Nmap Development mailing list archives

On the topic of SSL and MD5 (was Re: [NSE])


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 12 Jan 2009 20:28:26 +0000


On Mon, 12 Jan 2009 10:46:39 -0800
bensonk () acm wwu edu wrote:

...snip...

There's also a link to another blog
post which describes exactly how[4] MD5 sigs can be made safe.  

Benson

Comments like this scare the hell out of cryptographers.  The x509
signing certificate serial number is not meant to be a security field.
Making it a security field moves the problem away from strong crypto
(RSA + hash) and into a serial number guessing game.

Right now MD5 is only vulnerable to second preimage attacks which can
be dramatically improved using birthday attack techniques.  The second
preimage attack has been improved quite a lot -- now it even works
under chosen prefixes.  A band-aid like choosing a better serial number
is not a good "solution".  It is entirely possible that first preimage
attacks will be developed on MD5 which will totally bypass /any/ field
monkey business anyone tries.  Even another good second preimage
improvement could bypass any serial number.

SHA1 is available today and works in all SSL capable applications.
Everyone should switch to SHA1.

Also, consider this.  It doesn't matter if *your* SSL certs don't use
MD5 -- someone can generate a new cert matching your details and sign
it with /some other/ CA that *does* use MD5.  Sure, your cert will go
from being signed with CA XYZ using SHA1 to being signed by CA IJK
using MD5.  Nobody will notice.  If you are a user being MitM attacked,
you have no way to get at the "real" CERT to notice that it is supposed
to be signed with SHA1, not MD5.

The best solution is to remove all CA certs that sign with MD5 from
your browser trust.  It is naive to think in a MitM scenario your Nmap
scanner is going to scan and detect a cert signed using MD5 *before*
the attack starts.

Brandon

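As an added example (not code from this thread or from Nmap), a standard-library-only check a defender can run over the DER certificates in a trust store to find the MD5-signed ones the message says to distrust. It reads only the outer Certificate SEQUENCE and decodes the signatureAlgorithm OID; the `fake_cert` inputs are constructed, certificate-shaped DER, not real certificates.

```python
from typing import Tuple
# OIDs of MD5-based signature algorithms (md5WithRSAEncryption).
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER content octets to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # last base-128 group of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm in an X.509 certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def is_md5_signed(cert_der: bytes) -> bool:
    return signature_algorithm(cert_der) in WEAK_SIG_OIDS

# --- constructed sample input (not real certificates) -------------------
def _der(tag: int, payload: bytes) -> bytes:
    assert len(payload) < 128                # short-form length suffices
    return bytes([tag, len(payload)]) + payload

MD5_OID = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def fake_cert(sig_oid: bytes) -> bytes:
    """Certificate-shaped DER: SEQUENCE { tbs, AlgorithmIdentifier, sig }."""
    tbs = _der(0x30, _der(0x02, b"\x01"))     # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xAA" * 4))
```

To audit a real store, feed each DER certificate (PEM base64-decoded) to `is_md5_signed`; any hit is a CA or leaf whose signature relies on MD5.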

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org