Personally, I cannot see that there is an imminent danger. The attack
requires substantial resource, unpublished techniques, dramatic timing
attempts and retrys and no doubt other caveats ... and will be stopped
whenever MD5 is dropped, which is apparantly very soon or already.
See the report of Hal Finney below (one of the half dozen most reliable
people in security crypto work).
(It would seem that the maximum Mozilla needs to do is simply stop
accepting MD5. E.g., like Verisign, advance plans to drop it end Jan
forward to end today.)
Although the attack is widely puffed up as the end of the world as we
know it, it looks quite narrow and harmless, as most of these are. Or?
iang
On 30/12/08 20:51, Hal Finney wrote:
Re: http://www.win.tue.nl/hashclash/rogue-ca/
Key facts:
- 6 CAs were found still using MD5 in 2008: RapidSSL, FreeSSL, TC
TrustCenter AG, RSA Data Security, Thawte, verisign.co.jp. "Out of the
30,000 certificates we collected, about 9,000 were signed using MD5,
and 97% of those were issued by RapidSSL." RapidSSL was used for the
attack.
- The attack relies on cryptographic advances in the state of the art for
finding MD5 collisions from inputs with different prefixes. These advances
are not yet being published but will presumably appear in 2009.
- The collision was found using Arjen Lenstra's PlayStation Lab and used
200 PS3s with collectively 30 GB of memory. The attack is in two parts,
a new preliminary "birthdaying" step which is highly parallelizable and
required 18 hours on the PS3s, and a second stage which constructs the
actual collision using 3 MD5 blocks and runs on a single quad core PC,
taking 3 to 10 hours.
- The attack depends on guessing precisely the issuing time and serial
number of the "good" certificate, so that a colliding "rogue"
certificate can be constructed in advance. The time was managed
by noting that the cert issuing time was reliably 6 seconds after
the request was sent. The serial number was managed because RapidSSL
uses serially incrementing serial numbers. They guessed what serial
number would be in use 3 days hence, and bought enough dummy certs
just before the real one that hopefully the guessed serial number would
be hit.
- The attacks were mounted on the weekend, when cert issuance rates are
lower. It took 4 weekends before all the timing and guessing worked right.
The cert was issued November 3, 2008, and the total cert-purchase cost was
$657.
- The rogue cert, which has the basicConstraints CA field set to TRUE, was
intentionally back-dated to 2004 so even if the private key were stolen,
it could not be misused.
My take on this is that because the method required advances in
cryptography and sophisticated hardware, it is unlikely that it could
be exploited by attackers before the publication of the method, or
the publication of equivalent improvements by other cryptographers. If
these CAs stop issuing MD5 certs before this time, we will be OK. Once
a CA stops issuing MD5 certs, it cannot be used for the attack. Its old
MD5 certs are safe and there is no danger of future successful attacks
along these lines. As the paper notes, changing to using random serial
numbers may be an easier short-term fix.
Therefore the highest priority should be for the six bad CAs to change
their procedures, at least start using random serial numbers and move
rapidly to SHA1. As long as this happens before Eurocrypt or whenever
the results end up being published, the danger will have been averted.
This, I think, is the main message that should be communicated from this
important result.
Hal Finney
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto