Security by asking the drunk whether he's drunk

Paul Hoffman paul.hoffman at vpnc.org
Thu Jan 1 16:37:56 EST 2009


At 10:19 PM -0500 12/30/08, Jerry Leichter wrote:
>Robert Graham writes in Errata Security (http://erratasec.blogspot.com/2008/12/not-all-md5-certs-are-vulnerable.html) that the attack depends on being able to predict the serial number field that will be assigned to a legitimate certificate by the CA.  

That part is true.

>Only a few CA's use predictable "serial numbers"

That part, I think, is wrong. I looked into this a bit earlier this month and found that most of the ones I looked at are still using sequential numbers.

>- the field is actually arbitrary text

If by "arbitrary text" you mean "a non-negative integer".

>and need only be certainly unique among all certificates issued by a given CA.

True as well.

>So:  The current attack is only effective against a very small number of CA's which both use MD5 *and* have predictable sequence numbers.  

The attack is on end users who trust a root store that has a trust anchor from *any single* CA that uses MD5 and has predictable sequence numbers. The attack lets the attacker become a subordinate CA for that CA. At that point, the attacker can issue their own certs for any purpose.

>So the sky isn't falling

It never does. That's why it is the sky.

>- though given how hard it is to "decertify" a CA (given that the "known good" CA's are known to literally billions of pieces of software, and that hardly anyone checks CRL's - and are there even CRL's for CA's?) this is certainly not a good situation.

There are not CRLs for CAs. That's why it is a root store.

Oh, and how do you create a definitive list of CAs that use MD5 in their signatures?

>This also doesn't mean that, now that the door has been opened, other attacks won't follow.  In fact, it's hard to imagine that this is the end of the story....

Quite right.

--Paul Hoffman, Director
--VPN Consortium
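The two properties argued over above (does the CA still sign with MD5, and are its serial numbers sequential) can both be read straight out of a handful of the CA's recently issued certificates. The script below is an added example, not code from Paul Hoffman or from the Errata Security post it replies to. It assumes you have already collected several DER certificates from one CA in issuance order; it walks only the leading fields of TBSCertificate (the optional [0] version, the serialNumber INTEGER and the signature AlgorithmIdentifier), names MD5 by its PKCS#1 OID 1.2.840.113549.1.1.4, and uses an assumed threshold (max_gap=16) for "predictable": every serial moves forward by at most a few. The sample certificates at the bottom are constructed, unsigned skeletons built by the tiny encoder in the same file, not real CA output.

```python
"""Added example: flag a CA that combines MD5 signatures with sequential
serial numbers, reading both facts out of its certificates' DER.
Standard library only; sample certificates are constructed below."""

MD5_SIG_OIDS = {"1.2.840.113549.1.1.4"}   # md5WithRSAEncryption (PKCS#1)


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for DER at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_cert(der):
    """Extract serialNumber and the TBSCertificate signature OID.
    Walks: [0] version (absent in v1 certs), serialNumber, signature."""
    tag, cert, _ = _read_tlv(der, 0)
    tag_tbs, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tag_tbs != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    tag, val, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # [0] EXPLICIT version present
        tag, val, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(val, "big", signed=True)   # DER INTEGER is two's complement
    _, alg, _ = _read_tlv(tbs, nxt)
    _, oid, _ = _read_tlv(alg, 0)
    return {"serial": serial, "sig_oid": _decode_oid(oid)}


def assess_ca(der_certs, max_gap=16):
    """Classify one CA from certs given in issuance order. max_gap is an
    assumed heuristic: serials that only ever step forward by a few are guessable."""
    parsed = [parse_cert(c) for c in der_certs]
    serials = [p["serial"] for p in parsed]
    gaps = [b - a for a, b in zip(serials, serials[1:])]
    predictable = len(gaps) >= 2 and all(0 < g <= max_gap for g in gaps)
    uses_md5 = any(p["sig_oid"] in MD5_SIG_OIDS for p in parsed)
    return {"uses_md5": uses_md5, "predictable_serials": predictable,
            "exposed": uses_md5 and predictable, "serials": serials}


# --- tiny DER encoder, used only to build the constructed sample certs ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(n):
    """Minimal DER INTEGER. A serialNumber is non-negative, so a leading 0x00
    is kept only when the top bit would otherwise make it read as negative."""
    if n < 0:
        raise ValueError("serialNumber is a non-negative INTEGER")
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    while len(body) > 1 and body[0] == 0 and body[1] < 0x80:
        body = body[1:]
    return _tlv(0x02, body)


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def make_cert(serial, sig_oid, v1=False):
    """Constructed, unsigned certificate skeleton: version, serial and
    signature algorithm are real; issuer/validity/subject/SPKI are empty."""
    alg = _tlv(0x30, _der_oid(sig_oid) + b"\x05\x00")
    version = b"" if v1 else _tlv(0xA0, _der_int(2))
    tbs = _tlv(0x30, version + _der_int(serial) + alg + _tlv(0x30, b"") * 4)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # Constructed data: a CA that signs with MD5 and numbers certs sequentially.
    seq_md5 = [make_cert(s, "1.2.840.113549.1.1.4") for s in (1001, 1002, 1003, 1005)]
    print(assess_ca(seq_md5))
```

On real certificates, order the inputs by notBefore before calling assess_ca (the parser above deliberately stops before the validity field), and compare the inner TBSCertificate signature OID with the outer signatureAlgorithm; RFC 5280 requires them to match, and a mismatch is itself worth a closer look. The serial-number gap test is a heuristic, not proof: a CA can use sequential serials and still be safe if it has stopped signing with MD5, and the attack described in the thread needs both properties at once.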

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com