A better approach to security

[Bernhard Froehlich <ted AT convey.de>]

Alain Knaff schrieb:
> Bernhard Froehlich wrote:
>   
> > This is how I see it:
> >
> > If MD5 is cracked so that collistions can be constructed then you can
> > take the signature from any certificate issued by a CA using MD5, create
> >     
>                           ^^^
> Not _any_ certificate. It must be "specifically crafted". Current
> attacks against MD5 don't allow you to find a collision with a given
> hash, but only allows you to produce two sets of data that collide (the
> attacker choses two "prefixes", and the algorithm gives them appropriate
> padding so that they hash to the same MD5).
>
> So they made one CSR which looked normal (padding hidden in the modulus,
> which is supposed to be "random"), i.e. a non-CA CSR for a domain that
> they are entitled to. And another CSR which was a sub-CA, and had the
> padding hidden in a special non-standard field (couldn't use the modulus
> here, because the "this is a CA" flag comes _after_ the modulus in the
> data stream).
>
> Then they had RapidSSL sign their "normal" CSR, and applied the
> signature to the companion.
>
> So, it's not quite as bad as you think. Existing MD5 certificates can't
> be used to make fakes. In order to make a fake, you must con a CA into
> signing a CSR that you provide.
>
>   
> > the certificate you'd like to have (for example a SubCA-certificate),
> > add an obscure Extension so the MD5 hash becomes equal to the one of the
> > real certificate and add the signature of the real certificate.
> >     
>
> The extension was only used on the sub-CA certificate due to location of
> "this is a CA" flag. The normal certificate had no such extension, in
> order not to arouse suspicion.
>   
[...]

Thanks for setting this clear, I did not find this level of detail in my 
(superficial) search today.

Still we seem to agree that though the attack is harder, the conclusions 
do not change.


Philipp Guehring schrieb:
> [...]
> > create the certificate you'd like to have (for example a
> > SubCA-certificate), add an obscure Extension so the MD5 hash becomes
> > equal to the one of the real certificate and add the signature of the
> > real certificate.
> >     
> Not with existing certificates, only with new certificates.
>   
> > So a signature made by using MD5 is worth nothing anymore, which makes
> > non-root-certificates signed by using MD5 worthless.
> >     
> No. It only makes new MD5 signatures dangerous, old MD5 signatures are
> still safe at the moment. (Which possibly changes within the next 5 years)
>   

And how can I verify that a signature is "new" if I haven't seen it 
before? If it is possible to add the SubCA-Flag to a certificate I'd 
assume it would not be much harder to also change the ValidFrom date to 
a few years in the past...

> [...]
> No. It might be worthless, it might be worth something. The problem is
> that by only looking at the certificates, you can't know whether they
> are worthless or not. You would have to ask the CA, whether they
> actually issued that certificate, or not.
>   

That's my definition of a worthless certificate: it may be OK, but it 
may be not. Just like (Non-SSL-)http gives you the correct result in 
*almost* any case.
If I have to ask the CA for every cert if the whole content of the cert 
is correct (not only if it is revoked or so) what is the use of the 
certificate?

Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature