The attack relies on creating two cert requests - one for a legitimate server authN cert, and one for an intermediate CA. You get the CA to sign the AuthN cert (e.g. for a website), but since the two cert requests that we have specially crafted end up with the same MD5 verification hash, we can then use the intermediate CA cert to start signing our own, illegitimate, certs.
Finding MD5 collisions for existing certs would probably not be feasible yet. This attack relies, at the moment (from my understanding), on generating the two cert requests concurrently - the second one (for the CA) using padding data to generate the collision. It's easier (apparently) to generate the collision if you are creating both at the same time.

> But as long as browsers still accept the older certificates, they'd
> still be vulnerable, right?

It doesn't matter what the rogue cert is signed with (could be SHA1). The issue is CAs using MD5 to sign certificates (thus allowing an attacker to come up with their own intermediate CA). The rogue intermediate CA could sign certs using SHA1. But "yes" - if all root CAs that were trusted were using SHA1 only and/or refusing to sign intermediate CAs with the same key that they use for end point verification, we wouldn't have this current problem.

Cheers
Ken

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Thursday, 1 January 2009 8:06 AM
To: NT System Admin Issues
Subject: Re: Hackers create rogue CA certificate using MD5 collisions

On Wed, Dec 31, 2008 at 11:13 AM, David Lum <[email protected]> wrote:
> Microsoft is not aware of specific attacks against MD5, so previously
> issued certificates that were signed using MD5 are not affected and do not
> need to be revoked. This issue only affects certificates being signed using
> MD5 after the publication of the attack method.

I thought the idea was that an attacker would forge a certificate, with info matching an existing certificate, but using a private key of their own, and then set their fleet of PlayStation 3's to work to come up with an MD5 collision, so they could use the signature from a real certificate to sign their forgery. Or something like that. So not only does this affect already-issued certificates, it depends on them. Or am I misunderstanding?

> Most public Certificate Authority roots no longer use MD5 to sign
> certificates, but have upgraded to the more secure SHA-1 algorithm.

But as long as browsers still accept the older certificates, they'd still be vulnerable, right?
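A defender-side check for the weakness Ken and Ben are discussing (a CA anywhere in the chain still signing with MD5), added here as an example and not part of the thread: it walks the DER of each certificate with the standard library only, reads the outer signatureAlgorithm OID, and flags MD5-based ones. The certificate blobs it builds are constructed test data shaped like a certificate, not real certificates.

```python
# Added example (not from the thread): pure-stdlib DER walk that reports which
# certificates in a chain carry an MD5-based signatureAlgorithm, i.e. were
# signed by a CA still using MD5. Sample certs below are constructed test data.
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                "1.2.840.113549.1.1.2": "md2WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn OBJECT IDENTIFIER contents into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                                # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm (the issuing CA's choice)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)                   # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)                 # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def md5_signed(chain):
    """Indices of chain members whose signature was produced with MD5/MD2."""
    return [i for i, c in enumerate(chain) if signature_algorithm(c) in MD5_SIG_OIDS]

# --- constructed test data: minimal cert-shaped DER, not real certificates ---
_TBS = bytes.fromhex("3003020101")                      # tbsCertificate: serial only
_SIG = bytes.fromhex("038181") + b"\x00" * 129          # placeholder BIT STRING
MD5_ALG = "300d06092a864886f70d0101040500"              # md5WithRSAEncryption + NULL
SHA256_ALG = "300d06092a864886f70d01010b0500"           # sha256WithRSAEncryption + NULL

def constructed_cert(alg_hex):
    """Wrap the given AlgorithmIdentifier in a cert-shaped SEQUENCE (long-form length)."""
    body = _TBS + bytes.fromhex(alg_hex) + _SIG
    return bytes([0x30, 0x81, len(body)]) + body
```

Run `md5_signed` over a real chain by passing the DER bytes of each certificate (PEM bodies base64-decoded); any index it returns points at a certificate whose issuer signed with MD5.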
