On Friday, 3 January 2014 21:00:23 UTC+1, Kurt Roeckx wrote:
> On Fri, Jan 03, 2014 at 10:38:08AM -0800, Ryan Sleevi wrote:
> > >  With a collision it's possible to create a rogue CA.  See:
> > >  http://www.win.tue.nl/hashclash/rogue-ca/
> > 
> > This is not entirely accurate or true.
> > 
> > The weaknesses in the hash algorithm - both known and unknown - are what
> > has motivated root programs to require a minimum set of entropy before
> > > "attacker-controlled" data to reduce the probability of second pre-image
> > attacks.
> > 
> > The attacks against MD5 worked because the issuing CAs used predictable
> > serial numbers, which allowed the attackers to predict the certificate
> > contents before it entered attacker controlled data, and thus allowed them
> > to successfully exploit second-preimage weaknesses.

In fact, it's a chosen-prefix collision, and not second-preimage. Adding 
randomness early in this prefix (serial number) is aimed at making the 
"chosen" part of the attack less effective.

[...]
> I also never had any trust in any auditing on the CAs, and that
> paper of Microsoft on seems to confirm that.  As far as I know the
> only auditing that really happens is that some accountant goes and
> checks some papers.
> 
> Using SHA-2 instead of SHA-1 is something that we can check that
> they comply with as opposed to relying on some audit.

Irrelevant. The auditor isn't only supposed to check that the certificates are 
signed with SHA2 instead of SHA1.
But as an outside observer, you are free to spot any difference between what 
the auditor stated as how things work internally and what the results are, and 
report those observations here. If you can show evidence of discrepancies 
between theory (audit) and reality (certificates, systems, whatever), it means 
either the auditor or the CA didn't do its job correctly. (I'm NOT saying that 
audit results are theoretical, but from an outside point of view, they can be 
considered so.)

> > This is again an overstatement. Don't forget that SHA-1 is used throughout
> > the SSL/TLS handshake (as is MD5, for that matter).
> 
> But there it's used as part of an HMAC and only the preimage
> resistance is important and isn't a problem.

No, it's used in signatures, see RFC2246 section 7.4.3 about server key 
exchange. MD5||SHA1 is what is really signed with the server/client RSA key. 
This changed in TLS1.2 only.
IIRC, there has been a publication stating that this concatenation is as secure 
as the weakest point, but I can't find a link to the paper. Anyway, there's 
something to break here, that's fun.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
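Added illustration of the two technical points raised in the message above (this is example code, not code from the mailing list, from Mozilla, or from any CA): it builds the MD5||SHA-1 value that an RSA-signed ServerKeyExchange covers in TLS 1.0/1.1 per RFC 2246 section 7.4.3, and it shows the CA-side mitigation the reply describes, front-loading CSPRNG output in the serial number so the certificate prefix is not predictable, together with a simple outside-observer check for counter-like serials. The 64-bit entropy figure, the `max_step` threshold and all sample values are assumptions constructed for this example; the thread names no such numbers.

```python
"""Added example (not from the thread, Mozilla, or any CA).

1. RFC 2246 section 7.4.3: a TLS 1.0/1.1 ServerKeyExchange signed with RSA
   covers MD5(randoms + params) || SHA-1(randoms + params), so the digests
   are concatenated rather than used inside an HMAC.
2. Serial-number randomness against chosen-prefix collisions: if the CA
   fills the serial from a CSPRNG, the early bytes of the to-be-signed
   certificate can no longer be predicted before issuance.
"""
import hashlib
import secrets
from typing import Sequence

RANDOM_LENGTH = 32  # a TLS Random is 32 bytes (4-byte time + 28 random bytes)


def tls10_server_key_exchange_hash(client_random: bytes,
                                   server_random: bytes,
                                   params: bytes) -> bytes:
    """Return the 36-byte MD5 || SHA-1 value that an RSA ServerKeyExchange
    signature covers in TLS 1.0/1.1 (RFC 2246, 7.4.3).  TLS 1.2 replaced this
    with a single negotiated hash wrapped in a DigestInfo structure."""
    if len(client_random) != RANDOM_LENGTH or len(server_random) != RANDOM_LENGTH:
        raise ValueError("TLS Random values are exactly 32 bytes")
    data = client_random + server_random + params
    md5_part = hashlib.md5(data).digest()    # 16 bytes
    sha1_part = hashlib.sha1(data).digest()  # 20 bytes
    return md5_part + sha1_part


SERIAL_ENTROPY_BITS = 64  # assumption for this example: CSPRNG bits per serial


def new_serial(entropy_bits: int = SERIAL_ENTROPY_BITS) -> int:
    """CA-side serial generator: the serial is pure CSPRNG output, never a
    counter, so an attacker cannot guess it ahead of signing.  Zero is
    rejected because a CertificateSerialNumber must be a positive INTEGER."""
    while True:
        serial = secrets.randbits(entropy_bits)
        if serial > 0:
            return serial


def der_serial(serial: int) -> bytes:
    """Minimal DER encoding of the serial as an X.509 CertificateSerialNumber
    (positive INTEGER, at most 20 content octets)."""
    if serial <= 0:
        raise ValueError("serial must be positive")
    # One spare bit keeps the top bit clear so DER does not read it as negative.
    body = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    if len(body) > 20:
        raise ValueError("serial exceeds 20 octets")
    return b"\x02" + bytes([len(body)]) + body


def serials_look_sequential(serials: Sequence[int], max_step: int = 1000) -> bool:
    """Outside-observer check in the spirit of the message above: given the
    serials of consecutively issued certificates, small positive increments
    suggest a counter rather than random serials.  max_step is an assumed
    threshold for this example."""
    if len(serials) < 2:
        return False
    steps = [b - a for a, b in zip(serials, serials[1:])]
    return all(0 < s <= max_step for s in steps)


if __name__ == "__main__":
    # Constructed sample values, not captured from a real handshake or CA.
    cr = bytes(range(32))
    sr = bytes(range(32, 64))
    dh_params = b"\x00\x01\x05" + b"\x00\x01\x02" + b"\x00\x01\x03"  # toy p, g, Ys
    print("MD5||SHA-1 to be signed:", tls10_server_key_exchange_hash(cr, sr, dh_params).hex())
    s = new_serial()
    print("random serial:", hex(s), "DER:", der_serial(s).hex())
    print("counter-like serials flagged:", serials_look_sequential([4096, 4097, 4098, 4099]))
```

The 36-byte value is what is handed directly to the RSA signing operation in TLS 1.0/1.1 (no DigestInfo), which is why weaknesses in either MD5 or SHA-1 matter for the handshake signature and not only for certificates. The sequential-serial check is a heuristic only: it flags a CA that visibly issues counter-based serials, but passing it does not prove the serials carry enough entropy.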