[cap-talk] FW: x.509 -- MD5 considered harmful today
Bill Frantz
frantz at pwpconsult.com
Wed Dec 31 17:21:14 EST 2008
toby.murray at comlab.ox.ac.uk (Toby Murray) on Wednesday, December 31, 2008 wrote:
>On Wed, 2008-12-31 at 02:16 +0000, Karp, Alan H wrote:
>> Something else to worry about.
>>
>> > Subject: x.509 -- MD5 considered harmful today
>> >
>> > Although nobody should be using MD5 to sign anything of value anymore,
>> > this work on attacking chained certs is certainly interesting.
>> >
>> > http://www.win.tue.nl/hashclash/rogue-ca/
>
>
>The real upshot of this is that phasing out crypto algorithms is hard;
>but crypto algorithms are broken overnight, often without warning. This
>creates an obvious dilemma.
Yes, but the warnings about MD5 have been clear for a number of years. RSA
Inc. says it has been planning to stop using MD5 by the end of January
2009, and it is RapidSSL, a CA run by RSA Inc., which was used to
demonstrate the attack.
In addition, this specific attack requires being able to predict the exact
time the CA issues a certificate, and the serial number it will use. Using
random serial numbers gives a high degree of protection against this
specific attack.
>Another point to take home is that the entire HTTPS / PKI infrastructure
>is only as strong as the weakest Certificate Authority. Coupled with the
>inability to easily phase-out old algorithms, this indicates that there
>will always exist a weakest link in this chain.
Indeed, any chain has a weakest link. The question is, "Is that link strong
enough to hold the load?"
One interesting tidbit is that the new CA certificates used for the new
"high security" site certificates are not loaded into Mac Firefox or
Safari. This situation results in the catch-22 that sites using these new
certificates cause scary dialogs to pop up.
>The only real assumption to make here is, given how easily (in relative
>terms) they pulled this off, that someone else with bigger pockets and a
>stronger incentive to do so must have already done it.
In this particular case, it is not clear that someone else must have
already done it. This attack is making use of techniques for finding MD5
collisions which have not yet been published. Unless other attackers have
independently discovered these techniques, their finding of the collisions
would be much more computationally expensive.
Indeed, it may well be that these techniques, or other equally effective
ones, were independently discovered by mathematically sophisticated
attackers who do not publish their results, but the need for independent
discovery reduces the number of entities who could perform the attack.
In addition, there are some other new techniques of interest to improve the
ability to validate public keys. This mail to the Cryptography list
references the Perspectives project <http://www.cs.cmu.edu/~perspectives/>
at CMU:
pgut001 at cs.auckland.ac.nz (Peter Gutmann) on Monday, December 29, 2008 wrote:
David Molnar <dmolnar at eecs.berkeley.edu> writes:
>Service from a group at CMU that uses semi-trusted "notary" servers to
>periodically probe a web site to see which public key it uses. The notaries
>provide the list of keys used to you, so you can attempt to detect things
>like a site that has a different key for you than previously shown to all of
>the notaries. The idea is that to fool the system, the adversary has to
>compromise all links between the target site and the notaries all the time.
I think this is missing the real contribution of Perspectives, which (like
almost any security paper) has to include a certain quota of crypto
rube-goldbergism in order to satisfy conference reviewers. The real value isn't the
multi-path verification and crypto signing facilities and whatnot but simply
the fact that you now have something to deal with leap-of-faith
authentication, whether it's for self-generated SSH or SSL keys or for rent-a-
CA certificates. Currently none of these provide any real assurance since a
phisher can create one on the fly as and when required. What Perspectives
does is guarantee (or at least provide some level of confidence) that a given
key has been in use for a set amount of time rather than being a here-this-
morning, gone-in-the-afternoon affair like most phishing sites are. In other
words a phisher would have to maintain their site for a week, a month, a year,
of continuous operation, not just set it up an hour after the phishing email
goes out and take it down again a few hours later.
For this function just a single source is sufficient, thus my suggestion of
Google incorporating it into their existing web crawling. You can add the
crypto rube goldberg extras as required, but a basic "this site has been in
operation at the same location with the same key for the past eight months" is
a powerful bar to standard phishing approaches, it's exactly what you get in
the bricks-and-mortar world, "Serving the industry since 1962" goes a lot
further than "Serving the industry since just before lunchtime".
Peter.
---------------------------------------------------------------------
Cheers - Bill
---------------------------------------------------------------------------
Bill Frantz |"After all, if the conventional wisdom was working, the
408-356-8506 | rate of systems being compromised would be going down,
www.periwinkle.com | wouldn't it?" -- Marcus Ranum
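The key-continuity idea described in the forwarded message (notaries periodically record which key a host presents, and a client compares the key it is offered against that history) can be illustrated with a small checker. The code below is an added example for this archive page, not code from the Perspectives project or from anyone on the thread; the notary names, fingerprints, observation histories and the 30-day `min_age` policy threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Observation:
    """One notary probe: when it happened and which key the host presented."""
    seen_at: datetime
    fingerprint: str   # fingerprint of the observed public key (constructed values below)


def continuous_use_span(history, fingerprint, now):
    """How long `fingerprint` has been the only key this notary has seen for the
    host, counted from the start of the newest unbroken run up to `now`.
    Returns zero if the notary's newest observation shows a different key."""
    ordered = sorted(history, key=lambda obs: obs.seen_at)
    if not ordered or ordered[-1].fingerprint != fingerprint:
        return timedelta(0)
    run_start = ordered[-1].seen_at
    for obs in reversed(ordered):          # walk back while the key is unchanged
        if obs.fingerprint != fingerprint:
            break
        run_start = obs.seen_at
    return now - run_start


def assess_key(notaries, presented, now, min_age=timedelta(days=30)):
    """Combine the notaries' histories into a verdict on the key the client is
    being offered right now.  `min_age` is an assumed policy threshold.

      'unknown'      no notary has ever probed this host (pure leap of faith)
      'inconsistent' some notary currently sees a different key than the client
                     does: a recent rotation, or interception on the client's path
      'young'        every notary agrees, but the key is newer than min_age
                     (the set-up-this-morning phishing case)
      'established'  every notary agrees and the key has been in continuous use
    Returns (verdict, age), where age is the most conservative notary's span."""
    spans = {name: continuous_use_span(hist, presented, now)
             for name, hist in notaries.items() if hist}   # empty histories abstain
    if not spans:
        return "unknown", timedelta(0)
    age = min(spans.values())
    if age == timedelta(0):
        return "inconsistent", age
    return ("established" if age >= min_age else "young"), age


# --- constructed sample data (placeholder fingerprints, not real keys) ---------
NOW = datetime(2008, 12, 31, 12, 0)
SITE_KEY = "sha1:site-key-fingerprint"
ROGUE_KEY = "sha1:rogue-key-fingerprint"
PHISH_KEY = "sha1:phish-key-fingerprint"


def daily_observations(start, days, fingerprint):
    """A notary that probed the host once a day for `days` days from `start`."""
    return [Observation(start + timedelta(days=d), fingerprint) for d in range(days)]


# A long-running site: two notaries have watched the same key for months; the
# third has never probed this host and therefore abstains.
ESTABLISHED_SITE = {
    "notary-a": daily_observations(NOW - timedelta(days=240), 240, SITE_KEY),
    "notary-b": daily_observations(NOW - timedelta(days=200), 200, SITE_KEY),
    "notary-c": [],
}

# A site that every notary first saw three hours ago.
FRESH_SITE = {
    name: [Observation(NOW - timedelta(hours=3), PHISH_KEY)]
    for name in ("notary-a", "notary-b", "notary-c")
}


if __name__ == "__main__":
    print(assess_key(ESTABLISHED_SITE, SITE_KEY, NOW))   # ('established', datetime.timedelta(days=200))
    print(assess_key(ESTABLISHED_SITE, ROGUE_KEY, NOW))  # ('inconsistent', datetime.timedelta(0))
    print(assess_key(FRESH_SITE, PHISH_KEY, NOW))        # ('young', datetime.timedelta(seconds=10800))
    print(assess_key({}, SITE_KEY, NOW))                 # ('unknown', datetime.timedelta(0))
```

The verdict deliberately takes the shortest span across notaries rather than the longest, so a single notary that has only just started seeing a key is enough to keep the verdict at "young"; that conservative choice is what turns "this key has been in use for eight months" into a bar that a site stood up an hour before the phishing mail went out cannot clear.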