[Top] [All Lists]

Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

2008-12-30 15:20:00

At Tue, 30 Dec 2008 13:33:46 -0500,
Jeffrey Hutzelman wrote:

--On Tuesday, December 30, 2008 11:05:28 AM -0500 Russ Housley 
<housley(_at_)vigilsec(_dot_)com> wrote:

MD5 considered harmful today
Creating a rogue CA certificate

December 30, 2008

Alexander Sotirov, Marc Stevens,
Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de

We have identified a vulnerability in the Internet Public Key
Infrastructure (PKI) used to issue digital certificates for secure
websites. As a proof of concept we executed a practical attack scenario
and successfully created a rogue Certification Authority (CA) certificate
trusted by all common web browsers. This certificate allows us to
impersonate any website on the Internet, including banking and e-commerce
sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic hash
function that allows the construction of different messages with the same
MD5 hash. This is known as an MD5 "collision". Previous work on MD5
collisions between 2004 and 2007 showed that the use of this hash
function in digital signatures can lead to theoretical attack scenarios.
Our current work proves that at least one attack scenario can be
exploited in practice, thus exposing the security infrastructure of the
web to realistic threats.

This is a practical application of an approach that I remember being 
brought up during discussions about MD5 at a saag meeting some time ago.  I 
also recall someone mentioning at the time that many/most CA's were already 
issuing certificates with random rather than sequential serial numbers, 
which would have thwarted this particular attack.

Yep. Would that they all were.

FWIW, here is my writeup of this issue, targeted towards a broader