Security by asking the drunk whether he's drunk

Jerry Leichter leichter at lrw.com
Tue Dec 30 22:19:39 EST 2008


On Dec 30, 2008, at 4:21 PM, Sidney Markowitz wrote:

> Sidney Markowitz wrote, On 31/12/08 10:08 AM:
>> or that CA root certs that use MD5 for their hash are
>> still in use and have now been cracked?
>
> I should remember -- morning coffee first, then post.
>
> The CA root certs themselves have not been cracked -- It is the digital
> signatures created by some CAs who still use MD5 to sign the certs that
> they issue that have been hacked: The known weakness in MD5 allows one
> to create two certs with the same MD5 hash, one that is legitimate to
> get signed by the CA, and another one for rogue use that can be given
> the same signature.

Robert Graham writes in Errata Security
(http://erratasec.blogspot.com/2008/12/not-all-md5-certs-are-vulnerable.html)
that the attack depends on being able to predict the serial number
field that will be assigned to a legitimate certificate by the CA.
Only a few CA's use predictable "serial numbers" - the field is
actually arbitrary text and need only be certainly unique among all
certificates issued by a given CA.

Of course, we've seen in the past that having too much freedom to  
insert "known to be random" (hence uncheckable) stuff into a signed  
piece of text can itself be hazardous in other ways.

So:  The current attack is only effective against a very small number  
of CA's which both use MD5 *and* have predictable sequence numbers.   
So the sky isn't falling - though given how hard it is to "decertify"  
a CA (given that the "known good" CA's are known to literally billions  
of pieces of software, and that hardly anyone checks CRL's - and are  
there even CRL's for CA's?) this is certainly not a good situation.

This also doesn't mean that, now that the door has been opened, other  
attacks won't follow.  In fact, it's hard to imagine that this is the  
end of the story....
                                                         -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
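The two conditions Jerry names (an MD5-based signature algorithm and a predictable serial number) can both be read straight out of a certificate's DER, so here is a check from the defender's side. This is an added example, not code from the post or its author: a minimal DER walker that extracts the serial number and the signature algorithm OID from an X.509 certificate, flags md5WithRSAEncryption, and reports how large the serial is (a sequential counter stays tiny, a CSPRNG-filled serial does not). The certificates it inspects are constructed skeletons containing only the fields the check reads and no real signature; `build_toy_cert`, `inspect_certificate` and `unpredictable_serial` are names chosen here, not part of any library.

```python
"""Added example: inspect X.509 DER for MD5 signature OIDs and weak serials.
The certificates built below are constructed toys, not real CA output."""
import os

# PKCS#1 signature algorithm OIDs (RFC 3279 / RFC 4055)
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
SHA256_RSA = "1.2.840.113549.1.1.11"


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Turn OID content octets into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def inspect_certificate(der):
    """Report signature OID, MD5 use, and serial number size for a DER cert."""
    tag, cert, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    assert tag == 0x30
    tag, tbs, pos = read_tlv(cert, 0)                # tbsCertificate
    assert tag == 0x30
    _, outer_alg, _ = read_tlv(cert, pos)            # signatureAlgorithm
    _, outer_oid, _ = read_tlv(outer_alg, 0)

    tag, body, p = read_tlv(tbs, 0)                  # optional [0] EXPLICIT version
    if tag == 0xA0:
        tag, body, p = read_tlv(tbs, p)
    assert tag == 0x02                               # serialNumber INTEGER
    serial = int.from_bytes(body, "big", signed=True)
    _, inner_alg, _ = read_tlv(tbs, p)               # tbs.signature AlgorithmIdentifier
    _, inner_oid, _ = read_tlv(inner_alg, 0)

    oid = decode_oid(outer_oid)
    return {
        "sig_oid": oid,
        "uses_md5": oid in MD5_SIG_OIDS,
        # RFC 5280 requires the inner and outer algorithm to match
        "alg_mismatch": decode_oid(inner_oid) != oid,
        "serial": serial,
        # a sequential counter stays small; a CSPRNG-filled serial is 64+ bits
        "serial_bits": serial.bit_length(),
    }


# --- tiny DER encoder, only used to construct the toy certificates ---------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        lb = bytes([n])
    else:
        lbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lb = bytes([0x80 | len(lbytes)]) + lbytes
    return bytes([tag]) + lb + body


def der_int(v):
    nbytes = (v.bit_length() + 8) // 8              # always leaves room for the sign bit
    return der(0x02, v.to_bytes(nbytes, "big", signed=True))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, out)


def build_toy_cert(serial, sig_oid):
    """Constructed skeleton: version, serial and algorithm only; no real signature."""
    alg = der(0x30, der_oid(sig_oid) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + alg)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))  # placeholder BIT STRING


def unpredictable_serial():
    """20 random octets with the top bit cleared: positive, within RFC 5280's 20-octet limit."""
    raw = bytearray(os.urandom(20))
    raw[0] &= 0x7F
    return int.from_bytes(raw, "big")


if __name__ == "__main__":
    print("weak  :", inspect_certificate(build_toy_cert(4711, "1.2.840.113549.1.1.4")))
    print("strong:", inspect_certificate(build_toy_cert(unpredictable_serial(), SHA256_RSA)))
```

Run against real certificates by passing the DER bytes of each chain element to `inspect_certificate`; the `serial_bits` field is a crude signal only, since a CA can pad a sequential counter to look wide, but a serial that fits in a handful of bits is exactly the predictable case the thread describes.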
