Interesting People mailing list archives
Creating a rogue CA certificate
From: David Farber <dave () farber net>
Date: Wed, 31 Dec 2008 10:08:20 -0500
Begin forwarded message:

From: Paul Robichaux <PaulR () 3sharp com>
Date: December 31, 2008 9:22:23 AM EST
To: David Farber <dave () farber net>
Subject: FW: [ISN] Creating a rogue CA certificate

Perhaps interesting to IP readers?

-- Paul Robichaux (paulr () 3sharp com)
Sr VP, Infrastructure Services
3Sharp
14700 NE 95th St, Suite 210
Redmond, WA 98052
425-882-1032 x7285 (v)
425-558-5710 (f)
MSN: paul () robichaux net
Twitter: paulrobichaux

------ Forwarded Message
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 31 Dec 2008 09:08:14 +0000
To: "isn () infosecnews org" <isn () infosecnews org>
Subject: [ISN] Creating a rogue CA certificate

http://www.win.tue.nl/hashclash/rogue-ca/

December 30, 2008

MD5 considered harmful today
Creating a rogue CA certificate

-=- Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger -=-

Summary

We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash. This is known as an MD5 "collision". Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.

As a result of this successful attack, we are currently in possession of a rogue Certification Authority certificate. This certificate will be accepted as valid and trusted by all common browsers, because it appears to be signed by one of the root CAs that browsers trust by default. In turn, any website certificate signed by our rogue CA will be trusted as well. If an unsuspecting user is a victim of a man-in-the-middle attack using such a certificate, they will be assured that the connection is secure through all common security indicators: a "https://" url in the address bar, a closed padlock and messages such as "This certificate is OK" if they chose to inspect the certificate.

This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites. Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites.

The infrastructure of Certification Authorities is meant to prevent exactly this type of attack. Our work shows that known weaknesses in the MD5 hash function can be exploited in a realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.

The vulnerability we expose is not in the SSL protocol or the web servers and browsers that implement it, but in the Public Key Infrastructure. This infrastructure has applications in other areas than the web, but we have not investigated all other possible attack scenarios. So other attack scenarios beyond the web are conceivable, such as in the areas of code signing, e-mail security, and in other areas that use certificates for enabling digital signatures or public key encryption.

The rest of this document will explain our work and its implications in a fair amount of detail. In the interest of protecting the Internet against malicious attacks using our technique, we have omitted the critical details of our sophisticated and highly optimized method for computing MD5 collisions. A scientific paper about our method is in preparation and will be released after a few months, so that the affected Certification Authorities have had some time to remedy this vulnerability.

[...]

http://www.win.tue.nl/hashclash/rogue-ca/

------ End of Forwarded Message
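An added example, not part of this e-mail or of the hashclash page: a standard-library-only Python check that reads the signatureAlgorithm OID out of a DER-encoded X.509 certificate and flags md5WithRSAEncryption, the audit a defender would run over a CA chain given the summary's point that some root CAs were still signing with MD5. The sample certificate it builds is constructed and structurally minimal, not a real certificate.

```python
# Signature-algorithm OID whose hash is broken for collision resistance.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate is not a DER SEQUENCE"
    _, _, pos = _read_tlv(cert, 0)             # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)        # signatureAlgorithm
    tag, oid, _ = _read_tlv(alg_id, 0)         # AlgorithmIdentifier.algorithm
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def weak_signature_name(cert_der):
    """Name of the broken-hash algorithm used to sign cert_der, or None."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))

def _tlv(tag, value):
    """Tiny DER encoder (lengths < 128), used only to build the sample below."""
    return bytes([tag, len(value)]) + value

def sample_cert(alg_oid_der):
    """Constructed certificate shell (stub tbsCertificate, AlgorithmIdentifier with
    alg_oid_der + NULL params, dummy BIT STRING). Not a real certificate."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, alg_oid_der + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + b"\xaa" * 4)
    return _tlv(0x30, tbs + alg + sig)

MD5_RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"     # 1.2.840.113549.1.1.4
SHA256_RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
```

On a real chain, pass each certificate's DER bytes (base64-decoded from PEM) to weak_signature_name; any non-None result is a link that a collision-capable attacker could forge an issuer for.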