Re: Stop using SHA1 in certificates
* Kurt Roeckx:

> But it's unclear if this is really a policy or just what some people think should happen.

If we do this, it should not just apply to end-entity certificates, but also to intermediate certificates (but not the self-signature of root certificates). Obviously, that's rather unlikely to happen because of the number of long-term intermediate certificates which cannot be re-issued under current policies.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Stop using SHA1 in certificates
Hi,

Microsoft has proposed to stop issuing new certificates using SHA1 by 2016 (http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx). Mozilla also has a bug that even suggests to stop accepting some new certificates in 3 months and stop accepting any in 2017: https://bugzilla.mozilla.org/show_bug.cgi?id=942515

But it's unclear if this is really a policy or just what some people think should happen. This seems to also recently have been discussed in the CA/Browser forum, but I have a feeling not everybody sees the need for this: https://cabforum.org/2013/12/19/2013-12-19-minutes/

I want to point out that SHA1 is broken for what it is used for in certificates. SHA1 should have a collision resistance of about 2^80, but the best known attack reduces this to about 2^60. In 2012 it cost about 3M USD to break SHA-1; in 2015 this will only be about 700K USD. See https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html

With a collision it's possible to create a rogue CA. See: http://www.win.tue.nl/hashclash/rogue-ca/

This is only based on the best attack currently publicly known. There might be other attacks that we don't know about yet, specialised hardware and so on, reducing the cost even further. This is just waiting to either happen, or until someone finds out that it did happen.

I would like to encourage everybody to start using SHA2 in certificates as soon as possible, since that's clearly the weakest part of the whole chain. This is more important than stopping using 1024-bit RSA keys, since they still have a complexity of 2^80. But you really should also stop using those.

Can someone please try to convince the CAB forum about the need for this?

Kurt
Re: Stop using SHA1 in certificates
The hashclash attack requires the CA to do more than just use SHA-1. They have to use a predictable serial number. That is not an argument for not withdrawing SHA-1 toute haste. It is, however, a reason for folk not to do the usual headless chicken thing.

Striking out SHA-1 effectively means the end of RSA1024, because every browser that can do SHA2 can almost certainly do RSA2048.

There will probably be some niche cases that call for continuing to issue SHA-1 certs, but only the genuine niche applications will want them at all once the browsers start rejecting them.

On Fri, Jan 3, 2014 at 1:15 PM, Kurt Roeckx k...@roeckx.be wrote:

> Hi,
>
> Microsoft has proposed to stop issuing new certificates using SHA1 by 2016 (http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx). Mozilla also has a bug that even suggests to stop accepting some new certificates in 3 months and stop accepting any in 2017: https://bugzilla.mozilla.org/show_bug.cgi?id=942515
>
> But it's unclear if this is really a policy or just what some people think should happen. This seems to also recently have been discussed in the CA/Browser forum, but I have a feeling not everybody sees the need for this: https://cabforum.org/2013/12/19/2013-12-19-minutes/
>
> I want to point out that SHA1 is broken for what it is used for in certificates. SHA1 should have a collision resistance of about 2^80, but the best known attack reduces this to about 2^60. In 2012 it cost about 3M USD to break SHA-1; in 2015 this will only be about 700K USD. See https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
>
> With a collision it's possible to create a rogue CA. See: http://www.win.tue.nl/hashclash/rogue-ca/
>
> This is only based on the best attack currently publicly known. There might be other attacks that we don't know about yet, specialised hardware and so on, reducing the cost even further. This is just waiting to either happen, or until someone finds out that it did happen.
>
> I would like to encourage everybody to start using SHA2 in certificates as soon as possible, since that's clearly the weakest part of the whole chain. This is more important than stopping using 1024-bit RSA keys, since they still have a complexity of 2^80. But you really should also stop using those.
>
> Can someone please try to convince the CAB forum about the need for this?
>
> Kurt

--
Website: http://hallambaker.com/
Re: Stop using SHA1 in certificates
On Fri, Jan 03, 2014 at 10:38:08AM -0800, Ryan Sleevi wrote:

>> With a collision it's possible to create a rogue CA. See: http://www.win.tue.nl/hashclash/rogue-ca/
>
> This is not entirely accurate or true. The weaknesses in the hash algorithm, both known and unknown, are what has motivated root programs to require a minimum set of entropy before attacker-controlled data to reduce the probability of second pre-image attacks. The attacks against MD5 worked because the issuing CAs used predictable serial numbers, which allowed the attackers to predict the certificate contents before it entered attacker-controlled data, and thus allowed them to successfully exploit second-preimage weaknesses.

Have you read that paper from Microsoft that was posted here 2 weeks ago? They estimate that 2% do not have 20 bits of entropy and 6% have between 20 and 24 bits. That paper also questions whether 24 bits is enough.

I do not believe that preimage is the only thing we should worry about, because SHA-1 isn't known to be broken for preimage and as far as I know still has 2^160.

I also never had any trust in any auditing of the CAs, and that paper of Microsoft's seems to confirm that. As far as I know the only auditing that really happens is that some accountant goes and checks some papers. Using SHA-2 instead of SHA-1 is something that we can check that they comply with, as opposed to relying on some audit.

>> I would like to encourage everybody to start using SHA2 in certificates as soon as possible, since that's clearly the weakest part of the whole chain.
>
> This is again an overstatement. Don't forget that SHA-1 is used throughout the SSL/TLS handshake (as is MD5, for that matter).

But there it's used as part of an HMAC, and only the preimage resistance is important, which isn't a problem.

Kurt
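Two checks recur in this thread: whether a certificate is signed with SHA-1 (applied to intermediates as well as end-entity certificates, but not to a root's self-signature, as the first reply above argues), and whether its serial number is long enough to carry the entropy that makes the prefix of the to-be-signed data unpredictable to an attacker (the 20-bit floor discussed in the last message). The script below is an added example, not code from the thread or from any CA or browser vendor. It uses only the Python standard library: a small DER encoder builds a constructed three-certificate chain in-line (placeholder keys and signature bits, fictitious names), and a small DER reader pulls out the fields the audit needs. The signature-algorithm OIDs are the standard ones from RFC 3279/4055/5758; the 20-bit threshold and the "skip the self-signed root" rule are taken from the thread. The serial check is an upper bound only: a long serial can still be sequential, so it is necessary, not sufficient.

```python
"""Audit a certificate chain for SHA-1 signatures and short serial numbers.

Added example (not from the thread).  Stdlib only: a minimal DER encoder
builds the sample certificates in-line (placeholder keys and signatures),
and a minimal DER reader pulls the audited fields back out.
"""

SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
SIG_ALGS = {                          # OID -> (name, digest), RFC 3279/4055/5758
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    SHA1_RSA: ("sha1WithRSAEncryption", "SHA-1"),
    SHA256_RSA: ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}
MIN_SERIAL_BITS = 20                  # the entropy floor discussed in the thread

# ---- minimal DER encoder (just enough to build sample certificates) ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def der_int(v):                       # non-negative INTEGER, sign byte added if needed
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    first, second, *rest = (int(x) for x in dotted.split("."))
    out = bytearray([40 * first + second])
    for n in rest:                    # base-128, high bit set on all but the last byte
        chunk = [n & 0x7F]
        while n > 0x7F:
            n >>= 7
            chunk.insert(0, 0x80 | (n & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def alg_id(oid):
    return tlv(0x30, der_oid(oid) + tlv(0x05, b""))

def name(cn):                         # Name holding a single commonName RDN
    return tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, cn.encode()))))

def make_cert(serial, sig_oid, issuer, subject):
    validity = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, b"150101000000Z"))
    spki = tlv(0x30, alg_id("1.2.840.113549.1.1.1") + tlv(0x03, bytes(17)))  # placeholder key
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(serial) + alg_id(sig_oid)
              + name(issuer) + validity + name(subject) + spki)
    return tlv(0x30, tbs + alg_id(sig_oid) + tlv(0x03, bytes(17)))          # placeholder sig

# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def decode_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def inspect(cert_der):
    _, cert, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:          # skip the optional explicit [0] version
        fields = fields[1:]
    serial, sig, issuer, _validity, subject = fields[:5]
    alg, digest = SIG_ALGS.get(decode_oid(children(sig[1])[0][1]), ("?", "unknown"))
    return {"serial_max_bits": 8 * len(serial[1].lstrip(b"\x00")),  # upper bound only
            "sig_alg": alg, "digest": digest, "self_signed": issuer[1] == subject[1]}

def audit_chain(chain):
    """chain is leaf first, root last; returns (index, message) findings.
    A self-signed root is skipped: it is trusted by identity, not by its
    signature, and nobody can request a chosen-prefix cert from it.  Every
    certificate below it, intermediates included, is checked."""
    findings = []
    for i, der in enumerate(chain):
        info = inspect(der)
        if i == len(chain) - 1 and info["self_signed"]:
            continue
        if info["digest"] in ("MD5", "SHA-1"):
            findings.append((i, f"signed with {info['sig_alg']}"))
        if info["serial_max_bits"] < MIN_SERIAL_BITS:
            findings.append((i, f"serial holds at most {info['serial_max_bits']} bits"
                                f" (< {MIN_SERIAL_BITS}), prefix is predictable"))
    return findings

def sample_chain(hardened=False):
    """Constructed chain.  Weak: SHA-1 leaf with a sequential-looking serial
    and a SHA-1 intermediate.  Hardened: SHA-256 and 64-bit serials (fixed
    values here so the run is reproducible).  The root self-signs with SHA-1
    in both cases to show that it is not flagged."""
    alg = SHA256_RSA if hardened else SHA1_RSA
    leaf = make_cert(0x4C7A9E0312B5D8F1 if hardened else 0x1234, alg,
                     "Example Intermediate CA", "www.example.test")
    inter = make_cert(0x2B19F4E8A07C63D5, alg, "Example Root CA", "Example Intermediate CA")
    root = make_cert(1, SHA1_RSA, "Example Root CA", "Example Root CA")
    return [leaf, inter, root]

if __name__ == "__main__":
    for i, msg in audit_chain(sample_chain()):
        print(f"cert[{i}]: {msg}")
    print("hardened chain findings:", audit_chain(sample_chain(hardened=True)))
```

On the weak chain this reports three findings (SHA-1 and a 16-bit serial on the leaf, SHA-1 on the intermediate) and nothing for the root; the hardened chain is clean. To run it against real certificates, feed `audit_chain` the DER bytes of each certificate in the order the server sends them; the reader only looks at the fixed leading fields of the TBSCertificate, so extensions and key types do not matter to it. Note that it reads the algorithm identifier inside the TBSCertificate, which is the one covered by the signature; a verifier should also confirm it matches the outer `signatureAlgorithm`.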