Security by asking the drunk whether he's drunk
Jerry Leichter
leichter at lrw.com
Tue Dec 30 22:19:39 EST 2008
On Dec 30, 2008, at 4:21 PM, Sidney Markowitz wrote:
> Sidney Markowitz wrote, On 31/12/08 10:08 AM:
>> or that CA root certs that use MD5 for their hash are
>> still in use and have now been cracked?
>
> I should remember -- morning coffee first, then post.
>
> The CA root certs themselves have not been cracked -- It is the digital
> signatures created by some CAs who still use MD5 to sign the certs that
> they issue that have been hacked: The known weakness in MD5 allows one
> to create two certs with the same MD5 hash, one that is legitimate to
> get signed by the CA, and another one for rogue use that can be given
> the same signature.
Robert Graham writes in Errata Security
(http://erratasec.blogspot.com/2008/12/not-all-md5-certs-are-vulnerable.html)
that the attack depends on being able to predict the serial number
field that will be assigned to a legitimate certificate by the CA.
Only a few CAs use predictable "serial numbers" - the field is
actually arbitrary text and need only be certainly unique among all
certificates issued by a given CA.
Of course, we've seen in the past that having too much freedom to
insert "known to be random" (hence uncheckable) stuff into a signed
piece of text can itself be hazardous in other ways.
So: The current attack is only effective against a very small number
of CAs which both use MD5 *and* have predictable sequence numbers.
So the sky isn't falling - though given how hard it is to "decertify"
a CA (given that the "known good" CAs are known to literally billions
of pieces of software, and that hardly anyone checks CRLs - and are
there even CRLs for CAs?) this is certainly not a good situation.
This also doesn't mean that, now that the door has been opened, other
attacks won't follow. In fact, it's hard to imagine that this is the
end of the story....
-- Jerry
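An added check, my own example rather than anything from the thread or from Errata Security, that reads the two fields the discussion turns on straight out of a certificate's DER encoding: the signature algorithm OID (is it md5WithRSAEncryption?) and the serial number (is it small enough to look sequential rather than random?). The certificate fragments it runs on are constructed inline and stop after the AlgorithmIdentifier; the 64-bit "looks random" threshold is an assumption, not a standard.

```python
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, pos):  # -> (tag, value, next_pos); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):  # DER OBJECT IDENTIFIER value -> dotted string
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cert_fields(der):
    """Return (serialNumber, signature OID) from the start of a DER Certificate."""
    _, cert, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)             # tbsCertificate SEQUENCE
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0           # optional [0] EXPLICIT version
    tag, serial, pos = read_tlv(tbs, pos)     # serialNumber INTEGER
    assert tag == 0x02, "expected INTEGER serialNumber"
    _, algid, _ = read_tlv(tbs, pos)          # signature AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(algid, 0)            # its algorithm OID
    return int.from_bytes(serial, "big", signed=True), decode_oid(oid)

def assess(der, min_random_bits=64):
    """Flag both ingredients of the attack: an MD5 signature and a small, sequential-looking serial."""
    serial, oid = cert_fields(der)
    findings = []
    if oid in MD5_SIG_OIDS:
        findings.append("signed with " + MD5_SIG_OIDS[oid])
    if serial.bit_length() < min_random_bits:   # assumed threshold for "looks random"
        findings.append(f"serial fits in {serial.bit_length()} bits: looks sequential, not random")
    return findings

def tlv(tag, value):  # short-form DER element (constructed samples stay under 128 bytes)
    return bytes([tag, len(value)]) + value
def make_fragment(serial_bytes, oid_der):
    """Constructed input: Certificate/tbsCertificate prefix up to the AlgorithmIdentifier only."""
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial_bytes)
    tbs += tlv(0x30, tlv(0x06, oid_der) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tbs))

MD5_RSA = bytes.fromhex("2a864886f70d010104")      # md5WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption
PREDICTABLE_MD5 = make_fragment(b"\x2a", MD5_RSA)                          # serial 42, constructed
RANDOM_SHA256 = make_fragment(b"\x5f" + bytes(range(1, 20)), SHA256_RSA)   # 20-byte serial, constructed
```

On a real certificate, feed the DER bytes (the base64 body of a PEM file, decoded) to `assess()`; a cert that trips only the MD5 finding is the case the post describes as not directly exploitable by the current attack but still undesirable.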
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com