On Fri, Jan 03, 2014 at 10:38:08AM -0800, Ryan Sleevi wrote:
> > With a collision it's possible to create a rogue CA. See:
> > http://www.win.tue.nl/hashclash/rogue-ca/
>
> This is not entirely accurate or true.
>
> The weaknesses in the hash algorithm - both known and unknown - are what
> has motivated root programs to require a minimum set of entropy before
> "attacker-controlled" data to reduce the probability of second pre-image
> attacks.
>
> The attacks against MD5 worked because the issuing CAs used predictable
> serial numbers, which allowed the attackers to predict the certificate
> contents before it entered attacker-controlled data, and thus allowed them
> to successfully exploit second-preimage weaknesses.

Have you read that paper from Microsoft that was posted here 2 weeks ago?
They estimate that 2% do not have 20 bits of entropy and 6% have between
20 and 24 bits. That paper also questions whether 24 bits is enough.

I do not believe that preimage is the only thing we should worry about,
because SHA-1 isn't known to be broken for preimage and as far as I know
still has 2^160.

I also never had any trust in any auditing of the CAs, and that paper from
Microsoft seems to confirm that. As far as I know the only auditing that
really happens is that some accountant goes and checks some papers. Using
SHA-2 instead of SHA-1 is something that we can check that they comply
with, as opposed to relying on some audit.

> > I would like to encourage everybody to start using SHA2 in
> > certificates as soon as possible, since that's clearly the
> > weakest part of the whole chain.
>
> This is again an overstatement. Don't forget that SHA-1 is used throughout
> the SSL/TLS handshake (as is MD5, for that matter).

But there it's used as part of an HMAC and only the preimage resistance is
important, and that isn't a problem.

Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
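The two things the thread argues about, whether a certificate is still signed with an MD5- or SHA-1-based algorithm and whether its serial number is even long enough to hold the entropy root programs ask for, as an added example that is not part of the list discussion. It walks the DER prefix of a certificate by hand with no third-party library; `make_cert` builds a constructed, truncated certificate purely as test input, and the default 20-bit threshold is the figure quoted from the Microsoft paper above, not a policy value.

```python
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",    # MD5/SHA-1-based
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def read_tlv(buf, pos):
    """One DER tag-length-value at buf[pos] -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:              # high bit clear ends a base-128 arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def cert_prefix(der_cert):
    """(serialNumber bytes, signature OID) from the leading fields of a DER certificate."""
    _, cert, _ = read_tlv(der_cert, 0)   # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)        # tbsCertificate SEQUENCE
    tag, serial, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                      # optional [0] EXPLICIT version precedes the serial
        tag, serial, pos = read_tlv(tbs, pos)
    _, algid, _ = read_tlv(tbs, pos)     # signature AlgorithmIdentifier SEQUENCE
    return serial, decode_oid(read_tlv(algid, 0)[1])

def audit(der_cert, min_serial_bits=20):
    """Flag MD5/SHA-1 signatures and serials too short to hold min_serial_bits of entropy."""
    serial, oid = cert_prefix(der_cert)
    bits, findings = int.from_bytes(serial, "big").bit_length(), []   # length only bounds entropy
    if oid in WEAK_SIG_OIDS:
        findings.append(f"signed with {WEAK_SIG_OIDS[oid]}; reissue with a SHA-2 algorithm")
    if bits < min_serial_bits:
        findings.append(f"serial is {bits} bits; cannot carry {min_serial_bits} bits of entropy")
    return oid, bits, findings

def der(tag, content):
    """Encode one TLV; short-form lengths suffice for the constructed input below."""
    return bytes([tag, len(content)]) + content

def make_cert(serial_int, sig_oid):
    """Constructed input: version, serial, sigalg only (all cert_prefix reads); not a valid cert."""
    serial = serial_int.to_bytes(serial_int.bit_length() // 8 + 1, "big")  # positive INTEGER
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, serial)                  # [0] v3, serial
    tbs += der(0x30, der(0x06, sig_oid) + der(0x05, b""))                   # sigalg SEQUENCE
    return der(0x30, der(0x30, tbs))
```

A real DER certificate can be passed straight to `audit()`; a long serial is only necessary, not sufficient, since a sequential 64-bit counter has no entropy at all.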

