Major Break in MD5 Signed X.509 Certificates

Jacob Appelbaum and Alexander Sotirov just gave a presentation at the Chaos Communications Congress in Germany. They have implemented a practical MD5 collision attack on X.509 certificates. All major browsers accept MD5 signatures on certs even though MD5 has been shown to be vulnerable to collision attacks for almost 2 years now. If you can generate your own X.509 certificates, you can perform perfect MITM attacks on SSL. They went one better and generated an intermediate certificate authority certificate so they could sign their own certificates. This way they only need to do the attack once and can create as many valid certificates as they want.

Six certificate authorities are still using MD5 signing: RapidSSL, FreeSSL, TrustCenter, RSA Data Security, Thawte and verisign.co.jp. They are not going to be happy about this new attack. The researchers decided to target RapidSSL because the way RapidSSL issues certificates let them better predict some of the certificate fields (serial number and time). They were able to perform the required computations with 200 PlayStation 3s over 1 to 2 days. It's estimated to be the equivalent of 8000 Intel cores or $20,000 on Amazon EC2.
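A check a defender can run against certificate chains today, added here as an example and not part of the original post or the researchers' work: walk a certificate's DER encoding, pull out the outer signatureAlgorithm OID, and flag MD5- or MD2-based signatures. The OID table is standard PKCS#1 values; the skeleton certificates built at the bottom are constructed for the demonstration and are not real CA output.

```python
# Added example (not from the post or the researchers): flag X.509 certificates
# whose signatureAlgorithm is MD5- or MD2-based by walking the DER directly.

MD_BASED_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return the dotted OID from Certificate.signatureAlgorithm (RFC 5280, 4.1)."""
    tag, cert, _ = read_tlv(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = read_tlv(cert)            # tbsCertificate: skipped here
    _, alg, _ = read_tlv(cert, pos)          # signatureAlgorithm: AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg)              # its first element is the algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid)

def uses_md_hash(cert_der):
    """True when the signature hash is MD2/MD5, i.e. collision attacks apply."""
    return signature_algorithm(cert_der) in MD_BASED_OIDS

def tlv(tag, content):
    """Short-form DER encoder (content under 128 bytes), used only to build samples."""
    return bytes([tag, len(content)]) + content

def sample_cert(alg_oid):
    """Constructed skeleton: stub tbsCertificate, real AlgorithmIdentifier, stub signature."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, alg_oid) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\x00"))

MD5_RSA = bytes.fromhex("2a864886f70d010104")      # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

Feed the DER bytes of each certificate in a chain to `uses_md_hash` to find the links that still rely on MD5.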

They ask the question, “Can we trust anything signed with a cert issued by a CA that signed with MD5 signatures in the last couple of years?” The affected CAs have been notified and are going to switch to SHA-1. The researchers also ask, “Why did it take an implemented attack to get the CAs to switch to SHA-1?” After all, the attack has been known for almost 2 years now. We used the slogan “Making the theoretical practical since 1992” at L0pht Heavy Industries to highlight the need to implement attacks to get some organizations to improve their security. It is a bit sad to see that in 2008, demonstration is still necessary.

The researchers were worried about repercussions from CAs that might want to gag them. They had Mozilla and Microsoft sign NDAs stating that they wouldn’t tell the CAs about the problem until the presentation had been given. They think researchers should consider NDAs with vendors for protection.

They purposely dated the cert to expire on 9/1/2004, so you need to back-date your machine’s clock for it to validate properly.

Full details: http://www.phreedom.org/research/rogue-ca/


Chris Eng | December 30, 2008 11:20 am

I ranted about this on Twitter a bit, but I’ll write more here since I have more than 140 characters to work with.

It’s frustrating that people still haven’t made the switch from MD5 to stronger hashes, even though the first cracks in MD5 came nearly 5 years ago, in 2004, with the Wang/Yu attack. That should have been enough warning. The gradual nature of cryptographic attacks is like a gift to enterprises — you get several years head start to fix all your bad code before the full-blown attack is discovered.

I remember going through and revising all of our @stake deliverable templates at the time, removing any mention of MD5 from our best practices and recommendations boilerplate text. In fact, I remember discussing with a customer that an attack had been discovered against MD5 earlier that week, and while there wasn’t immediate practical risk, they needed to start thinking about how to eradicate MD5 from their applications going forward.

For CAs not to have acted on this earlier is a travesty. It’s one thing to be using MD5 in your custom web application, where you only hurt yourself if it’s compromised. It’s another thing entirely for an organization whose business is TRUST not to be taking all possible measures to be trustworthy.
