Re: Real World Exploit for Bleichenbachers Attack on SSL from Crypto'06 working
Erik Tews writes: At least 3 major webbrowsers on the marked are shipped by default with CA certificates, which have signed other intermediate CAs which use rsa1024 with exponent 3, in their current version. With this exploit, you can now sign arbitary server certificates for any website of your choice, which are accepted by all 3 webbrowsers without any kind of ssl-warning-message. Is that true, did you try all 3 web browsers to see that they don't give a warning message? It's not enough that they accept a CA with exponent 3, they also have to have the flaw in verification that lets the bogus signature through. If it is true, if three different widely used webbrowsers are all vulnerable to this attack, it suggests a possible problem due to the establishment of a cryptographic monoculture. If it turns out that the same cryptographic library is used in all three of these browsers, and that library has the flaw, then this reliance on a single source for cryptographic technology could be a mistake. Now in practice I don't think that Internet Explorer and Mozilla/Firefox use the same crypto libraries, so either these are not two of the three, or else they have independently made the same error. It would be nice to know which it is. Hal Finney - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Real World Exploit for Bleichenbachers Attack on SSL from Crypto'06 working
Am Freitag, den 15.09.2006, 00:40 +0200 schrieb Erik Tews: I have to check some legal aspects before publishing the names of the browser which accepted this certificate and the name of the ca-certificates with exponent 3 I used in some hours, if nobody tells me not to do that. Depending on the advice I get, I will release the sourcecode of the exploit too. OK, so here are the names of the browsers I tried: * Mozilla Firefox Version 1.5.0.6 and all previous versions including all old versions like netscape 4 seem to be affected. They don't display any kind of warning message at all, nor has the user the possibility to see something if he looks at the ssl connection properties. Firefox 1.5.0.7 was released yesterday and contains a fix. Netscape is not longer supported and netscape phoned me and suggested switching to another browser like seamonkey. * Opera 9.01 is affected. Opera is going to release 9.02 very very soon which will contain a bugfix. Opera users are automatically notified once a week when a new version is available. * Konqueror from the kde project uses openssl for ssl-connections. They are affected, but after having patched openssl, konqueror is fixed too. The following certs could be used in the attack: Starfieldtech has issued the following certificate: Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Cla ss 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@ valicert.com Subject: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://www.starfieldtech.com/repository, CN=Starfield Secure Certification A uthority/[EMAIL PROTECTED] X509v3 Basic Constraints: CA:TRUE Serial Number: 260 (0x104) RSA Public Key: (1024 bit) Exponent: 3 (0x3) This can be used to create an CA certificate which seems to be signed by Starfieldtech There is another certificate by default in a lot of browsers: Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority RSA Public Key: (1024 bit) Exponent: 3 (0x3) X509v3 Basic Constraints: CA:TRUE Serial Number: 927650371 (0x374ad243) This one can be used too. Depending on the browser you use, there are some other certificates. Here is a list of all Subject DN of all CA certs we have found so far, which seems to be affected: * C=US, O=Digital Signature Trust Co., OU=DSTCA E1 * C=US, O=Digital Signature Trust Co., OU=DSTCA E2 * C=US, O=Entrust.net, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Client Certification Authority * C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority * C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root * C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root * C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority * C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority I decided to keep the actual implementation of the exploit secret for the moment. We put up a little webpage summarizing some postings related to the attack. This is written primary for end users who want to secure their browsers, but contains links to some intresting mailing list posts too. http://www.cdc.informatik.tu-darmstadt.de/securebrowser/ signature.asc Description: Dies ist ein digital signierter Nachrichtenteil
Real World Exploit for Bleichenbachers Attack on SSL from Crypto'06 working
Hi I had an idea very similar to the one Peter Gutmann had this morning. I managed to write a real world exploit which takes as input: * an CA-Certificate using 1024 Bit RSA and Exponent 3 (ca-in) * a Public Key, using an algorithm and size of your choice (key-in) and generats an CA-Certificate signed by ca-in, using public key key-in. At least 3 major webbrowsers on the marked are shipped by default with CA certificates, which have signed other intermediate CAs which use rsa1024 with exponent 3, in their current version. With this exploit, you can now sign arbitary server certificates for any website of your choice, which are accepted by all 3 webbrowsers without any kind of ssl-warning-message. I used the following method: I first generated a certificate, with BasicConstraints set to True, Public Key set to one of my keys, and Issuer to the DN of a CA using 1024 Bit RSA with Exponent 3. I used usual values for all the other fields. When I signed a Certificate I shiftet all my data to the left. I had 46 bytes of fixed valued (this can perhaps be reduced to 45 bytes, I have not checked yet, but even with 46, this attack works). They had the form 00 01 FF FF FF FF FF FF FF FF ASN1DataWithHash. This gives me 82 bytes I can fill with arbitary values (at least, if the implementations skipps some part of the asn1-data, I can choose some bytes there too). If you now set all the bytes right of your ASN1DataWithHash to 00, and interpret that as a number n, and compute: y = (ceil(cubeRoot(n)))^3 Where ceil means rounding to the next bigger natural number and cubeRoot computes the third Root in R. y will be a perfect cube and have the form: 00 01 FF FF FF FF FF FF FF FF ASN1DataWithHash' Garbage and ASN1DataWithHash' looks quite similar to your original ASN1DataWithHash, with perhaps 2-3 rightmost bytes changed. These bytes are part of the certificate hash value. This signature is useless, because every certificate has a fixed hash value. But you don't need to sign a fixed certificate. So i started adding some seconds to the notAfter value of the certificate and computed the hash again. I brute forced until I had a certificate where the computation of y did not alter any bytes of the ASN1DataWithHash. I had to try 275992 different values which took 2-3 minutes on my 1.7 GHz Pentium using an unoptimized java-implementation. I used this cert and my key to sign an end-entity certificate which I used to set up an webserver. I have to check some legal aspects before publishing the names of the browser which accepted this certificate and the name of the ca-certificates with exponent 3 I used in some hours, if nobody tells me not to do that. Depending on the advice I get, I will release the sourcecode of the exploit too. Thanks go to Alexander May and Ralf-Philipp Weinmann who helped me. signature.asc Description: Dies ist ein digital signierter Nachrichtenteil
