Subject: A better approach to security
- From: Alain Knaff <alain AT knaff.lu>
- To: A better approach to security <cacert AT lists.cacert.org>
- Subject: Re: [CA cert] SSL Broken?
- Date: Mon, 05 Jan 2009 10:21:28 +0100
Bernhard Froehlich wrote:
> This is how I see it:
>
> If MD5 is cracked so that collisions can be constructed then you can
> take the signature from any certificate issued by a CA using MD5, create
^^^
Not _any_ certificate. It must be "specifically crafted". Current
attacks against MD5 don't allow you to find a collision with a given
hash, but only allow you to produce two sets of data that collide (the
attacker chooses two "prefixes", and the algorithm gives them appropriate
padding so that they hash to the same MD5).
So they made one CSR which looked normal (padding hidden in the modulus,
which is supposed to be "random"), i.e. a non-CA CSR for a domain that
they are entitled to. And another CSR which was a sub-CA, and had the
padding hidden in a special non-standard field (couldn't use the modulus
here, because the "this is a CA" flag comes _after_ the modulus in the
data stream).
Then they had RapidSSL sign their "normal" CSR, and applied the
signature to the companion.
So, it's not quite as bad as you think. Existing MD5 certificates can't
be used to make fakes. In order to make a fake, you must con a CA into
signing a CSR that you provide.
> the certificate you'd like to have (for example a SubCA-certificate),
> add an obscure Extension so the MD5 hash becomes equal to the one of the
> real certificate and add the signature of the real certificate.
The extension was only used on the sub-CA certificate due to location of
"this is a CA" flag. The normal certificate had no such extension, in
order not to arouse suspicion.
> So a signature made by using MD5 is worth nothing anymore, which makes
> non-root-certificates signed by using MD5 worthless. Root certificates
> are not affected because a self signature is not worth anything anyway.
> Root certificates gain their value solely from the fact that they are in
> your trust list.
Exactly.
> N.B.: Once you have created a forged SubCA-certificate you can issue
> arbitrary certificates which are accepted by applications who accept the
> original CA cert. Of course those generated certificates would use a
> good hash function, since from then on there's nothing to hide anymore.
>
> Conclusion: If you want to verify a certificate in the light of MD5
> weakness you'll have to check the certificate chain for non-root
> certificates using MD5 for signatures. If you find one, the cert is
> worthless.
Exactly.
>
> Ted
> ;)
>
Alain
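The chain check Bernhard's conclusion asks for, as an added example that is not from this thread or from CAcert: it walks each DER-encoded certificate in a chain, reads the outer signatureAlgorithm OID, and flags every certificate that is not self-signed yet carries an md5WithRSAEncryption signature, leaving self-signed roots alone since their signature carries no value anyway. The minimal DER walker, `inspect_cert`, `weak_md5_links` and the constructed skeleton certificates are assumptions of this example, not code from any real CA or toolkit.

```python
# Added example (not part of the thread): walk a DER certificate chain and flag
# every non-self-signed member whose signature algorithm is md5WithRSAEncryption.
# The certificates used below are constructed skeletons, not real CA certificates.
MD5_WITH_RSA = bytes.fromhex("2a864886f70d010104")    # OID 1.2.840.113549.1.1.4
SHA1_WITH_RSA = bytes.fromhex("2a864886f70d010105")   # OID 1.2.840.113549.1.1.5

def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Immediate (tag, value) children of a constructed element's body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def inspect_cert(der):
    """Return (signature OID bytes, is_self_signed) for one DER-encoded certificate."""
    (_, tbs), (_, sig_alg), _ = _children(_read_tlv(der)[1])
    oid = _children(sig_alg)[0][1]             # AlgorithmIdentifier.algorithm
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                   # skip optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]
    return oid, issuer == subject              # self-signed heuristic: issuer == subject

def weak_md5_links(chain):
    """Indices of non-self-signed chain members signed with MD5; self-signed roots
    are skipped because their value comes from the trust list, not the hash."""
    return [i for i, der in enumerate(chain)
            if inspect_cert(der) == (MD5_WITH_RSA, False)]

def _tlv(tag, body):
    """DER-encode one element (short length form; fixture bodies stay under 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def make_skeleton_cert(issuer_cn, subject_cn, sig_oid):
    """Constructed minimal Certificate: real field order, dummy validity/key/signature."""
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn))))
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + b"\x05\x00")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name(issuer_cn) + _tlv(0x30, b"") + name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
```

Against a real chain, feed `weak_md5_links` the DER bytes of each certificate in order; the walker reads by field position, so it does not need the dummy fixtures.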