[cap-talk] FW: x.509 -- MD5 considered harmful today

David Wagner daw at cs.berkeley.edu
Thu Jan 1 03:16:24 CST 2009


Toby Murray writes:
>The real upshot of this is that phasing out crypto algorithms is hard;
>but crypto algorithms are broken overnight, often without warning. This
>creates an obvious dilemma. 

Not really.  In this case cryptographers have been urging folks to migrate
away from MD5 for four years.  The responsible CAs did so.  Then there was
RapidSSL (Verisign), which sat on its butt for four years and did nothing.
Arjen Lenstra and his collaborators in particular, and other researchers,
have been warning about the dangers of relying upon MD5 for the past
several years, finding repeated improvements upon the basic attack and
increasingly serious implications of the known attacks on MD5.  But so
far only cryptographers seemed to be paying attention.

As far as I can tell it should be pretty easy for CAs to migrate away
from MD5.  The problem is not that it's hard; rather, it looks to me
like the problem is that RapidSSL/Verisign was negligent and careless.
It's also interesting to ask why the audit process established for CAs
did not detect or recognize the risks associated with the use of MD5
for this purpose.

>Another point to take home is that the entire HTTPS / PKI infrastructure
>is only as strong as the weakest Certificate Authority. Coupled with the
>inability to easily phase-out old algorithms, this indicates that there
>will always exist a weakest link in this chain. 

Yes, that's right.  Everyone who has ever pulled up the list of all
"trusted" CAs listed in your browser, put your hand up.  Now, if you
had heard of all of those CAs and really do trust them, keep your
hand up; otherwise, put it down.  I don't expect there to be many
people with their hands left raised after such a thought experiment.

>The only real assumption to make here is, given how easily (in relative
>terms) they pulled this off, that someone else with bigger pockets and a
>stronger incentive to do so must have already done it.

I doubt it, at least, I doubt that this attack has been used in the
wild before on a large scale.  I suspect we might know, if it had been
widely used.  In addition, the attack required some technical
improvements to the previously best-known attacks on MD5, and some
computation, so this was not something that just anyone could do --
there are easier attacks.
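Added here as an illustration, not part of the thread: the check a CA audit (or a browser vendor reviewing its trust list) could run to catch what the message describes, namely certificates still signed with MD5. It walks a DER-encoded certificate with a small stdlib-only ASN.1 reader, decodes the outer signatureAlgorithm OID and flags md5WithRSAEncryption; the two sample certificates are constructed skeletons (not valid certificates) and `read_tlv`, `fake_cert` and the other names are this example's own.

```python
import base64

MD5_WITH_RSA = "1.2.840.113549.1.1.4"   # md5WithRSAEncryption (RFC 3279)

def read_tlv(buf, pos):
    """Parse the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(data):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID from the outer signatureAlgorithm field of a DER Certificate."""
    _, seq_start, _ = read_tlv(cert_der, 0)                  # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, seq_start)            # tbsCertificate, skipped whole
    _, alg_start, _ = read_tlv(cert_der, tbs_end)            # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OID inside AlgorithmIdentifier")
    return decode_oid(cert_der[oid_start:oid_end])

def is_md5_signed(cert_der):
    return signature_algorithm(cert_der) == MD5_WITH_RSA

def pem_to_der(pem_text):                   # first certificate body of a PEM block
    body = [l for l in pem_text.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))

# Constructed sample data: a structural skeleton only, NOT a valid certificate.
def der(tag, body):                         # short-form lengths suffice for the skeleton
    return bytes([tag, len(body)]) + body

def fake_cert(oid_bytes):
    tbs = der(0x30, der(0x02, b"\x01"))                          # tbsCertificate: dummy serial
    alg = der(0x30, der(0x06, oid_bytes) + der(0x05, b""))       # AlgorithmIdentifier {OID, NULL}
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))         # plus a dummy signature BIT STRING

MD5_CERT = fake_cert(bytes.fromhex("2a864886f70d010104"))       # md5WithRSAEncryption
SHA256_CERT = fake_cert(bytes.fromhex("2a864886f70d01010b"))    # sha256WithRSAEncryption
```

On a real certificate, pass the output of `pem_to_der()` to `is_md5_signed()`; RFC 5280 requires the outer signatureAlgorithm to match the one inside tbsCertificate, so checking the outer field is sufficient.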