#1

As if the Comodo scandal wasn't bad enough, now a group at UC Berkeley have brute forced MD5 collisions to generate their own valid RapidSSL/Verisign CA certificate!

Researchers Use PlayStation Cluster to Forge a Web Skeleton Key
http://blog.wired.com/27bstroke6/2008/12/berlin.html

Regards,
nemo_outis
#2

"nemo_outis" <> wrote in news:Xns9B84C6CBC894Dpqwertyu@69.16.185.247:

> As if the Comodo scandal wasn't bad enough, now a group at UC Berkeley
> have brute forced MD5 collisions to generate their own valid
> RapidSSL/Verisign CA certificate!
>
> Researchers Use PlayStation Cluster to Forge a Web Skeleton Key
> http://blog.wired.com/27bstroke6/2008/12/berlin.html
>
> Regards,

More on the CA Certificate Scandal (with a completely erroneous headline!):

Web browser flaw could put e-commerce security at risk
http://news.cnet.com/8301-1009_3-101...dStoriesArea.1

Regards,
nemo_outis
#3

David H. Lipman wrote:
> From: "nemo_outis" <>
>
> | As if the Comodo scandal wasn't bad enough, now a group at UC Berkeley have
> | brute forced MD5 collisions to generate their own valid RapidSSL/Verisign CA
> | certificate!
>
> | Researchers Use PlayStation Cluster to Forge a Web Skeleton Key
> | http://blog.wired.com/27bstroke6/2008/12/berlin.html
>
> | Regards,
>
> US-CERT Current Activity
>
> Rogue MD5 SSL Certificate Vulnerability
>
> Original release date: December 30, 2008 at 5:05 pm
> Last revised: December 30, 2008 at 5:05 pm
>
> US-CERT is aware of a public report describing how MD5 collisions can be
> leveraged to generate rogue SSL CA certificates. A rogue CA certificate
> could be used by an attacker to generate valid SSL certificates for
> arbitrary web sites. Using these certificates in DNS redirection
> attacks, an attacker could spoof an SSL protected web site and obtain
> sensitive information.
>
> US-CERT will provide additional information as it becomes available.
>
> Relevant Url(s):
> <http://www.win.tue.nl/hashclash/rogue-ca/>
>
> ====
> This entry is available at
> http://www.us-cert.gov/current/index..._vulnerability

Hmm, this signature does not verify correctly. Does this verify correctly for others? (I'm using 0x3E1F88AB)

--
Tom
#4

nemo_outis wrote:
> More on the CA Certificate Scandal (with a completely erroneous headline!):
>
> Web browser flaw could put e-commerce security at risk
> http://news.cnet.com/8301-1009_3-101...dStoriesArea.1

So, in IE7, to check that I'm visiting a site that uses SHA1 for encoding the cert signature instead of the long-known vulnerable MD5 algorithm, I go to View -> Security Report, View Certificates, Details, and look at the signature algorithm used. I tried a few HTTPS sites to see what signature algorithm they used:

- Yahoo Mail & Gmail
- My ISP's webmail login
- My bank
- My online credit card account
- PayPal
- Fedex and UPS
- My public library login
- Newegg.com
- Northwest and Sun Country airlines
- Expedia, Orbitz, & Travelocity

They ALL use SHA1 encoding. So who still uses MD5 encoding? RSA has been recommending migration from MD5 to SHA1 since 1996 (www.rsa.com/rsalabs/node.asp?id=273 commonly used to validate a download file but then you aren't validating the source of the file, just its contents. I don't recall when I last saw MD5 used in SSL cert signatures. However, since Verisign said, according to the above article, that it was previously phasing them out and then took measures to completely get rid of them after this announcement, there must've still been some old certs out there that were still active (i.e., prepaid for many years) and still used MD5.

VanguardLH
#5

VanguardLH wrote:
> So who still uses MD5 encoding?

From the report[0]:

> There were six CAs that had issued certificates signed with MD5 in
> 2008:
> - RapidSSL
> - FreeSSL
> - TC TrustCenter AG
> - RSA Data Security
> - Thawte
> - verisign.co.jp

The attack just required a CA to issue a certificate (which the group of researchers had created to collide with another cert they had created, which acted as a CA) signed with MD5, to this group of researchers, who have details which they'll release in a month (this will give CAs time to change infrastructure such that they'll never give out an MD5 signed certificate). I /think/ that was the gist of it. I am not a cryptographer. Read the report for more details.

[0] http://www.win.tue.nl/hashclash/rogue-ca/#sec5

--
Tom
#6

Guy Macon wrote:
> Does anyone know off the top of their head whether it is possible
> to disable MD5-based certificates in FireFox?

I don't know if disabling MD5-based certificates would work. (It still might be considered a good thing to do, as a precautionary thing, since MD5 is flawed.) The problem was that exploiters could get a fake CA cert, with which they'd be able to sign (using SHA-1, for example) another cert, with which they could mount a man-in-the-middle attack on you.

    Root CA <-SHA1-> CA <-MD5-> Fake CA <-SHA1-> Fake paypal.com

(where a <-foo-> b indicates a signed b's certificate with hash foo)

I guess that would be a harder thing to disable. Possibility in Firefox? *shrug*

Disclaimer: I am not a cryptographer.

--
Tom
#7

Guy Macon wrote:
> Does anyone know off the top of their head whether it is possible
> to disable MD5-based certificates in FireFox?

Actually, this wasn't off the top of my head, but you might want to investigate what security.ssl3.rsa_rc4_128_md5 is. This is a variable in about:config.

--
Tom
#8

Guy Macon <http://www.GuyMacon.com/> writes:
> Does anyone know off the top of their head whether it is possible
> to disable MD5-based certificates in FireFox?

The Mozilla maintainers are working on a code update that disables md5-based certificates:

https://bugzilla.mozilla.org/show_bug.cgi?id=471539

I don't see a way for end-users to turn them off short of either modifying the code or disabling all certificates completely, since any of the CA's with roots in the browser could suddenly start issuing MD5-based certificates. But only a few CA's are actually in the practice of issuing such certificates right now, and you could turn off those CA's. This would break a bunch of subscriber certificates, but maybe you can live with that. It's unlikely that any other CA's are likely to start using MD5 if they're not already doing it.

Paul Rubin
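The manual check in #4 (look at the signature algorithm of the site's own cert) and the chain diagram in #6 come down to one question: is there an MD5 signature anywhere on the path from the leaf up to the trust anchor, not just on the leaf? The rogue CA in #6 signs the fake paypal.com cert with SHA-1; only the link above it is MD5. The checker below, added here as an example and not code from the thread, from Mozilla or from any CA, walks a chain and reports exactly that. It uses only the Python standard library: a minimal DER walker that pulls the outer signatureAlgorithm OID out of any DER certificate, plus a minimal DER encoder used to construct a toy chain inline. The constructed certificates have the real outer X.509 structure but placeholder bodies (names and algorithm identifiers only, no keys, no real signatures), and the chain order (leaf first, root last) is assumed rather than rebuilt from issuer/subject. The root's self-signature is deliberately not counted: an anchor is trusted because it is in the store, not because its self-signature verifies, so MD5 there alone lets nobody forge anything. For the record, the about:config pref named in #7 enables the cipher suite TLS_RSA_WITH_RC4_128_MD5, whose MD5 is the record-layer HMAC; it has nothing to do with the hash in certificate signatures.

```python
"""Flag MD5 signatures anywhere in an X.509 chain, not only on the leaf.
Added example for this thread (not from the posts, Mozilla or any CA); stdlib only.
Certificates are constructed below: real outer DER structure, placeholder bodies."""
OID_MD5_RSA = "1.2.840.113549.1.1.4"          # PKCS#1 signature-algorithm OIDs (real values)
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
SIG_NAMES = {OID_MD5_RSA: "md5WithRSAEncryption", OID_SHA1_RSA: "sha1WithRSAEncryption",
             OID_SHA256_RSA: "sha256WithRSAEncryption"}

# ---- minimal DER encoder, only what the constructed chain needs ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, continuation bit on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def toy_cert(subject, issuer, sig_oid):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    tbsCertificate is a constructed stand-in: inner AlgorithmIdentifier, issuer, subject."""
    alg_id = der_tlv(0x30, der_oid(sig_oid) + der_tlv(0x05, b""))   # OID + NULL parameters
    tbs = der_tlv(0x30, alg_id + der_tlv(0x0C, issuer.encode()) + der_tlv(0x0C, subject.encode()))
    sig = der_tlv(0x03, b"\x00" * 17)                                # BIT STRING, dummy value
    return der_tlv(0x30, tbs + alg_id + sig)

# ---- minimal DER walker; this part works on real DER certificates too ----
def der_read(buf, pos=0):
    """Return (tag, content, position after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def oid_decode(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm: the digest the issuer really signed with."""
    tag, cert, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tbs, sig_alg, _sig = der_children(cert)[:3]
    oid_tag, oid_body = der_children(sig_alg[1])[0]
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return oid_decode(oid_body)

def weak_signatures(chain, weak=frozenset({OID_MD5_RSA})):
    """chain is leaf first, trust anchor last. Returns [(index, algorithm)] for every cert
    below the root signed with an algorithm in `weak`. The root's self-signature is skipped
    on purpose: an anchor is trusted by being in the store, not by verifying itself."""
    findings = []
    for i, cert in enumerate(chain[:-1]):
        oid = signature_algorithm(cert)
        if oid in weak:
            findings.append((i, SIG_NAMES.get(oid, oid)))
    return findings

def example_chains():
    """Constructed chains. 'rogue' is post #6's diagram:
    Root CA <-SHA1-> CA <-MD5-> Fake CA <-SHA1-> Fake paypal.com"""
    root = toy_cert("Root CA", "Root CA", OID_SHA1_RSA)
    return {"rogue": [toy_cert("paypal.com", "Fake CA", OID_SHA1_RSA),
                      toy_cert("Fake CA", "CA", OID_MD5_RSA),
                      toy_cert("CA", "Root CA", OID_SHA1_RSA), root],
            "clean": [toy_cert("paypal.com", "CA", OID_SHA256_RSA),
                      toy_cert("CA", "Root CA", OID_SHA1_RSA), root],
            "md5_root_only": [toy_cert("paypal.com", "CA", OID_SHA1_RSA),
                              toy_cert("CA", "Old Root", OID_SHA1_RSA),
                              toy_cert("Old Root", "Old Root", OID_MD5_RSA)]}
```

Running `weak_signatures(example_chains()["rogue"])` reports the MD5 link at index 1 (the Fake CA cert issued by CA), while the leaf, which is what the IE7 dialog in #4 shows first, is SHA-1 and would pass a leaf-only check. Against a live server the same parser applies to real certificates: fetch the chain with `openssl s_client -connect host:443 -showcerts`, convert each PEM block with `openssl x509 -outform DER`, and feed the bytes to `signature_algorithm()`; `openssl x509 -noout -text` prints the same field as "Signature Algorithm". The `weak` parameter is there because the set is not fixed: SHA-1 signatures are deprecated today as well and belong in it.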
#9

VanguardLH wrote:
> So who still uses MD5 encoding?

Read the paper; it states that a number of CAs did/do use MD5. In particular, RapidSSL (Verisign) used MD5 up until the researchers discovered this attack, and changed away from MD5 only after the researchers discovered this attack. Of course there are many, many CAs, and most CAs (to their credit) did migrate away from MD5 long ago; but not all of them.

> However, since Verisign said,
> according to the above article, that it was previously phasing them out
> and then took measures to completely get rid of them after this
> announcement then there must've still been some old certs out there that
> were still active (i.e., prepaid for many years) and still used MD5.

I suspect you got fooled by Verisign's spin. I suspect a more accurate description might well go something like this: Cryptographers have been warning people to migrate away from MD5 for at least four years; RapidSSL / Verisign did nothing for that entire time. Then when Verisign learned of the researchers' latest results, which finally proved the risk in an absolutely undeniable way, they put in place an emergency program to move away from MD5, because they realized that otherwise they would look foolish. The researchers took steps to pass along the information to RapidSSL / Verisign before publication, via an intermediary, and Verisign used this advance warning to change their code to stop using MD5. Now Verisign is trying to claim credit for doing this and insinuating (without actually saying it) that they'd been planning to do this all along, regardless of the researchers' work, to try to take credit and deflect the blame onto others -- but in reality it's all just a cynical PR game to try to protect their brand, and they had no real plans to do anything until the researchers came along.

Note that this is speculation on my part, and I can't prove it's what really happened, but based on what I've seen so far I suspect it's the most likely explanation. If you go read Verisign's wording very carefully, and follow the incident closely, I think you'll see what I mean. Never underestimate the power of a large corporation's PR department in full damage-control mode.

David Wagner
#10

(David Wagner) writes:
> In particular, RapidSSL (Verisign) used MD5 up until

Are you sure that RapidSSL is part of Verisign? They at least started out as one of Verisign's bargain basement competitors, chained to the Geotrust root, and their "about" page also says Geotrust. Geotrust in turn was (iirc) a spin-off of Equifax, the big credit agency that got into the CA business by getting a chained CA root signed by Thawte. Thawte later was acquired by Verisign, leading to Mark Shuttleworth becoming the world's first private astronaut, but prior to that, Thawte was for a while Verisign's only competitor. I've always thought Verisign's acquisition was to stop Thawte from minting yet more competitors like they did with Equifax.

Paul Rubin