
cacert - Re: [CA cert] SSL Broken?

  • From: Bernhard Froehlich <ted AT convey.de>
  • To: A better approach to security <cacert AT lists.cacert.org>
  • Subject: Re: [CA cert] SSL Broken?
  • Date: Mon, 05 Jan 2009 10:05:53 +0100

Christophe Meessen wrote:
Christoph A. wrote:
Jan Pieter Cornet wrote:
It's rather hard for end-users to detect
these certificates (if not impossible)

SSL Blacklist now detects and warns about certificate chains that use
the MD5 algorithm for RSA signatures.

http://www.codefromthe70s.org/sslblacklist.asp

If I understood correctly, the problem is the generation of forged certificates with the same MD5 as a genuine certificate by exploiting MD5 collisions. Setting the CA flag in this forged certificate allows signing other certificates on behalf of the rootCA.

So every certificate signed by its CA with the MD5 hash (or MD2 !!) is suspect.

It should be enough to get rid of the rootCA using MD5, MD2 or worse to secure oneself because the chain of certification will be cut at the root. Any certificate deriving from those will be flagged as unverifiable. Looking at the rootCA certificate details, there is a field telling the hash algorithm used for signing. So it should be easy to recognize the ones using an insecure hash.

Is that assumption valid?
This is how I see it:

If MD5 is cracked so that collisions can be constructed then you can take the signature from any certificate issued by a CA using MD5, create the certificate you'd like to have (for example a SubCA-certificate), add an obscure Extension so the MD5 hash becomes equal to the one of the real certificate and add the signature of the real certificate.

So a signature made by using MD5 is worth nothing anymore, which makes non-root-certificates signed by using MD5 worthless. Root certificates are not affected because a self-signature is not worth anything anyway. Root certificates gain their value solely from the fact that they are in your trust list.

N.B.: Once you have created a forged SubCA-certificate you can issue arbitrary certificates which are accepted by applications that accept the original CA cert. Of course those generated certificates would use a good hash function, since from then on there's nothing to hide anymore.

Conclusion: If you want to verify a certificate in the light of MD5 weakness you'll have to check the certificate chain for non-root certificates using MD5 for signatures. If you find one, the cert is worthless.

Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
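Ted's conclusion, turned into a concrete chain check, as an added example that is not code from the list thread or from SSL Blacklist: it walks a DER-encoded chain from leaf to root, reads the outer signatureAlgorithm OID of each certificate with a minimal hand-written DER reader (no X.509 library needed), and flags every non-root certificate signed with md5WithRSAEncryption or md2WithRSAEncryption. The chain ordering (leaf first, trust-anchor root last) and the stand-in "certificates", whose tbsCertificate is just a label, are constructed assumptions for the example; the algorithm OIDs are the standard PKCS #1 values.

```python
"""Flag non-root certificates in a chain whose signature uses MD2 or MD5.

Added example, not code from the CAcert thread or SSL Blacklist. The DER
reader below handles only what the check needs (SEQUENCE, OID, lengths up
to 65535). The sample chain is constructed; the OIDs are real PKCS #1 values.
"""

# PKCS #1 signature algorithm OIDs (real values).
OID_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_HASH_ALGS = {"md2WithRSAEncryption", "md5WithRSAEncryption"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER Certificate:
    SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(body, 0)          # skip tbsCertificate
    tag, alg_body, _ = _read_tlv(body, pos)    # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid_bytes, _ = _read_tlv(alg_body, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid_bytes)


def weak_signatures_in_chain(chain_der):
    """chain_der: leaf first, trust-anchor root last (assumed ordering).
    Returns [(index, algorithm name)] for non-root certs signed with MD2/MD5.
    The root is skipped on purpose: its self-signature carries no trust,
    its presence in the trust list does."""
    findings = []
    for idx, cert in enumerate(chain_der[:-1]):
        name = OID_NAMES.get(signature_algorithm(cert), signature_algorithm(cert))
        if name in WEAK_HASH_ALGS:
            findings.append((idx, name))
    return findings


# --- constructed sample data (not real certificates) -------------------------

def _der(tag, content):
    """Encode one DER TLV (lengths up to 65535)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(alg_oid, label):
    """Stand-in certificate: tbsCertificate holds only a label, so only the
    signatureAlgorithm field is meaningful for this check."""
    tbs = _der(0x30, _der(0x13, label.encode()))                     # PrintableString
    alg = _der(0x30, _der(0x06, _encode_oid(alg_oid)) + _der(0x05, b""))  # OID + NULL
    sig = _der(0x03, b"\x00" * 17)                                     # BIT STRING stub
    return _der(0x30, tbs + alg + sig)


SAMPLE_CHAIN = [
    fake_cert("1.2.840.113549.1.1.11", "leaf: www.example.test"),  # sha256, fine
    fake_cert("1.2.840.113549.1.1.4", "intermediate CA"),          # md5: flagged
    fake_cert("1.2.840.113549.1.1.4", "root CA in trust list"),    # md5 root: ignored
]

if __name__ == "__main__":
    for idx, name in weak_signatures_in_chain(SAMPLE_CHAIN):
        print(f"certificate {idx} is signed with {name}: do not trust this chain")
```

The root being MD5-signed is deliberately not a finding, matching Ted's point that a self-signature carries no trust; a real deployment would identify the root by matching it against the trust store rather than by its position in the list.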



