On Dec 30, 2008, at 4:21 PM, Sidney Markowitz wrote:

> Sidney Markowitz wrote, On 31/12/08 10:08 AM:
>> or that CA root certs that use MD5 for their hash are
>> still in use and have now been cracked?
>
> I should remember -- morning coffee first, then post.

The CA root certs themselves have not been cracked -- it is the digital signatures created by some CAs who still use MD5 to sign the certs that they issue that have been hacked: the known weakness in MD5 allows one to create two certs with the same MD5 hash, one that is legitimate to get signed by the CA, and another one for rogue use that can be given the same signature.
Robert Graham writes in Errata Security (http://erratasec.blogspot.com/2008/12/not-all-md5-certs-are-vulnerable.html) that the attack depends on being able to predict the serial number field that will be assigned to a legitimate certificate by the CA. Only a few CAs use predictable "serial numbers" - the field is actually arbitrary text and need only be certainly unique among all certificates issued by a given CA.

Of course, we've seen in the past that having too much freedom to insert "known to be random" (hence uncheckable) stuff into a signed piece of text can itself be hazardous in other ways.

So: The current attack is only effective against a very small number of CAs which both use MD5 *and* have predictable sequence numbers. So the sky isn't falling - though given how hard it is to "decertify" a CA (given that the "known good" CAs are known to literally billions of pieces of software, and that hardly anyone checks CRLs - and are there even CRLs for CAs?) this is certainly not a good situation.

This also doesn't mean that, now that the door has been opened, other attacks won't follow. In fact, it's hard to imagine that this is the end of the story....
                                                        -- Jerry
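As an added worked example (not part of the thread, and not anyone's real attack code), here is a toy model of the mechanism Jerry describes and of the serial-number dependence Graham points to. A Merkle-Damgard hash with a deliberately tiny 32-bit chaining state stands in for MD5, so a pair of colliding blocks can be found by plain birthday search where the real attack needs MD5 cryptanalysis. The flattened "TBSCertificate" layout, the subject name, the suffix bytes and the small textbook-RSA key are all constructed for illustration. Two things it shows: once the two "public key" blocks collide, everything appended afterwards (and the padding) keeps the digests equal, so the CA's signature over the legitimate cert verifies over the rogue one; and because the colliding blocks are computed against the bytes the attacker expects to precede the key, a CA that assigns a serial other than the predicted one breaks the attack. The toy uses an identical prefix for both certs; the 2008 attack used a chosen-prefix collision so the two certs' leading fields could differ, which is more work but the same idea.

```python
"""Toy model of MD5 signature transfer between two colliding certificates.

Constructed for illustration only: the hash has a 32-bit state so collisions
are cheap, and the RSA key is tiny textbook RSA sized to hold that digest.
"""
import hashlib
import struct

BLOCK = 8   # bytes per compression-function block (toy; MD5 uses 64)
STATE = 4   # bytes of chaining state (toy; MD5 uses 16)


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated MD5 of (chaining value || block).
    The 32-bit output is what makes birthday-search collisions affordable."""
    return hashlib.md5(state + block).digest()[:STATE]


def absorb(state: bytes, data: bytes) -> bytes:
    """Run whole blocks of data through the compression function."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def toy_hash(data: bytes) -> bytes:
    """Merkle-Damgard hash with MD-style padding: 0x80, zeros, 32-bit length."""
    padded = data + b"\x80"
    padded += b"\x00" * ((-len(padded) - 4) % BLOCK) + struct.pack(">I", len(data))
    return absorb(b"\x00" * STATE, padded)


def find_colliding_blocks(prefix: bytes):
    """Identical-prefix collision: two different blocks that, appended to
    `prefix`, leave the chaining state equal. Deterministic birthday search,
    so the same prefix always yields the same pair."""
    state = absorb(b"\x00" * STATE, prefix)
    seen = {}
    for i in range(1 << 22):
        block = struct.pack(">Q", i)
        out = compress(state, block)
        if out in seen:
            return seen[out], block
        seen[out] = block
    raise RuntimeError("no collision found within search budget")


def tbs_certificate(serial: int, subject: bytes, key_block: bytes, suffix: bytes) -> bytes:
    """Flattened stand-in for TBSCertificate: serial and subject come first
    (the fields the attacker must predict), then the 'public key' bytes that
    carry the collision, then everything that follows them."""
    assert len(subject) <= 12
    prefix = struct.pack(">I", serial) + subject.ljust(12, b"\x00")  # exactly 2 toy blocks
    return prefix + key_block + suffix


# Toy textbook-RSA CA key, chosen so N exceeds any 32-bit digest (illustration only).
P, Q, E = 65537, 65539, 17
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))


def sign(digest: bytes) -> int:
    """CA signs the digest, not the certificate: anything with the same digest inherits it."""
    return pow(int.from_bytes(digest, "big"), D, N)


def verify(digest: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(digest, "big")


def run_attack(predicted_serial: int = 0x1234, issued_serial: int = None) -> dict:
    """Attacker prepares a legitimate and a rogue cert under `predicted_serial`;
    the CA then signs the legitimate one under `issued_serial` (default: as predicted)."""
    subject = b"victim.test"      # constructed subject name
    suffix = b"validity+exts"     # stands in for everything after the key
    if issued_serial is None:
        issued_serial = predicted_serial
    prefix = struct.pack(">I", predicted_serial) + subject.ljust(12, b"\x00")
    legit_key, rogue_key = find_colliding_blocks(prefix)
    legit = tbs_certificate(issued_serial, subject, legit_key, suffix)     # what the CA signs
    rogue = tbs_certificate(predicted_serial, subject, rogue_key, suffix)  # prepared in advance
    sig = sign(toy_hash(legit))
    return {
        "keys_differ": legit_key != rogue_key,
        "legit_verifies": verify(toy_hash(legit), sig),
        "digests_equal": toy_hash(legit) == toy_hash(rogue),
        "signature_transfers": verify(toy_hash(rogue), sig),
    }


if __name__ == "__main__":
    print("serial predicted correctly:", run_attack(0x1234))
    print("CA issued a different serial:", run_attack(0x1234, 0x1235))
```

With the serial guessed correctly the rogue digest equals the legitimate one and the CA's signature verifies over both; with the serial off by one the prefix state differs, the prepared blocks no longer collide, and the signature fails on the rogue cert. The birthday search over a 32-bit state takes well under a second; that gap between "trivial" here and "serious cryptanalysis" for real MD5 is exactly what the toy state size papers over.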

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]