Nmap Development mailing list archives
On the topic of SSL and MD5 (was Re: [NSE])
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 12 Jan 2009 20:28:26 +0000
On Mon, 12 Jan 2009 10:46:39 -0800 bensonk () acm wwu edu wrote:

> ...snip...
>
> There's also a link to another blog post which describes exactly how[4]
> MD5 sigs can be made safe.
>
> Benson

Comments like this scare the hell out of cryptographers. The x509 signing certificate serial number is not meant to be a security field. Making it a security field moves the problem away from strong crypto (RSA + hash) and into a serial number guessing game.

Right now MD5 is only vulnerable to second preimage attacks which can be dramatically improved using birthday attack techniques. The second preimage attack has been improved quite a lot -- now it even works under chosen prefixes. A band-aid like choosing a better serial number is not a good "solution". It is entirely possible that first preimage attacks will be developed on MD5 which will totally bypass /any/ field monkey business anyone tries. Even another good second preimage improvement could bypass any serial number.

SHA1 is available today and works in all SSL capable applications. Everyone should switch to SHA1.

Also, consider this. It doesn't matter if *your* SSL certs don't use MD5 -- someone can generate a new cert matching your details and sign it with /some other/ CA that *does* use MD5. Sure, your cert will go from being signed with CA XYZ using SHA1 to being signed by CA IJK using MD5. Nobody will notice. If you are a user being MitM attacked, you have no way to get at the "real" CERT to notice that it is supposed to be signed with SHA1, not MD5.

The best solution is to remove all CA certs that sign with MD5 from your browser trust. It is naive to think in a MitM scenario your Nmap scanner is going to scan and detect a cert signed using MD5 *before* the attack starts.

Brandon

Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
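As an added example (not code from this thread or from Nmap), here is a pure-Python check that reads the outer signatureAlgorithm of a DER-encoded X.509 certificate and flags MD5-family signatures, which is the fact a scanner or a trust-store audit needs in order to act on the advice above. The sample certificate bytes are a constructed skeleton (empty tbsCertificate, dummy signature), not a real certificate.

```python
# Classify the signature hash of a DER-encoded certificate without
# third-party libraries. Certificate ::= SEQUENCE { tbsCertificate,
# signatureAlgorithm, signatureValue }; we only walk the outer layer.
import sys

SIG_OID_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_FAMILY_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}

def _read_tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode base-128 OID content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(cert_der):
    """Dotted OID of the certificate's outer signatureAlgorithm field."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, start)          # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier
    tag2, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return _decode_oid(cert_der[oid_start:oid_end])

def classify_signature(cert_der):
    """Return (algorithm name, True if the signature hash is MD2/MD5)."""
    oid = signature_algorithm_oid(cert_der)
    return SIG_OID_NAMES.get(oid, oid), oid in MD5_FAMILY_OIDS

def _der(tag, body):  # short-form length only; enough for the sample
    return bytes([tag, len(body)]) + body

def sample_cert(oid_hex):
    """Constructed skeleton: empty tbsCertificate, real OID, dummy signature."""
    alg_id = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00\x00"))

if __name__ == "__main__":  # usage: python check.py cert.der
    print(classify_signature(open(sys.argv[1], "rb").read()))
```

On a real DER file the same function reports which hash the issuing CA used, so a trust store can be audited for MD5-signed roots and intermediates.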