsers such as Firefox may obscurely fail to recognize them when verifying the certificate chain.

Re:No one should be surprised.

[kasperd]

but it's only really reasonable to produce two strings with the same MD5 hash

Strictly speaking you can produce multiple strings with the same MD5 hash. I think the 2007 attack actually demonstrated 10 or more choosen prefixes leading to the same hash, they just had to add more garbage to the end.

not to produce a single string with a given MD5 hash.

Correct, that is still not feasible. And I don't see any indication that it is going to be any time soon.

THe interwe'bs not broken

[Strep]

What's the big deal? Just use another hash.

CA's using MD5

[xaosflux]

FTA, the following common CA's are still using MD5.

RapidSSL
C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1

FreeSSL (free trial certificates offered by RapidSSL)
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications

TC TrustCenter AG
C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de

RSA Data Security
C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority

Thawte
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

verisign.co.jp
O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

Re:CA's using MD5

[McNihil]

I guess one could do this too

grep -A 1 md5WithRSAEncryption /etc/pki/tls/certs/ca-bundle.crt |grep "CN"|awk -F "CN=" {'print $2'}

which yields the following

GTE CyberTrust Root
GTE CyberTrust Global Root
Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com
Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com
Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
Thawte Server CA/emailAddress=server-certs@thawte.com
Thawte Premium Server CA/emailAddress=premium-server@thawte.com
Entrust.net Client Certification Authority
Equifax Secure Global eBusiness CA-1
Equifax Secure eBusiness CA-1
Thawte Timestamping CA
Entrust.net Secure Server Certification Authority
Entrust.net Client Certification Authority
IPS SERVIDORES/emailAddress=ips@mail.ips.es
NetLock Kozjegyzoi (Class A) Tanusitvanykiado
NetLock Uzleti (Class B) Tanusitvanykiado
NetLock Expressz (Class C) Tanusitvanykiado
Free SSL Certification Authority/emailAddress=admin@startcom.org

Can someone double check?

Re:CA's using MD5

[Tony+Hoyle]

Find these in the browser and delete them.

*No* certificate issued by these providers is secure. If your bank uses them, then tough.. your bank has a problem and they should have bought their certificate from a competent provider.

Re:CA's using MD5

[blueg3]

No, it needs to be a CA that is issuing certificates with MD5, not a CA whose certificate is signed by MD5. With this attack, already-created certificates are not vulnerable.

Re:CA's using MD5

Do any of these ship with Firefox 3.0? I can't seem to find them in the list.

Re:its only the CA's that use MD5 so the question

[gclef]

It's in their slides. As of 2008, there were some big names still using MD-5:

RapidSSL
FreeSSL
TrustCenter
RSA Data Security (!)
Thawte (!)
verisign.co.jp

Possible solution?

[marcopo]

I'm not familiar with the details of certificate use, but as far as the cryptologic component there seems to be a reasonable fix, that will not require any change from end-users or invalidate existing certificates (apart from changing the hash).

The attack is based on finding a hash collision between certificates A and B, having the CA signing A, and using the signature for B. If the CA were to make a small change to A before signing it the attack would be foiled, since it requires active participation from the CA.

Suppose the CA started to add a few random bits to each certificate before signing it. The applicant is told what these bits are, so that they can use the signed (modified) certificate to verify themselves to users. With just a few extra bits this would make the attack unfeasible. Does this make sense?

Re:Possible solution?

[Kz]

those 'extra bits' are called 'salt', and this scheme is widely used with 'shared secret' validations; but won't work here.

using your words: the applicant doesn't know A, so can't apply the extra bits to verify.

Re:Possible solution?

Such a notion effectively exists, and the article notes it. The CA adds data to the "to be signed" portion of the request--specifically, an effective/expiration date in seconds, and a serial number.

At least in part, the attack relies on the ability to predict what values the CA is going to use for those items. They were able to predict the time by observing the certs were usually issued for 1 year starting 6 seconds after the request was submitted. They were able to predict the serial numbers by observing that the CA used sequential serial numbers, so by issuing enough requests just before submitting the "real" request, you could force the serial number to be a predicted value.

Both items could be strengthened to dull this attach. If the serial number were random/pseudorandom, it would be MUCH harder to predict the serial number. Also, if the CA issued a "random delay" in issuing the certificate (even on the order of "wait a random number of seconds between 1 and 60") would make it hard to predict the effective time.

Still, while taking steps here (at a minimum, randomizing the serial numbers) would help with this specific attack, at best (as TFA notes), that's a band-aid. The randomness of the serial numbers might be crackable, and randomizing dates just makes it harder, not impossible, to conduct such an attach.

Re:Possible solution?

[PAjamian]

Very true, in fact there are currently two factors in control of the CA, the certificate validity period (with a resolution of 1 second) and the serial number. The attackers were able to reasonably predict both with RapidSSL due to the fact that they use sequential serial numbers. If the CA were to simply change to random serial numbers then this attack would be foiled.

That said, the best way to deal with this is to simply stop using md5 to sign the certs and use sha-1 instead.

Re:its only the CA's that use MD5 so the question

ftfa:

        * RapidSSL

        * FreeSSL (free trial certificates offered by RapidSSL)
        * TC TrustCenter AG

        * RSA Data Security

        * Thawte

        * verisign.co.jp

The sky is not falling.

[viega]

A lot of people in the twitterverse seem to think otherwise, but this is not a major breakage of the Internet. See my commentary at O'Reilly: http://broadcast.oreilly.com/2008/12/the-sky-is-not-falling-on-toda.html

Re:The sky is not falling.

Thawte
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

Is using MD5. Want to disable their CA in your browser?

Re:The sky is not falling.

[viega]

Read the article carefully. Just because something is signed by MD5 doesn't make it broken. Signing future things with MD5 without proper randomization is bad, but I don't expect anyone other than the third tier CAs to do that kind of thing after this. I will also say that the attack will leave a pretty distinctive signature in CA logs. Plus, nobody would say "revoke Thawte's cert retroactively", but it should probably not be used anymore, and no CA certs issued with it should be accepted anymore. In fact, those issued over the last year, Thawte should publish which ones it issued separately. If browsers respected that list (a one-time thing), it would close the remaining hole (for Thawte... each CA affected would need to do the same thing).

Re:The sky is not falling.

[Tony+Hoyle]

"Therefore, the only certificates that are problems are ones where someone has already launched this attack. We know it's happened once, but that list is probably pretty small. And, there's a good shot that the bad guys haven't done it at all."

He's wrong, and has completely failed to understand the significance of this. He seems to think that it requires the CA to sign these certificates or something.

As long as there are *any* MD5 CA certificates in the browser then the bad guys can duplicate it and generate valid certificates for *any site on the internet* - including your bank. Man in the middle attacks just got a hell of a lot easier. Phishing attacks just got a hell of a lot easier.

Vulnerable CAs include Thawte and RSA, which means this is pretty damned big.

Re:The sky is not falling.

[Tony+Hoyle]

You still seem to think the CA is involved in this. Read how the attack is done. They generate a certificate with the same MD5 as an existing CA certificate. This allows them to issue certificates as if they were signed by the CA *without the CA having any knowledge*.

It is now impossible to trust any certificate signed by CAs using MD5. If that includes thawte then tough - they're going to have to reissue all their certificates.. they should have thought of security instead of trying to cut corners.

Re:The sky is not falling.

[viega]

You're wrong. Read the attack author's write-up here: http://www.win.tue.nl/hashclash/rogue-ca/ You will see that they absolutely need to get the CA to endorse the data they produce. They come up with two certificates in advance that, under the right conditions, will both validate when one of them is signed via MD5. That means, you cannot take an arbitrary cert on the internet and feasibly come up with an identical cert that is malicious, where the same signature applies.

Re:The sky is not falling.

[viega]

No, you misunderstand their attack. A CA definitely needs to be involved. You trick them into signing a web site cert, but then that signature can be pasted on to your other cert, which is a CA cert. You thus mint your OWN CA cert that a Thawte or whoever has accidentally endorsed, due to the collision you have generated. Note that this dependency on an existing valid CA is why there is a long section about how to anticipate the CA's serial numbers and validity periods.

Re:The sky is not falling.

[Simon+(S2)]

I think in your article you got this wrong. "That kind of attack doesn't seem like it's going to be practical in the next few years, though we should expect it will be possible sooner than later (developers: stop using MD5. Switch to something in the SHA family)."
The CCC guys already created a CA cert with which they can sign any cert for any host they want. That cert, signed by that forged CA cert, will look legitimate to the client browser, because it looks like it is signed by a trusted CA. So, yes: the sky is falling.

Re:The sky is not falling.

[viega]

I was talking about finding a new cert where the signature matches any arbitrary web site cert. That is, you can't take Citibank's cert and produce a new cert that says citibank that also has the same signature. I was mentioning this because most people seem to think that this is what the attack involves. The actual attack involves getting your own rogue CA by tricking an existing CA that signs using MD5 to sign a carefully crafted certificate. The actual attack does indeed work. It's been assumed this was approaching possible for a while, which is why most CAs long since moved to abandon MD5.

Re:The sky is not falling.

Getting a rogue CA setup requires some minimal assistance from another CA. However, once that is done the rogue CA can send out as many bad certificates as they want without any sort of outside assistance. This means that your claim "you cannot take an arbitrary cert on the internet and feasibly come up with an identical cert that is malicious, where the same signature applies." is complete and utter BS. The rogue CA can make certificats for whatever they want, and there isn't anything you can do to stop them.

Re:The sky is not falling.

[viega]

That's an entirely different thing. If you look at my article, I do explain this. But you can easily revoke them all by revoking the rogue CA's credentials. And, once the hole is plugged at the few CAs signing w/ MD5, that is all you have to do (tho it is best done in the browser, not through CRLs or OCSP). The Internet is not going to die. This is not a big deal.

Re:The sky is not falling.

[pegr]

"That means, you cannot take an arbitrary cert on the internet and feasibly come up with an identical cert that is malicious, where the same signature applies."

No, but I can bogotize a signing cert and use it to sign another arbitrary cert for any site name I please. What's the diff?

Re:The sky is not falling.

[Simon+(S2)]

I was talking about finding a new cert where the signature matches any arbitrary web site cert. That is, you can't take Citibank's cert and produce a new cert that says citibank that also has the same signature. I was mentioning this because most people seem to think that this is what the attack involves.

But that is not th case in this attack. You don't need to create a cert that hase the same signature, just a cert for the same host signed by a trusted CA (and that is much worse). Anyway, you got the attack wrong. I think you may have understood that by now.

Re:The sky is not falling.

[SanityInAnarchy]

Here's a question: Why would a CA add randomization, instead of forcing at least SHA1?

Re:The sky is not falling.

[Gothmolly]

Your use of the word 'twitterverse' marks you as a complete douchebag.

Re:The sky is not falling.

[viega]

Actually, they should do both. Whether true or not, I have visions of the CA being written by one guy n years ago, and it's been on autopilot ever since. I can imagine that he's got a hardcoded 16 byte value somewhere, and it's easier for him to randomize a sequence number than to make sure he got hardcoded values right across his code base. If it were me, I'd have abandoned MD5 in 2004, when most other people did. But, with a large random value, it is a "good enough" solution until MD5 is fully broken. I'm not sure which will happen first, a full break on MD5, or the same kind of collision attack on SHA1 that the researchers used here. I actually suspect the answer is that SHA1 is more vulnerable to this kind of attack than MD5 is to a full break. SHA1 has the same structural weaknesses. The only thing saving it is the bit length. As the complexity of this attack on MD5 comes down from brute force (O(2^64)) we can expect it's coming down on SHA1 as well. Maybe this same kind of attack is feasible given a year of time on a much bigger cluster, or something like that. Yes, people here are going to misread this to think I mean MD5 is stronger than SHA1 (which it certainly isn't), but that's slashdot for you.

Re:The sky is not falling.

[viega]

There are lots of differences. The important one is the impact for dealing with the problem. If the signature for any cert in the world signed by MD5 could be stolen, then you couldn't trust anything with an MD5 signture and we'd therefore have to treat every web site serving up an MD5 cert as bad, which would cost lots of people time and money. With this attack, there's a very good chance that no bad guy will ever use the attack in real life, and even if they do, it is not too hard to identify and blacklist the few rogue CAs that will exist, which will automatically invalidate any fake certificates. Most web site certs out there today that were signed by MD5 are perfectly fine (probably through their entire validity period), and there is no need to incur the cost to have people replace them.

Re:The sky is not falling.

[viega]

I think you either didn't read my writeup at all, or didn't understand it. But, I most certainly got it right. Ask any other cryptographer out there. Or, just read the researchers write-up carefully. It is very clear.

From what I understand from your posts, you're saying I don't need to create two certs with the same hash, I "just" need to create a new cert that matches an existing web site's cert. That's not true, and some intuition should demonstrate it. If you understand the birthday paradox, it says that, with brute force for MD5 (that is, if we assume MD5 is perfect), my explanation (remember, brute force), would be O(2^64) to attack. Yours would be O(2^128). Now, if someone has tricks to do better than brute force, perhaps they'd work in your context but not mine, or vice versa. Or, more likely, any structural weaknesses in MD5 are likely to have implications for both kinds of attack. Now, since O(2^64) was already near the border of feasibility, while O(2^128) was very far from it, which kind of attack was likely to become more practical first?

The whole point of my post on O'Reilly was that people do seem to think the research in question represents the scenario you're talking about. If that were the case, we would indeed have to quickly stop allowing even legacy MD5 certificates, which would be a little painful. But, that is absolutely not the case. If the few risky CAs deal with the problem quickly, this will be a huge non-event.

Re:The sky is not falling.

[pegr]

"If the signature for any cert in the world signed by MD5 could be stolen, then you couldn't trust anything with an MD5 signture and we'd therefore have to treat every web site serving up an MD5 cert as bad, which would cost lots of people time and money."

And that is exactly the situation. Thanks for putting it so well. Actually, it's bigger than that, since I can fake any cert (with my magic bogotized signing cert).

"With this attack, there's a very good chance that no bad guy will ever use the attack in real life, and even if they do, it is not too hard to identify and blacklist the few rogue CAs that will exist, which will automatically invalidate any fake certificates."

Could you explain this to me please? I have a fake signing cert. I use it to make other certs for any site I please. You can't blacklist the cert, because it's apparently "signed" by a trusted CA. You would have to remove any trusted CA that uses MD5 to sign certs. They've already been identified. How likely is Microsoft to push "Updated Root Cert" patch to Windows users, effectively removing the value of all certs from:

RapidSSL
C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
FreeSSL (free trial certificates offered by RapidSSL)
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
TC TrustCenter AG
C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de
RSA Data Security
C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
Thawte
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verisign.co.jp
O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

Until this issue hits enough people to come up on their radar, everyone is vulnerable to MitM attacks. When it does hit the radar, there will be massive finger-pointing, and victims will be screwed.

The root of the problem is this: Certs are about trust. Microsoft trusts those that are untrustworthy. I am forced to assume the risk of Microsoft's trust decisions. I therefore do not trust Microsoft. Lesson: You can't trust anyone who doesn't have skin in the game.

Two sidenotes: This issue applies to all browser vendors, not just MS. And Jesus H. Tap Dancing Christ, what the F is RSA doing on that list?

Re:The sky is not falling.

[viega]

There's some confusion here. I'll try to clear it up. Let's imagine that you've got FredCA that got its CA credentials from Verisign. Let's say FredCA is perfectly legitimate. That means that they have a cert with a signature on it from Verisign. Let's say that Citibank wants to get a leigitimate certificate and they go to FredCA. The certificate they get back is signed by FredCA.

When your browser goes to Citibank, it gets to see the entire certificate chain (the server sends back a PKCS blob of the entire chain). It validates not only that the Citibank cert was signed by FredCA, but it also validates the signature on FredCA's certificate. If it trusts Verisign, then it makes sure that the certificate is definitely one it knows maps to verisign, and then everything is trusted.

A lot of people here seem to believe that the attack is that a bad guy can take the cert that FredCA endorsed for CitiBank or the cert that Verisign endorsed for FredCA (as long as the signature uses MD5), and steal the signature for their own certificate. If that were true, then we could not trust any certificate signed by MD5. Good thing that most certs have been issued via SHA1 for a while.

But, that is not true. In this attack, the bad guy can generate a pair of certificates, one that the CA signs, and another for which the same signature happens to be valid. You cannot do this to any cert on the internet, the pair of certificates have to be specially crafted.

In this attack, the bad guy gets FredCA to sign a certificate for DummyOrg, but when the bad guy created the DummyOrg cert, he created a matching cert for his own CA, call it EvilCA. Since the certs were created together in a particular way, the bad guy can take the signature off the DummyOrg cert and paste it onto the EvilCA cert and everything will work.

With the EvilCA cert, he can create certificates that claim to be from any site on the internet, even though they are not. When they get to the browser, the browser looks at the whole chain, and it looks good, even though FredCA never signed the EvilCA certificate. However, once we blacklist the signature for the DummyOrg cert, we will immediately blacklist everything endorsed by EvilCA, because when a browser goes to validate the whole chain, they'll see that the certs are issued by a blacklisted CA, and thus would know that the certificate is fake.

Also, note that there's a good reason to believe this hole will be closed well before any bad guys actually try the attack. At most, the world will have to blacklist a small handful of rogue CA certs.

Additionally, for the CAs other than RapidSSL, it's not clear they can be attacked easily. As far as I know, they all usually sign with SHA1. I don't know how you would get them to choose MD5, but I suspect none of them will do it anymore after this. And, even if they did, you would need to know how to predict their sequence number and the date values they add to the certificate. With RapidSSL that was all automated and very predictable. It could be with the other CAs, but it isn't necessarily the case.

Hope this helps.

Re:The sky is not falling.

[pegr]

So how might you blacklist a cert you've never seen? Only victims see it. And if you see it, you're already a victim. Add to this that any number of bogo-signing certs can be made, sitting in reserve, ready to pull out whenever one fails. No, the only confusion here is yours.

Best defense: "How to Remove a Root Certificate from the Trusted Root Store". Remove the RapidSSL cert, and any others that you have reason to mistrust.

Secondarily, hope no crap falls on you when someone you know gets hit.

Re:The sky is not falling.

[SanityInAnarchy]

Maybe this same kind of attack is feasible given a year of time on a much bigger cluster, or something like that.

Only if it scales linearly. Remember, DES is trivially cracked, but triple-DES is still secure (last I checked).

Re:The sky is not falling.

[viega]

The relative security between MD5 and SHA1 is currently more or less linear to the digest size, though more work has been done on practical applications on MD5, so it is a little weaker relatively. For cases where the birthday paradox applies, you lose 1/2 your bit length in the brute force case.

Re:The sky is not falling.

[viega]

For most people, this will put them at MORE risk than selectively blacklisting rogue certs as they are identified:

1. It is very likely that no bad guys will ever get a chance to use this attack. For them to use the next MD5 attack they would need to be able to predict a sequence number several months in advance, instead of several days.
2. Any attack of this type will be pretty obvious from the CA's logs. CAs that sign with MD5 will need to invest some man power in manual validation, but this is not a huge cost. This is how you find the unknown certs, if there are any (which is highly likely).
3. Since many legitimate web sites use SSL/TLS certs from RapidSSL, taking your advice for remediation will just give them pop-ups on some legitimate sites, which is likely to desensitize them. When people get enough pop-ups for stuff that isn't a risk, it's well known that they start just clicking through, so this would put the average person more at risk.

Re:The sky is not falling.

[Ararat]

"And Jesus H. Tap Dancing Christ, what
the F is RSA doing on that list?

Getting smeared! (sigh)

The CA identified by Sotirov et al as owned by "RSA Data Security" was actually RSA's original "Secure Server Certification Authority." It was legally transferred from RSADSI to VeriSign back in 1995, when RSA spun off VeriSign as an independent entity. (Apparently the designated names of root CA can't be changed while they are operational.)

RSA, now part of EMC, still runs two root CA, both of which use SHA1 digests.

This is an all-VeriSign show. All the CAs listed as potentially vulnerable to a MD5 collision attack are owned or controlled by VeriSign.

PS3 power

[d3l33t]

interestingly enough they used playstations to do so

Re:PS3 power

Well it sure isn't playing GAMES...

A nice piece of work

[Animats]

That's a nice piece of work. I'm very impressed.

Practical conclusions:

• The weakest trusted CA in the world compromises the entire public key infrastructure. What they've been able to do is not just create a phony SSL cert. They've been able to create a trusted but phony certificate authority root certificate which can be used to sign other certificates.
• MD5 has to go. The PKI infrastructure already supports SHA-2, which is considered better; MD5 is only there for legacy certs. So an upgrade doesn't require end-user browser changes; it can all be done by CAs and web sites.
• It's not that hard to do this attack, but it does take some resources. They used a farm of 200 Playstation 2 machines to attack MD5. This is well within the capabilities of, say, the Russian Business Network.
• RapidSSL and FreeSSL seem to be the current weakest points in the system. "Out of the 30,000 certificates we collected, about 9,000 were signed using MD5, and 97% of those were issued by RapidSSL." Worse, those two issuers issue certs with ascending non-random serial numbers, so that, with careful timing, they can be induced to issue a cert with a known bit pattern, which is required for this attack. Probably, RapidSSL and FreeSSL's trusted root cert should be pulled from IE and Netscape, and all certs from those sources re-issued using SHA-2 hashes.
• I don't think the RapidSSL and FreeSSL root certs are EV-enabled, so this specific attack probably can't be used to generate phony Extended Validation certs. Also, the EV standards require SHA-2 or better hashing, not MD5, which is more of a legacy hash algorithm. So the EV cert world is probably still secure.

Re:A nice piece of work

EV requires SHA-1, not SHA-2, but you're right that EV is an effective mitigation. Not all devices (e.g. phones) support SHA-2 yet but all support SHA-1.

The number of certs issued isn't very relevent; this isn't a second pre-image attack. So, RapidSSL/FreeSSL simply need to stop issuing MD5-signed certs.

Re:A nice piece of work

[gatekeep]

"The weakest trusted CA in the world compromises the entire public key infrastructure."

That's a slight overstatement. It compromises the entire public key infrastructure for which that CA is the root of trust.

If you removed all MD5-enabled CAs from your trusted roots list, you remove the potential of being fooled by a forged cert. Certs issued by other CAs, unaffected by the brute-force MD5 collisons, remain as trustworthy as they ever were.

Granted, for most people the chain of trust ties back to the default CAs that ship with their browser, and if any of those CAs is vulnerable, your faith in any cert validated as 'trusted' by your browser goes down, and most people don't bother looking at what CA issued the cert so long as their browser deems it trustworthy, but it's a little more nuanced that 'compromises the entire PKI infrastructure.'

I suspect browser patches will be out soon, removing trust for affected CAs entirely, not trusting them past a certain date, or at least giving warnings when MD5 signature verification is found along the chain of trust.

Re:A nice piece of work

[gknoy]

Will blacklisting the CA (locally on my machines) make any difference? (Perhaps a better question is, can I as an end-user do anything to protect myself from certificates issues from CAs that have not upgraded to better hashing?)

Re:A nice piece of work

[ALecs]

You seem to be able to disable root CAs in firefox. In "preferences" > "advanced" > "view certificates" > "authorities". FreeSSL is in there, listed as "startcom ltd". I guess we might all want to remove that now?

Re:A nice piece of work

[Rayban]

If you blacklist all CA's that use MD5 hashes in the root, you are likely safe (unless there's an unsafe intermediate somewhere).

IMHO, this needs a browser fix to mark any certificate with MD5 in its chain as potentially untrusted.

Re:A nice piece of work

[Tony+Hoyle]

No, RapidSSL/FreeSSL need to remove their MD5 CA from the trusted list. Merely stopping issuing new certs is not going to do anything - the entire trust chain is compromised until *all* MD5 CAs are removed from the trusted list. In practical terms that means they need to reissue all certs based on the old CA.

Re:A nice piece of work

Yes, such as a popup (localized to the page please):

The CA and the guys operating this website don't know nothing about security or are only in it for the money. Do you want to proceed doing business with these idiots [yes/no].

Or:

The security provided by this website is so bad you may call it criminal. Do you want to proceed doing business with these idiots [yes/no].

In the special case that the certificates have been issued after this date. There is simply no reason to *issue* MD5 certificates at this point in time, except when trying to keep that specific, broken, PKI infrastructure intact to milk it out just a tiny bit more. All browsers I know will accept SHA-1, it hardly makes any difference in time, so why issue MD5 certificates?

I hope nobody gets duped by this. If they do, they can sue a nice, fat CA for gross negligence.

Re:A nice piece of work

"The weakest trusted CA in the world compromises the entire public key infrastructure."

That's a slight overstatement.

For most users it is not an overstatement. For the average web surfer, seeing the icon indicating a secure transaction means ... the transaction is secure.

This may no longer be the case. For most users, the entire public key infrastructure is compromised.

Re:A nice piece of work

[owlstead]

What they've been able to do is not just create a phony SSL cert. They've been able to create a trusted but phony certificate authority root certificate which can be used to sign other certificates.

Almost correct, it is in fact an intermediate CA certificate. This can be used for certificate trees of 3 certificates in depth (or more). Of course, creating a "root CA" has very little effect, since you will have to include it into the secure store of the browser if you do.

Otherwise you are right on the money. It certainly won't matter to the end user what kind of certificate it is, root or intermediate.

Re:A nice piece of work

[blueg3]

What matters is not what hash is used in the root, but what algorithm newly-issued certificates can be hashed with. If the CA can be convinced to issue a certificate hashed with MD5, then it is susceptible to this attack. If newly-issued certs must use SHA1 or better, than it is not susceptible, even if the root certificate is hashed with MD5.

(Moreover, one could imagine that there is a root cert signed with SHA1, but the CA issues MD5-signed certs. This would also be vulnerable.)

Fortunately -- and not at all surprising, if you follow cryptography -- this attack requires that you craft two certs and get the CA to sign one. Computing a collision against a preexisting cert is still infeasible.

Re:A nice piece of work

After reading this article, I think that RapidSSL/FreeSSL should stop issuing certificates altogether. I really hope that CA-s like this get banned by browser vendors.

Re:A nice piece of work

It's not that hard to do this attack, but it does take some resources. They used a farm of 200 Playstation 2 machines to attack MD5. This is well within the capabilities of, say, the Russian Business Network.

Forget about the RBN, this is also well within the capabilities of governments worldwide. How often have people - me included - said "use SSL" when yet another story crept up about how the UK, or Australia, or Germany, or whatever other supposedly "free" country moved closer to censoring the Internet?

But with fake CA certificates this easy to create, how could you trust that the site you're connecting to which has a valid certificate that is signed by a major CA really is the one you want to connect to? With SSH, a certificate/key change would at least be flagged as suspicious, but would a browser even so much as raise an alert as long as the new certificate is properly signed and all that?

Re:A nice piece of work

Nice analysis, and well done on initiating a subthread for further analysis. Posts like yours are what make this such a strong community. Thanks!

Re:A nice piece of work

[Rayban]

Yeah, parent comment is correct. MD5 roots are not important *yet*, though they may be an issue in the future when MD5 collisions can be created arbitrarily (versus using birthday attacks).

MD5 certs anywhere in the chain (with the exception of the trusted root) mean that the certificate is suspicious *today*.

Re:A nice piece of work

[blueg3]

To be more specific: if any certificate in the chain has both been issued by a CA (that is, it is not included in your list of "trusted certificates") and its signature includes only an MD5 hash, it is untrustworthy.

So far there is no known method for creating a string with a specified MD5 hash. In this regard, the only advantage SHA1 has over MD5 is hash length.

There are other serious problems that people seem to ignore over MD5's weakness. These CAs are not only not really doing much identity validation, they're violating a major cryptographic principle -- they are simply automatically signing data that is directly generated from user-supplied data. Having predictable serial numbers, validity times, and fields that can contain large amounts of arbitrary data is what allows this attack to work in the first place.

Re:A nice piece of work

[Z-MaxX]

It's not that hard to do this attack, but it does take some resources. They used a farm of 200 Playstation 2 machines to attack MD5. This is well within the capabilities of, say, the Russian Business Network.

Actually, they were PlayStation 3 machines. "Luckily it is also very suited for the special SPU cores of the Cell Processor that the Sony PlayStation 3 uses. We had about 200 PS3s at our disposal, located at the 'PlayStation Lab' of Arjen Lenstra at EPFL, Lausanne, Switzerland"

Re:A nice piece of work

[this+great+guy]

MD5 has to go. The PKI infrastructure already supports SHA-2, which is considered better; MD5 is only there for legacy certs. So an upgrade doesn't require end-user browser changes; it can all be done by CAs and web sites.

Well an upgrade would require end-user browser changes: MD5-based CA certs need to be removed from their trusted CA list.

Re:A nice piece of work

[this+great+guy]

Well an upgrade would require end-user browser changes: MD5-based CA certs need to be removed from their trusted CA list.

Let me reword that: certs of CAs still using MD5 to sign web site certs need to be removed from the browsers' trusted CA list (because even CA certs signed with SHA-1 can be exploited if they issue MD5-based web site certs).

Re:A nice piece of work

[PAjamian]

They've been able to create a trusted but phony certificate authority root certificate

Correction ... it's not a *root* certificate, it's a CA certificate which is chained off the vulnerable CA's root. That said the distinction is mostly meaningless as the certificate can be used to sign an unlimited number of certificates for any domain name anyways.

MD5 has to go. The PKI infrastructure already supports SHA-2, which is considered better; MD5 is only there for legacy certs. So an upgrade doesn't require end-user browser changes; it can all be done by CAs and web sites.

It only really has to be done by CA's. This attack doesn't make an existing web site's certificate any more vulnerable to anything, regardless of how it was signed.

Probably, RapidSSL and FreeSSL's trusted root cert should be pulled from IE and Netscape, and all certs from those sources re-issued using SHA-2 hashes.

That's much more than is necessary. If RapidSSL and FreeSSL starts signing their certificates with sha-1 then there really isn't anything that need be done from the browser end, otherwise browsers could not trust md5-signed chained roots from RapidSSL and FreeSSL (as I'm fairly certain that RapidSSL and FreeSSL does not issue those legitimately anyways).

Re:A nice piece of work

That's not the one that's being dangerous; you want one of the GeoTrust ones. Link path:

http://www.win.tue.nl/hashclash/rogue-ca/ ("RapidSSL") ->
http://www.rapidssl.com/index_ssl.htm ("Signup") ->
https://products.geotrust.com/geocenter/reseller/register.do?partner=rapidsslpartners

Re:A nice piece of work

What they've been able to do is not just create a phony SSL cert. They've been able to create a trusted but phony certificate authority root certificate which can be used to sign other certificates.

No, they did not create a phony root certificate. They created a phony intermediate CA certificate.

Re:A nice piece of work

"The weakest trusted CA in the world compromises the entire public key infrastructure."

That's a slight overstatement. It compromises the entire public key infrastructure for which that CA is the root of trust.

Not really. Once you have a rogue CA, all websites can be spoofed with a fake certificate, so yes, the entire PKI is compromised. You are correct though, that it is sufficient to blacklist this one CA, and all problems are solved - but until said CA is blacklisted, the entire PKI world can be spoofed. Even sites that have their real certificates signed by good CAs, might find that a rogue certificate for their site validates perfectly.

Captcha: shutdown

Re:A nice piece of work

[ArsenneLupin]

After reading this article, I think that RapidSSL/FreeSSL should stop issuing certificates altogether.

Indeed. This MD5 issue is not the only problem that RapidSSL has. Their biggest issue is that they don't do any effort whatsoever to verify the requestor's identity. All the requestor has to do is:

1. Supply a phone number under which he can be reached
2. Prove that he can read e-mail sent to the domain to which he wants a certificate

The phone number is not verified, and using the number of a pre-paid mobile plan (or a callable phone booth) will work just fine.

Two may be a little bit tougher, until you think against what a certificate is supposed to protect: man-in-the-middle attacks.

So if the perp can get close enough to his target to mount a man-in-the-middle attack, he can also intercept mails sent to that target. Or, if the target is a webmail provider (hotmail, ...), he only needs to create one account out of the many allowed on the service.

Contrast this with other certification authorities, such as CA-Cert, which require a face-to-face verification with at least two volunteers which are trained and can be held responsible for errors.

Granted, domain ownership verification is not any more stringent than with RapidSSL (except for a smaller list of possible admin adresses), but at least in case of fraud, CaCert will have a chain of assurers leading to the perp in case of fraud, whereas RapidSSL would only have the number of a phone booth in a shady neighborhood.

Now, guess who is trusted by most browsers?

Yes, RapidSSL is, while CaCert isn't.

Missing option

[pjt33]

I'll set fire to CowboyNeal. That kills two birds with one stone: fuel and food.

Re:Missing option

[Ethanol-fueled]

Why dosen't Taco just open up Neal's corpse with a lightsaber and crawl inside?

Re:Missing option

He could get lost...

Re:Missing option

[Chyeld]

Give a man a match, provide him light for a second.
Set a man on fire, provide him light for the rest of his life.

Re:Missing option

[kat_skan]

Good god. It'd be like fifty cubic miles of tire fire compressed into some degenerate phase of matter wearing size 59 pants. You'd probably kill every bird in the county.

Re:Missing option

[Drantin]

Set a man a fire, he'll be warm for a night.
Set a man afire, he'll be warm for the rest of his life.

Re:Missing option

[Tumbleweed]

Set a man a fire, he'll be warm for a night.
Set a man afire, he'll be warm for the rest of his life.

That reminds me of my personal motto: Immolation is the sincerest form of flattery.

Re:its only the CA's that use MD5 so the question

[perp]

If I understand the CCC's paper correctly, as long as *even one* of the CA certs trusted by the browser uses MD5, it is possible (with considerable effort) to create an intermediate CA cert that can be used to sign a cert for any FQDN, say paypal.com. Then with a little DNS poisoning, the user is directed to an https site, with a correct domain name and (if the user looks, not bloody likely) a perfectly good certificate that looks like it was signed by a cert that was signed by a cert trusted by the browser.

You don't have to create many rogue certs, all you have to to is create one rogue intermediate CA cert that can sign as many certs as you like, all of which will be accepted with the default browser config. This is what the CCC has done.

Insecure algorithm test tool

[vanbroup]

Networking4all created a tool to check if a certificate in the chain has been signed with a insecure algorithm

Example:
http://www.networking4all.com/en/support/tools/site+check/?fqdn=www.verisign.com

You can check all sites on:
http://www.networking4all.com/en/support/tools/site+check/

Re:Insecure algorithm test tool

[DavidB]

It would be nice if someone could make a Firefox plugin to do this same check.

Not the end of the Internet...

If I understand correctly, it's only a problem for certificates that use only a MD5 fingerprint. For two of the CAs they mention in their paper as doing this, it doesn't seem to be the case: Amazon Germany (certificate from Thawte) and Commerzbank (from TrustCenter) have both MD5 and SHA-1 fingerprints. Good luck generating a rogue certificate that generates a collision in both fingerprints...

I would assume all recent certificates have both fingerprints. Anyway, making sure that the certificate you just got from your online banking site has both fingerprints wouldn't be paranoia anymore...

Re:Not the end of the Internet...

[Rayban]

It's a problem for all websites. All you need to do is forge a certificate from Amazon that uses MD5 and redirect someone's browser via Wifi hacking or DNS redirection.

The browser doesn't know that Amazon didn't use Verisign's busted MD5 cert root.

Re:its only the CA's that use MD5 so the question

[MonkeyOnATypewriter]

From TFA, the CAs that use MD5 are these:

        * RapidSSL
            C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        * FreeSSL (free trial certificates offered by RapidSSL)
            C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
        * TC TrustCenter AG
            C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de
        * RSA Data Security
            C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
        * Thawte
            C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
        * verisign.co.jp
            O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

Rouge certificates are bad?

[frank_adrian314159]

OK, that's it! I'll only accept chartreuse and lavender certificates from now on. Maybe ivory, too.

Banking is typically slowest to change its crypto

[StandardCell]

Of all the industries that are slow to implement change in cryptographic practices, banking is by far the slowest. Part of this is bureaucratic inertia, part of this is lack of trust of newer algorithms until "proven" safe, and still part of this is reliance on legacy HSMs in their server facilities. Even the NSA has mandated a faster transition to better crypto (e.g. Suite B) than banking. Banking is still using 3DES instead of AES128, although for practical purposes brute-forcing 3DES at 112 bits of effective security isn't that much worse than AES' 128 bits. Banking won't move quickly unless someone starts stealing many thousands of high-profile accounts, but it'll be a bit like a buffalo stampede.

Still, it's mind-boggling that MD5 is still in use by anyone at this point given that it is susceptible to collisions. NSA Suite B is very clear that SHA2 256 is the minimum acceptable hash, and so it should be elsewhere regardless of your symmetric or asymmetric crypto. Back in the day when RSA512 was still used for PKI because of limited computing power, there might have been an excuse to stick to MD5. And yet, we all moved on to RSA1024 and RSA2048 because RSA512 was broken too. SHA2 is free, and it works. It really is time to move on from MD5 for all uses.

Funny enough that the entire security of the Internet as most users see it is based on the MD5 hash of the browser binary...

Reality check for Mozilla

[Burz]

First, this issue is about banks (for instance) verifying themselves to the client, not the other way around, so not sure how OTPs and such figure into this.

Overall, between the drama over one of Comodo's trustee CAs handing out certs without verification (for mozilla.com no less) and this MD5 attack, there is a lesson on this for Mozilla:

Trusted CAs aren't the epitome of web safety. In fact, they are LESS safe than one of those "Invalid" (to use Mozilla's ill-chosen words) self-signed certificates under some circumstances.

I put the ranking of https safety as follows:

1. Any self-generated cert (even self-signed) which has been directly copied from the service provider (bank, etc.) and imported into the browser.

Though this is the most secure, it is a shame that the user may receive warnings from other Firefox users who visited the site about the cert being "Invalid", undermining confidence in this most secure method of using certs.

2. Any self-generated cert (even self-signed) verified by SHA1 fingerprint "out of bank" (e.g. letter or phone call or even email) then imported into the browser. Unfortunately the easiest method to initiate this procedure (visit the site, verify then click on a button to import) is now somewhat broken in Firefox and will quite inappropriately undermine the user's confidence in what is otherwise a very secure cert.

3. Relying on the browser-trusted CAs. Unfortunately there now many of them which are obscure even in the tech community, and some are sloppy and incompetent.

Re:Reality check for Mozilla

ingdirect.ca has both

user number

then you verify computer (if changed from last login) by providing answer to some question you setup previously. This helps to identify you to the bank.

Then the bank identifies itself to you by displaying picture + phrase you chose for the bank along with the pin prompt. This prevents attacks where pin entry area is cloned on phishing site.

Problem solved.

Spoofed logins are remedied by displaying user configured contents at login prompt, like ING Direct does.

Certs just prevent Man in the middle attacks. They don't identify anything unless you trust the CA. Hence, I have my own CA for stuff I want to trust.

Re:Reality check for Mozilla

[aj50]

1. Any self-generated cert (even self-signed) which has been directly copied from the service provider (bank, etc.) and imported into the browser.

Though this is the most secure, it is a shame that the user may receive warnings from other Firefox users who visited the site about the cert being "Invalid", undermining confidence in this most secure method of using certs.

If the certificate is imported into the browser as a trusted certificate you don't get the warning, that's the point.

The invalid warnings are for when the certificate has been sent over an untrusted connection and you have no assurance that the certificate is the correct one for the site. In this case, flashing a huge warning in the user's face is absolutely the right thing to do since at the moment, all legitimate online shops have a certificate verified by a third party.

The trusted third party solution we have currently is the most convenient since it's all automatic and transparent to the user. What we're recently finding is that some of these trusted third parties are not turstworthy.

Re:Reality check for Mozilla

The picture + phrase thing does *not* protect against man-in-the-middle attacks. It just gives a false sense of security.

Re:Reality check for Mozilla

[Burz]

1. Any self-generated cert (even self-signed) which has been directly copied from the service provider (bank, etc.) and imported into the browser.

Though this is the most secure, it is a shame that the user may receive warnings from other Firefox users who visited the site about the cert being "Invalid", undermining confidence in this most secure method of using certs.

If the certificate is imported into the browser as a trusted certificate you don't get the warning, that's the point.

The invalid warnings are for when the certificate has been sent over an untrusted connection and you have no assurance that the certificate is the correct one for the site. In this case, flashing a huge warning in the user's face is absolutely the right thing to do since at the moment, all legitimate online shops have a certificate verified by a third party.

Huge warning Yes; Incorrectly-worded warning that passes judgment on the cert before the user even wonders if it can be verified... NO.

The old behavior used a big warning without condemning the cert. Unfortunately it gave the used an option to just accept the cert and make a connect without even viewing it.

The correct change to make IMO would be to remove the "Continue" button and instead force the user to import the cert before continuing with a connection. Then the certs would be handled more like SSH keys; an attacker would have to maintain constant MITM from the user's first login in order to fool them - very unlikely.

More than that, the browser could show th SHA1 finger print in any/all cert warnings. This would encourage banks, merchants, etc. to start printing their fingerprints along with their URL on bank statements, invoices or other correspondence, facilitating a strong out-of-band verification.

The trusted third party solution we have currently is the most convenient since it's all automatic and transparent to the user. What we're recently finding is that some of these trusted third parties are not turstworthy.

I agree. But the transparency is bad in this case because the responsibility can only ever be in the user's hands; the web would have to become rigidly authoritarian otherwise. People need to be able to handle keys responsibly in the digital world as they do in the physical one. PC systems should make certs and keys more tangible to end-users, letting them grab, move, examine, collect and most importantly recognize them in a heartbeat. It should be possible to designate a flash card expressly for storing certs/keys and passwords to be carried around in one's wallet, purse or keychain.

Re:Reality check for Mozilla

[Feyr]

ingdirect's picture+phrase actually lowers your security through information disclosure. a hacker can phish for valid accounts by just trying random numbers and recording which one has a picture

i actually moved my banking elsewhere when they installed that, and did the same with my main checking account.

Re:Reality check for Mozilla

[jonadab]

> Trusted CAs aren't the epitome of web safety. In fact, they are LESS safe than one of those
> "Invalid" (to use Mozilla's ill-chosen words) self-signed certificates under some circumstances.

If you have a secure channel to verify that the self-signed cert is correct, you can add it to your approved list and treat it as valid. Actually the ideal way to do things like internal self-signed certs for an intranet site is to set up your own private CA (preferably on a physically-secured, non-networked system), add it to the trusted list in the clients, and use it to sign the server certs.

And yes, the second choice would be to do an out-of-band verification (as you describe) of each cert before accepting it.

But in the real world this is all a WHOLE lot more trouble than most ordinary end-users are willing to go to in order to verify the cert for each and every public https site they are visiting.

So we have trusted CAs, because the other options are A) forget about https entirely and do everything with http, B) give the user a stupid pointless annoying "accept this cert" button to mindlessly click on (no they will NOT actually read the message before clicking the Accept button), or C) just trust all certs no matter what. These options are all considerably worse than trusting the certificate authorities.

Of course, those are the options for what the browsers can do by *default*. If you are a knowledgeable user with concerns about security, you can always remove the CA certs from your trusted list and inspect every cert manually. It's a lot of trouble, but good security isn't always convenient.

There's also the small matter of the extensive overuse of https. It seems almost every site that lets you log in wants to protect the login with https, even the login doesn't protect anything more important than your preferences for some of the site's features and maybe an "about me" blurb that other users of the site can see by clicking on your name. Every webmaster wants to feel that his site is so uber-important that it would be a disaster if somebody's login got compromised, but with a few exceptions (e.g., banks) this is mostly just arrogance. I suppose an argument could be made that users tend to use the same username/password pair for many services, and one of the *other* services the user uses with the same login credentials could actually matter. But on the whole I think this is outweighed by the fact that having tens of billions of https sites on the internet fundamentally makes the PKI vastly more difficult to oversee and protect. IMO, using https on sites where the user's account fundamentally will never ever matter (e.g., slashdot) is silly, unnecessary, and collectively (if a lot of sites do it) bad for the security of the whole internet.

Re:Reality check for Mozilla

More than that, the browser could show th SHA1 finger print in any/all cert warnings. This would encourage banks, merchants, etc. to start printing their fingerprints along with their URL on bank statements, invoices or other correspondence, facilitating a strong out-of-band verification.

Or just print half of the fingerprint, and make the user type in the other half. (Or just a byte.) That would force out-of-band verification.

Re:Reality check for Mozilla

[mvdwege]

About Firefox new certificate warnings:

The old behavior used a big warning without condemning the cert. Unfortunately it gave the used an option to just accept the cert and make a connect without even viewing it.

Nice of you to say so. Then you go and show that you actually don't use FF3, or that you are just as oblivious as the users who clicked away the old warning:

The correct change to make IMO would be to remove the "Continue" button and instead force the user to import the cert before continuing with a connection.

This is exactly what FF3 does. Which you should have known if you had read the text of the warning and the dialog boxes following.

And where do you see user condemnation in FF3's prompts?

Mart

Re:Reality check for Mozilla

it's "out of band", not "out of bank". (see rogue/rouge ...).

Spelling counts!

and really. trusting phone or mail is kinda amusing.

I did a survey of bank sites recently and a large number of them use http for basic operations (e.g. listing phone numbers). Do you want to lookup the phone number on line via the bank's insecure web site, then call the number and verify it? :). -- hint, if you do this, you're vulnerable.

How about a letter from your bank that came in the mail? Well.... if you're dealing w/ criminals willing to commit mail fraud, they could easily send you (or hand deliver) a bogus letter with their cert details.

That leaves the in person case. Just be sure you don't end up walking into a fake bank (I haven't seen these, but there are cases of fake ATMs, and if you used an insecure source to look up their address ...)

Re:its only the CA's that use MD5 so the question

[Tony+Hoyle]

Any CA that still uses MD5 should be removed from the list of trusted CAs in all browsers, with immediate effect.

Maybe a Firefox config setting

[McNihil]

Wouldn't setting security.ssl3.rsa_rc4_128_md5 to false prohibit these kind of attacks?

Re:Maybe a Firefox config setting

[kasperd]

Wouldn't setting security.ssl3.rsa_rc4_128_md5 to false prohibit these kind of attacks?

Interesting question. From the name it does sound like this option would do. But frankly I don't know how I would verify it. The article doesn't link to any proof of concept site. I wonder why they didn't setup an https server with a certificate signed by their rogue certificate. (They could have done so for a server they already control, so no mitm attack would be involved).

Re:Maybe a Firefox config setting

[u38cg]

They delibarately created their root certificate with an expiry date of 2004, in case it leaked. So there was no point creating a proof-of-concept as it wouldn't work anyway.

Re:Maybe a Firefox config setting

[kasperd]

They delibarately created their root certificate with an expiry date of 2004, in case it leaked. So there was no point creating a proof-of-concept as it wouldn't work anyway.

You'd of course have to set the clock on your machine back to the time where the certificate was valid if you wanted to see the proof of concept. It wouldn't mean you could access the site directly with any normal browser, but at least you'd be able to see it if you really wanted to, and you could test any countermeasures against it. Come to think of it, they could also just publish such a signed certificate along with the secret key. An expired leaf certificate for an uninteresting domain is not useful for any phishing or mitm attacks anyway.

Re:Maybe a Firefox config setting

[julesh]

Wouldn't setting security.ssl3.rsa_rc4_128_md5 to false prohibit these kind of attacks?

I don't think so, no. First of all, I'd guess that that setting only applies to SSL3; the attacker could simply choose to use SSL2 instead. Secondly, I believe that this applies only to the MAC blocks that are used within the SSL protocol for validating the origin of data blocks; the certificates would be verified using an entirely separate code path that I do not believe honours the cipher options for the connections.

Look at it this way: you could *also* disable all the cipher options that use SHA. If that affected certificates, almost nothing would work.

Re:Maybe a Firefox config setting

[ArsenneLupin]

You'd of course have to set the clock on your machine back to the time where the certificate was valid if you wanted to see the proof of concept.

Many browsers display the reason(s) why a certificate is rejected. So, in this case, it would say "Expired certificate and invalid CA in chain of trust"

Re:Maybe a Firefox config setting

[ArsenneLupin]

But frankly I don't know how I would verify it.

Well, it should barf on any site signed by RapidSSL, even legitimate ones. Does anybody have an example of a site signed by RapidSSL?

Another way to test it would be would to set up your own CA using openssl, import it into your browser, then create an MD5-signed sub CA certificate for it, and finally use the sub CA to make a certificate for your website. But does anybody know how to convince openssl to use MD5 rather than SHA-1 for signing certificates?

Re:Maybe a Firefox config setting

[kasperd]

Well, it should barf on any site signed by RapidSSL, even legitimate ones. Does anybody have an example of a site signed by RapidSSL?

You can't really be sure that it treats intermediate CA certificates the same way it treats leaf certificates unless you actually verified it.

Another way to test it would be would to set up your own CA using openssl, import it into your browser, then create an MD5-signed sub CA certificate for it, and finally use the sub CA to make a certificate for your website. But does anybody know how to convince openssl to use MD5 rather than SHA-1 for signing certificates?

I probably should try that, it would also give a slightly better feeling for how the signing process works in practice. But right now it would be nice to be able to verify this setting without going through the steps of setting up the entire chain.

Re:Maybe a Firefox config setting

[kasperd]

So, in this case, it would say "Expired certificate and invalid CA in chain of trust"

It wouldn't in the scenario I described. If you set the clock back the browser wouldn't consider the certificate to have expired. And to the browser the CA looks perfectly valid. Are you thinking about a different setup from the one I described?

Re:Maybe a Firefox config setting

[ArsenneLupin]

Not sure what you are going on about, I just tried to helpfully point out that many browsers actually do supply the reason(s) why a certificate was rejected in their popup message, even if there are multiple reasons. That way, you don't need to mess with the clock, because the browser will tell you whether the fact that the certificate was expired was the only reason why it was rejected, or whether there were other reasons as well.

We once had a case where a server had a certificate with 3 problems at once: expired, self-signed and mismatched hostname. Browsers pointed out all 3 problems together.

Re:Maybe a Firefox config setting

[kasperd]

Wouldn't setting security.ssl3.rsa_rc4_128_md5 to false prohibit these kind of attacks?

After reading about it on lwn.net, I learned that this setting does not protect you against this particular problem (but setting it to false doesn't hurt). I also learned that the certificate for lwn.net is signed using md5, so if the setting worked you would get a warning or error when trying to access lwn.net with https. If you want to try it out yourself here are two sites with md5 based certificates lwn.net and ssl247.com. It's just the leaves that are signed using md5, if the attack was used it would moste likely be an intermediate CA that was signed using md5. I tested this in both firefox and seamonkey, neither gave any warning.

Rouge students and some more insight

[owlstead]

Strange bunch of hackers. Don't expect some rouge students here, one is Arjen Lenstra, which is a well known figure in the security scene.

Very interesting to see that not only do they issue certificates using MD5 signatures (a very stupid thing to do) but they haven't even bothered to make sure that only leaf certificates can be issued. Or there are probably other CA certificates already issued under these root CA's, making matters even worse.

The article was very well written and thus easy to read. I'm only concerned about the recommendation of the authors to do nothing if you've been issued an MD5 certificate yourself. Doing nothing does not seem to be a very good advice. I would myself go to another shop and get a SHA-1 signed certificate (or even a SHA-2 signed certificate for those not concerned with low level browsers). At least your customers will know that there is no man in the middle due to the MD5 issue, and you show that you care for your clients' security.

Hopefully SHA-1 will hold up a bit longer, because last time I looked (a year ago or somewhere in that order), there were zero (0!) certificates that were self signed using SHA-2, which is not a good indication of the current state at all.

Gosh, that's the second CA I've disabled within Firefox just this week. Interesting times.

Re:Rouge students and some more insight

[Simon+(S2)]

I'm only concerned about the recommendation of the authors to do nothing if you've been issued an MD5 certificate yourself. Doing nothing does not seem to be a very good advice. I would myself go to another shop and get a SHA-1 signed certificate (or even a SHA-2 signed certificate for those not concerned with low level browsers). At least your customers will know that there is no man in the middle due to the MD5 issue, and you show that you care for your clients' security.

You can't really do anything about it. A man in the middle attack will always be possible. They generated a CA certificate, and with that cert they can sign self generated certs for every host they want, and the client browser will trust it. You, as a site owner, can't do anything about it. The attacker can spoof the dns response for www.bank.com, redirect the client to his own box with his own web server and valid certificate for www.bank.com and get all data the client sends him. As I sad, www.bank.com is not able to prevent anything in this case, even if they avoid the use of CAs that make use of MD5 for their certs.

Re:Rouge students and some more insight

[owlstead]

I don't think banks will be using MD5 at this point in time. RapidSSL does not seem to be a name for a CA that issues to banking sites (I could be wrong here, but I doubt it). At least the client (or an updated browser) will be able to check the certificate chain to see that it does not have the MD5 vulnerability if the chain doesn't have MD5 in it, if the certificate has been updated to hold a SHA-1 signature.

You only need one client that sees a problem with a site for the site to be taken down or put in the malware list used by modern (non-embedded?) browsers. So this might be a solution for some cases.

Re:Rouge students and some more insight

[Simon+(S2)]

I don't think banks will be using MD5 at this point in time.

That is not important. CAs that use MD5 for their cert signing are already in the browsers list of trusted CAs. It is not important what CA the banks use for their own certs for this attack to work.

Re:Rouge students and some more insight

[gclef]

I would myself go to another shop and get a SHA-1 signed certificate (or even a SHA-2 signed certificate for those not concerned with low level browsers). At least your customers will know that there is no man in the middle due to the MD5 issue.

Unfortunately, no, they won't. An MD-5 signed intermediate cert can quite happily issue certs signed with SHA-1. (They did just this as part of their testing.) There's no requirement for the signing chain to be signed with the same algorithm.

The fact that your end certificate is SHA-1 signed really doesn't mean anything to the end user. If your cert is MD-5 signed, all that could possibly mean is that your CA at one time did something stupid. Whether it is still doing that stupid thing (or already did that stupid thing for an attacker) is something that the end user has no way of knowing...the end user really is basically screwed here.

Re:Rouge students and some more insight

[owlstead]

That is not important. CAs that use MD5 for their cert signing are already in the browsers list of trusted CAs. It is not important what CA the banks use for their own certs for this attack to work.

Of course, of course, this is true for the *current* browsers. Even then, it is possible for people to check the certificate chain manually. I do this regularly myself (I've got a separate browser instance - Firefox with a different profile - with just the right certificates in there for security means).

In future browsers I would like to see a warning when:
- MD5 or other insecure algorithms may have to be used (in the future other algorithms such as SHA-1, RSA-1024 or even TDES may be at risk)
- a site I've visited before (suddenly) changes certificates
- a CA certificate has been compromised or misused (same as with the current protection against fishing sites)

For now, sites should already go for SHA-1, if only to show to the user that *they* are not the problem. The user can then check the chain to see if there is any MD5. Of course, most users won't do this, but only a single one has to be attacked to find out something is wrong.

Out-phasing the MD5 root certificates (or at least those still signing certificate requests with MD5) should be the next logical step.

Re:Rouge students and some more insight

[owlstead]

If the administrator of a web site goes to a CA and request a SHA-1 certificate, if possible within a chain that only contains SHA-1 signatures, then the user of the site can be certain that this attack has not been taken place. Of course, the user or the browser still has to check that MD-5 has not been used (possibly outside of the self signed root certificate, where it is rather harmless).

Hoping this description fares better than the previous one.

Re:Rouge students and some more insight

[jesboat]

but they haven't even bothered to make sure that only leaf certificates can be issued.

Nope; the CA only signed a what you call a leaf certificate, but the constraint which determines whether a key can is a branch ("CA = true") or leaf ("CA = false") was part of the cert that they were able to change. See the last paragraph of section 5.1

Re:Rouge students and some more insight

[owlstead]

You, sir, are of course correct.

Free virus with a new account!

[oneiros27]

I can see this going the way of the digital picture frames.

Re:its only the CA's that use MD5 so the question

[peacefinder]

Ouch.

red certificates?

[speculatrix]

what's a rouge certificate - why does the colour matter? ah, I see, maybe the OP mean a rogue certificate!

Re:its only the CA's that use MD5 so the question

It's not quite as bad as it sounds. Their attack relies on guessing the certificate serial number and date correctly, which is easy with the CA they chose: RapidSSL uses a completely automatic workflow, issues certificates exactly 6 seconds after the signing request and uses sequential serial numbers. If the CA randomizes the signing date and serial numbers, they can prevent this attack. If this CA does that, and they've promised they will do this and/or switch to SHA-1 ASAP, then this hole is patched, for now. If at least one other CA exists which uses MD5 for signing certificates AND uses sequential serial numbers AND has predictable timing, then that CA is indeed an avenue to attack.

They have to guess these parameters because it's a collision attack: They can not create a new document with the same MD5 hash value as a given document (an existing certificate in this case). They can only create two documents with the same MD5 hash value, if they can add some arbitrary (random looking) bytes to both documents. They use the public key in the legitimate certificate to hide this "garbage". Consequentially the legitimate certificate is non-functional because the key in the certificate isn't an actual public key to which they know they private key. When the CA signs their legitimate certificate, with the right serial number and at the right time, it signs a document which is crafted to have the same MD5 as the other certificate. All other data can be chosen directly by the attacker and just has to conform to the formal specification of a certificate signing request (and look unsuspicious, hence hiding the garbage in the key). The other document (certificate) also has to be a formally valid certificate and can use arbitrary serial numbers and dates, as long as the garbage is hidden in a field that is ignored by the browser (Netscape comment field in their example).

Ok, KD5 must go

[marcosdumay]

To the hell with backward compatibility. Browsers should already have stoped accepting MD5 signatures by 2004. It was broken by that time, the fact that there was no known exploit did not make it any less bad. By that time people aready used alternatives and tought it would be broken soon, so why did CAs wait?

I hope that, now, the main browsers stop accepting it, and with all that noise about the way Firefox handles certificates, I hope it moves soon. Too bad we have IE6 that probably won't receive any kind of update.

Trusted Certificates in XP vs Vista

[kerubi]

Good conclusions. You write that RapidSSL and FreeSSL should be pulled from IE and Netscape.

Interesting point about this is, that there is only approx 30 Trusted CA:s in Windows Vista. Compared to how many in XP? 80-100 or so?

Seems that some have already been pulled?

Re:its only the CA's that use MD5 so the question

[SpaceLifeForm]

And that is what was done.

Link

A powerful digital certificate that can be used to forge the identity of any website on the internet is in the hands of in international band of security researchers, thanks to a sophisticated attack on the ailing MD5 hash algorithm, a slip-up by Verisign, and about 200 PlayStation 3s.

"We can impersonate Amazon.com and you won't notice," says David Molnar, a computer science PhD candidate at UC Berkeley. "The padlock will be there and everything will look like it's a perfectly ordinary certificate."

Re:its only the CA's that use MD5 so the question

[AVee]

They use the public key in the legitimate certificate to hide this "garbage". Consequentially the legitimate certificate is non-functional because the key in the certificate isn't an actual public key to which they know they private key.

So there is another check which would prevent this attack. The CA should verify the public key passed on to them, it would be a lot harder to create a request which would cause a collision. It seems to make sense to check in some way that the public key you are signing does indeed match a private key owned by the entity you are signing it for.

Re:its only the CA's that use MD5 so the question

Yes, there are lots of band-aids you can put over this vulnerability, but it would certainly be easier to just switch to a better hash algorithm. The important bit is that not all MD5-using CAs are automatically vulnerable to this attack, although this should really serve as their wake-up call. The complete predictability of the signed data (due to predictable timing and sequential serial numbers) is what makes this attack possible.

Re:You know what I hate?

[cbiltcliffe]

You're on /. and you've actually seen panties?

Stop making shit up.....

collision attacks are easy to identify

[conspirator57]

note that the collision attack requires a bit of junk in the cert to make the hash be the same as for the original... this means the junk will not look like the rest of the cert. the rest of the cert is formatted and the collision noise will look mostly random. a simple test for unexpected randomness in the cert data (including Netscape comments) would reveal this sort of mischief. it just takes a bit of code on the browser to look for it. shouldn't even degrade browsing performance too much.

Re:collision attacks are easy to identify

[makomk]

note that the collision attack requires a bit of junk in the cert to make the hash be the same as for the original... this means the junk will not look like the rest of the cert. the rest of the cert is formatted and the collision noise will look mostly random. a simple test for unexpected randomness in the cert data (including Netscape comments) would reveal this sort of mischief. it just takes a bit of code on the browser to look for it. shouldn't even degrade browsing performance too much.

For this attack, yes, but there may be other similar attacks which don't create this junk.

Re:collision attacks are easy to identify

The "junk" is embedded in the public key and not detectable by inspecting the certificate.

Re:collision attacks are easy to identify

[makomk]

The "junk" is embedded in the public key and not detectable by inspecting the certificate.

This is only true for the original, genuine certificate that the CA signs. In the malicious CA certificate, there is indeed junk embedded in a Netscape comment field that shouldn't be there.

The reason the junk isn't hidden in the public key is that, in order to mark the cert as a CA cert, they have to change a flag after the public key. Their method requires the certificates to be identical after the junk, so they have to do some clever tricks with alignment of the certificates.

Re:You know what I hate?

I solve this problem by not wearing underwear.

Re:its only the CA's that use MD5 so the question

[SanityInAnarchy]

Thus rendering large portions of the SSL-enabled Web inaccessible, or at least having them throw up certificate warnings.

There really isn't a good solution here, given how poorly trained most users are, and how difficult it is to actually push updates to them.

MD5? And bigger problem?

[BigGerman]

I dont see any MD5 (only) signed CA certs in my Firefox. DO you?

On the other hand (and I think it is more serious). why there are so many CA certs installed by default? Why do I (apperently) trust anything signed by TURKTRUST ELECTRONIK? ;-)

You're missing the point.

The problem is that you only need to be able to spoof ONE "trusted" CA to be able to forge SSL certs for any site on the net, regardless of where that site's "real" SSL cert was issued. It doesn't matter WHICH CA you actually use.

In this exploit, the attackers managed to obtain an "intermediate CA" certificate--this is a certificate used to sign other certificates on the CA's behalf. This means they could issue a certificate for ANY site, and it would look to all browsers like it was issued by the trusted company. Yes, this is possible--read the article.

Let's say Citibank has a real SSL cert is issued by Verisign, who doesn't use MD5. Now let's say I'm a black hat who's somehow phished traffic headed to Citibank (e.g. by a DNS poisoning, clever spam, etc.). I can issue an SSL cert to my phishing site that's "signed" by a trusted CA (I think they spoofed RapidSSL) that claims to be issued to Citibank.

The browser has no idea that Citibank's SSL cert "should" be issued by VeriSign. It sees an SSL cert that's "properly" signed by a trusted CA, and greenlights the page. No warnings about untrusted CA's, no self-signed certificates, no nothing.

Once you can spoof a Trusted CA, whose root certificate comes distributed with your favorite browser by default, you have the keys to the kingdom.

Re:its only the CA's that use MD5 so the question

[Mashiki]

While I agree it's not a good solution and until the problem is fixed there isn't going to be one. Some people are just too stupid to learn, others are too lazy and the rest don't care until it affects them, and that leaves everyone else to fix the problem or make sure that you break their fingers for them so they don't get their bank/cc/*insert various money exchange* information stolen.

And you can bet there will be hell to pay the first time it happens and people will scream bloody murder because it will be anyones fault but theirs for not learning in the first place.

A practical suggestion

Mail the support e-mail of your favorite browser demanding they drop Trusted CA status for any of the CA's still issuing MD5 signed certificates until they stop issuing them. There's a list of the problem CA's in TFA and elsewhere here. There's simply no reason to allow this kind of security hole to keep existing.

Mod parent up

Constraining the content allowed in certificate files should improve the robustness of certificate files.

This approach is notable in that it requires updating SSL implementations to be more stringent -- but it generally shouldn't require changes in the x509 data. Some considerations:

• New certificates can be backward compatible with unpatched SSL implementations.
• Most old certificates can be forward compatible with patched SSL implementations. The problem cases will come from esoteric "Extensions".
• Unpatched SSL implementations remain vulnerable.
• A huge range of SSL implementations can be patched by vendors' automatic update mechanisms.
• Each vendor can set its own timeline for deploying a patch.
• This type of patch would not be peculiar to MD5 -- it should mitigate the damage caused by weaknesses in current and future hash algorithms.

IANAPC,BIRACBBS!

Re:You know what I hate?

Probably wears 'em.

Not to mention...

[argent]

Not to mention that many governments would not need to break the root CA.

They could just "ask" the CA to write them as many certificates as they like. Given what the Bush Administration's already got away with, there's no reason to assume any CA is really secure in any country.

With SSH, a certificate/key change would at least be flagged as suspicious, but would a browser even so much as raise an alert as long as the new certificate is properly signed and all that?

Indeed. I've been boggled by the byzantine labyrinth of certificate authorities when for most situations the mechanism used by SSH is better.

Opera browser can revoke root certs itself

If needed, Opera 9.50 and newer versions can automatically disable rogue root certificates.

http://my.opera.com/yngve/blog/2008/04/08/new-in-kestrel-faster-root-certificate-updates

Obligatory Futurama

This machine will translate any language that ever has existed, unfortunately it will only translate them into an incomprehensible dead language.

Ce que vous pensez est des moutons merde.... c'est vraiment Tasty Wheat.

Crazy Gibberish!!

Re:Obligatory Futurama

[ta+bu+shi+da+yu]

Oh, I don't know. "What you think is sheep shit .... it's really Tasty Wheat" seems about right to me.

Insult to injury

[GeekDork]

To add the two, I got an inline ad to this in this thread. (Konqueror helpfully offered to open it in KWrite.)

not a one-time pad

[SethJohnson]

My bank at least also uses a one-time pad system, namely a numbered list of 100 pre-generated codes.

Just to let you know, that's not a one-time pad. Unless you can only perform 100 logins with that pad. "If a one-time pad is used just twice, simple mathematical operations can reduce it to a running key cipher."

Re:not a one-time pad

Unless you can only perform 100 logins with that pad. That is the key phrase. Of course you can perform only 100 logins (transactions) in fact, as each number can be used only once.
The reason it is still not very safe is that people can be (and are) lured into providing the numbers on the pad to phishers.

Re:not a one-time pad

[jonbryce]

For payroll transfers submitted by fax, most British banks use a one time pad to verify the fax is legit.

You get a sheet of 12 passwords, in the form of labels that you peel off and stick on the transfer form. When you have used up the sheet, you get a new one with a different set of 12 passwords on it.

Re:not a one-time pad

[KDR_11k]

The TANs are used per transaction, not per login. Not sure they're OTPs though, might be a bit short for that and the bank doesn't know which one of your 100 codes you'll enter next so using them as OTPs wouldn't work. Wikipedia sounds like the point is to give you a physical object (the TAN list) that you must possess in addition to the password that you memorize to get two factor authentification.

Oxymoron

[John+Hasler]

> These certificates are at the basis of truth on secure websites.

"Secure Website" is an oxymoron.

Research Rainbow tables..

[Junta]

It's not a magical MD5 sum cracker, it's just a way of having an index of pre-computed strings that checksum to various values.

The only ubiquitous usage that is vulnerable to this attack is Microsoft SAM database. Many one-off applications similarly implement unsalted hashes. Unices salt passwords and are therefore not inclined to suffer. It doesn't matter the hashing algorithm in use, they are not particularly differently susceptible to this sort of attack. Note also that cracking the hashes in the SAM database is not even required, as NTLM has the client provide the pre-computed hash instead of password. It's really an extra-braindead architecture.

how to check your certs

[Morty]

# the below are bash functions for checking cert files
#   and web servers cert signature algorithms.
# note: they are non-recursive, i.e. you see the algorithm
#   used to sign the cert, not the algorithm that was used
#   to sign the cert that signed the cert.

# morty: call like openssl_cert_signature_algorithm CERT_FILE
openssl_cert_signature_algorithm(){
  local file
  local algorithms status
  for file in "$@"; do
    algorithms=$(
      openssl x509 -in "$file" -text -noout |
      grep -i "Signature Algorithm"|
      sed 's,^ *Signature Algorithm: *,,'|
      sort -u)
    case "$algorithms" in
      *md5*) status=BAD;;
      *sha1*|*sha2*) status=GOOD;;
      *) status=unknown;;
    esac
    echo "file: $file status: $status algorithms: $algorithms"
  done
}

The following can be used to test a server:

# morty: call like: openssl_server_md5_signature www.google.com:443 www.amazon.com:443
openssl_server_md5_signature(){
  local server
  local algorithms status
  for server in "$@"; do
    algorithms=$(
      openssl s_client -connect "$server" </dev/null 2>/dev/null | \
      openssl x509 -in /dev/fd/0 -text -noout |
      grep -i "Signature Algorithm"|
      sed 's,^ *Signature Algorithm: *,,'|
      sort -u)
    case "$algorithms" in
      *md5*) status=BAD;;
      *sha1*|*sha2*) status=GOOD;;
      *) status=unknown;;
    esac
    echo "server: $server status: $status algorithms: $algorithms"
  done
}

Re:how to check your certs

[julesh]

Not that there's any actual point in checking your own certificates. The weakness in MD5 doesn't allow them to generate a certificate that matches yours with their own signature, it only allows them to generate their own certificate with whatever data they want. Basically: the algorithm used by your cert is irrelevant.

I wouldn't panic (yet) if you're still using an MD5-signed certificate. Generating collisions with MD5 (so far) requires you to generate both halves of the collision. As long as you produced your own cert, that isn't a problem for you.

This attack, OTOH, is a problem for _everyone_.

Re:how to check your certs

[Morty]

I suspect that many people will react to this problem by either disabling support for the affected CAs or by disabling support for MD5 certs. In either case, people who have innocent MD5 certs will be collateral damage. So best to get off MD5 certs now.

Re:how to check your certs

[julesh]

The number of people who would know how to do this is vanishingly small. At a guess the fallout will be that over the next month or so all the relevant CAs will fix their procedures and the problem will go away.

Re:its only the CA's that use MD5 so the question

[kasperd]

Any CA that still uses MD5 should be removed from the list of trusted CAs in all browsers, with immediate effect.

Why? It would be much better to just remove the MD5 support from the browser.

Re:its only the CA's that use MD5 so the question

[kasperd]

So there is another check which would prevent this attack. The CA should verify the public key passed on to them, it would be a lot harder to create a request which would cause a collision.

According to the article, the CA does verify it. Only the first part of the modulus is random garbage created by the collision algorithm. Once they have a collision, they can choose the rest of the certificate, so they choose the remaining part of the modulus in a way that together with the random garbage make up a valid RSA modulus.

Re:its only the CA's that use MD5 so the question

[PAjamian]

If I understand the CCC's paper correctly, as long as *even one* of the CA certs trusted by the browser uses MD5,

Not quite, but close. It doesn't matter what the CA's cert uses, what matters is the encryption the CA uses to sign *your* cert. The difference here is that everyone need not have to get their browser updated with new root certs to avoid this problem. All that needs to happen is that CA's need to stop signing certs with md5.

Re:Enough about Kaminsky, seriously.

[rtfa-troll]

Kaminski is an internet Meme. Complaining that a security story mentions him is like complaining that Cmdr Taco isn't related to sex godesses (who would you most like to have home for a beer? Jolie / Johansson / Pressly / Bundchen / Aston / Casta / Cmdr Taco). You just seem like a total pervy loser.

CCC

These people are the only ones that keep amazing me for well over a decade.

Hats off to them, they made me go "WTF?" list twice today, a list that kaminsky _barely_ made it into a couple of months ago.

Re:You know what I hate?

[julesh]

You're on /. and you've actually seen panties?

Stop making shit up.....

Psssst. I know this great lingerie shop that's got racks and racks of the things, all out on display... do you wanna know the address?

Who's responsible for the mis-uses?

[ug93tad]

OK, let me try if I can restate the problem first, then I'll give the question:

So:
1. You want the CA to *sign* a rouge certificate by having it fooled into signing a legitimate, hash-colluded one.
2. In order to do that, you must carefully choose the legit certificate and ask the CA to sign, while using the rouge ones for bad things.

Now clearly when asking the CA to sign, you ought to agree with some of the legal stuff from the CA. The problem I see lies in this scenarios:
(a) You use the bad certificate to do bad things that affect me.
(b) I somehow trace it back to the problem of the certificate being rouge/malicious, etc. I further backtrack the CA tree and found the one that sign your legit certificate.
(c) I file a law suit, and the CA that signed your cert will then know that its misused signature is for you. Then you'll get into troubles.

SO YOU'RE SHOOTING YOURSELF IN THE FOOT.

You can say that's the way it is, since one of your millions enemies may have framed you. Well, I think it's in many order of magnitude more difficult finding a hash-collisioned certificate to a random legit one. So I don't think so.

Re:its only the CA's that use MD5 so the question

This isn't precisely accurate. As long as a CA trusted by the browser issues MD5 and the browser accepts the MD5 signature.

It is possible for a browser to trust a CA and choose to ignore MD5 signatures (there are patches to do this).

However, we're talking about a large number of installed Certificates which would overnight become invalid (one browser update at a time).