Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-12 Thread Niklas Keller
2017-07-12 8:35 GMT+02:00 Wouter Verhelst :

> On 11-07-17 23:44, Salz, Rich via openssl-users wrote:
> >> It's very well worth the effort, otherwise there's a security issue, because certificates can be forged.
> >
> > No they cannot.
> >
> > What *has* been done is a document was created with "weak spots" and another document was created that changed those weak spots, but the digest was the same.
>
> Correct me if I'm wrong, but wasn't the MD5 certificate hack presented
> back at 25C3 based on exactly that scenario? They used the serial number
> and timestamp or some other such thing (don't recall the details) as
> weak spots and then sent loads of certificate requests to the CA to
> effectively brute-force it.
>
> (Of course, CAs are now required to randomize their serial number, so
> since that particular attack isn't possible anymore, I agree that for
> the time being it's still not a feasible scenario for SHA1, but hey)
>

Maybe not currently for SHA-1, but maybe for MD5?

Also, I'm not sure whether you can use these old certificates with weak serials
and change the date there as well?

Regards, Niklas
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Niklas Keller
2017-07-10 19:30 GMT+02:00 Michael Wojcik <michael.woj...@microfocus.com>:

> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Niklas Keller
> > Sent: Monday, July 10, 2017 11:12
> > To: openssl-users@openssl.org
> > Subject: Re: [openssl-users] Rejecting SHA-1 certificates
>
>
> > It's very well worth the effort, otherwise there's a security issue, because certificates can be forged.
>
> Care to demonstrate that?
>

I'm not sure how feasible that is for either SHA1 or MD5.


> The SHAttered attack demonstrated an SHA1 collision using 1) an enormous
> amount of resources and 2) a file format with plenty of scope for
> manipulating the preimages. I'm not aware of any public demonstration
> showing anything close to a practical way of forging an X.509 certificate
> with an SHA1-based signature. Certificates have far less scope for
> manipulating the preimage.
>
> It's always been possible to forge certificates. Generally that's been
> done by stealing the signing key from  a poorly-secured CA. The new
> marginal feasibility of producing SHA1 collisions does not significantly
> increase the forgery risk for X.509 certificates at present, since it's
> probably still too difficult - perhaps not even possible for any useful
> forgery (if the forged certificate had to carry a suspect amount of
> unexpected data, for example) - and certainly far too expensive to justify
> the vast majority of potential attacks.
>

Probably true, yes.


> A security vulnerability is meaningless outside the context of a threat
> model. Forging certificates with SHA1-based signatures is a very minor
> branch of the attack tree for nearly all certificate holders. CAs and
> browser vendors are getting rid of SHA1-based signatures now because the
> cost of being proactive is very small, and attacks only get better. That
> doesn't mean immediately screening out all SHA1-based certificates is
> justified under sensible threat models.
>
> What's your threat model, and how does it justify this effort?
>

The same as for browsers, I guess. Could you explain why browsers and Java
disable SHA1, but it's not worth it for me to do so?

Regards, Niklas


Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Niklas Keller
>
> > On Jul 10, 2017, at 3:45 AM, Niklas Keller <m...@kelunik.com> wrote:
> >
> >
> > What's the best way / a working way to reject weak signature schemes in OpenSSL 1.0.{1,2}?
>
> Most CAs have stopped issuing SHA-1 certificates.  Any old ones will expire over the
> next year or two.  While Google has demonstrated a SHA-1 collision, that proof of
> concept is far from a practical attack.
>

Actually, they should already be expired; all major browsers will reject
them already, even Edge.


> The simplest solution is to let the CAs solve the problem as SHA-1 certificates fade
> out of the picture.  You can if you wish leave out from the set of trusted roots any
> CAs that have not yet stopped issuing SHA-1 certificates.
>

CAs can't solve the problem that we accept certificates with weak
signatures.


> You can of course implement a verify callback that inspects each certificate in the
> chain, and triggers an error when its signature is SHA-1 and it is not the last one
> in the chain.  This requires keeping some state attached to the X509 store context,
> and I don't think is worth the effort.
>

It's very well worth the effort, otherwise there's a security issue,
because certificates can be forged.

Regards, Niklas


> See code involving "TLScontext_index" in:
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L318
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L942
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_verify.c#L163
>
> With such a context, you can keep track of the maximum depth seen by the callback,
> and reject SHA-1 at lower depths.  I do not recommend doing this.
>
> --
> Viktor.
>
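The chain rule Viktor describes (flag a weak signature on every certificate except the last one, which is trusted by its public key rather than by its signature) can be applied to a leaf-first list of DER certificates without any OpenSSL state. This is an added example, not code from the thread or from Postfix: it reads each certificate's outer signatureAlgorithm OID with a minimal DER parser, and `WEAK_SIG_OIDS`, `signature_oid`, `weak_links` and the shell certificates in `SAMPLE_CHAIN` are all my constructions.

```python
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """DER OBJECT IDENTIFIER content octets -> dotted-decimal string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Outer signatureAlgorithm OID of a DER Certificate (RFC 5280 s4.1)."""
    _, cert, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE { ...
    _, _, pos = _tlv(cert, 0)               # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)          # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _tlv(alg_id, 0)           # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return _decode_oid(oid)

def weak_links(chain_der):
    """Leaf-first chain -> [(depth, name)] for weak signatures; the last cert
    (trust anchor) is exempt: it is trusted by public key, not by signature."""
    return [(depth, WEAK_SIG_OIDS[oid]) for depth, cert in enumerate(chain_der[:-1])
            if (oid := signature_oid(cert)) in WEAK_SIG_OIDS]

# --- constructed sample input: minimal Certificate shells, not real certs ---
def _der(tag, content):
    return bytes([tag, len(content)]) + content        # short-form length only
def _shell_cert(alg_oid_der):
    tbs = _der(0x30, _der(0x02, b"\x01"))              # placeholder tbsCertificate
    alg = _der(0x30, alg_oid_der + _der(0x05, b""))    # AlgorithmIdentifier + NULL
    return _der(0x30, tbs + alg + _der(0x03, b"\x00")) # + empty signatureValue
SHA1_RSA = bytes.fromhex("06092a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11
# leaf signed with SHA-256, intermediate signed with SHA-1, SHA-1 self-signed root
SAMPLE_CHAIN = [_shell_cert(SHA256_RSA), _shell_cert(SHA1_RSA), _shell_cert(SHA1_RSA)]
```

`weak_links(SAMPLE_CHAIN)` reports only the intermediate at depth 1; the SHA-1 self-signature on the root is ignored, which is the "not the last one in the chain" rule from the message above.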


[openssl-users] Rejecting SHA-1 certificates

2017-07-10 Thread Niklas Keller
Morning,

I'm currently trying to reject certificate chains which rely on MD5 and
SHA-1 for signatures. I found SSL_get0_verified_chain which could be used
to walk the chain and reject if there's any MD5 / SHA-1 certificate in
there, except for the last one, which is trusted because of the public key
instead of based on the signature, so a weak signature algorithm doesn't
have any impact there.

Unfortunately, SSL_get0_verified_chain is only available in OpenSSL 1.1,
but not in OpenSSL 1.0.1 or 1.0.2, which both have to be supported. With
OpenSSL 1.1, we could also just use "auth_level" and be done.

What's the best way / a working way to reject weak signature schemes in
OpenSSL 1.0.{1,2}?

Regards, Niklas