Interesting People mailing list archives

Creating a rogue CA certificate


From: David Farber <dave () farber net>
Date: Wed, 31 Dec 2008 10:08:20 -0500



Begin forwarded message:

From: Paul Robichaux <PaulR () 3sharp com>
Date: December 31, 2008 9:22:23 AM EST
To: David Farber <dave () farber net>
Subject: FW: [ISN] Creating a rogue CA certificate

Perhaps interesting to IP readers?

--
Paul Robichaux (paulr () 3sharp com)
Sr VP, Infrastructure Services
3Sharp
14700 NE 95th St, Suite 210  Redmond, WA  98052
425-882-1032 x7285 (v) 425-558-5710 (f)
MSN: paul () robichaux net   Twitter: paulrobichaux


------ Forwarded Message
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 31 Dec 2008 09:08:14 +0000
To: "isn () infosecnews org" <isn () infosecnews org>
Subject: [ISN] Creating a rogue CA certificate

http://www.win.tue.nl/hashclash/rogue-ca/

December 30, 2008

MD5 considered harmful today
Creating a rogue CA certificate

-=-

Alexander Sotirov, Marc Stevens,
Jacob Appelbaum, Arjen Lenstra,
David Molnar, Dag Arne Osvik,
Benne de Weger

-=-

Summary

We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash. This is known as an MD5 "collision". Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.

As a result of this successful attack, we are currently in possession of a rogue Certification Authority certificate. This certificate will be accepted as valid and trusted by all common browsers, because it appears to be signed by one of the root CAs that browsers trust by default. In turn, any website certificate signed by our rogue CA will be trusted as well. If an unsuspecting user is a victim of a man-in-the-middle attack using such a certificate, they will be assured that the connection is secure through all common security indicators: an "https://" URL in the address bar, a closed padlock and messages such as "This certificate is OK" if they choose to inspect the certificate.

This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites. Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites.

The infrastructure of Certification Authorities is meant to prevent exactly this type of attack. Our work shows that known weaknesses in the MD5 hash function can be exploited in a realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.

The vulnerability we expose is not in the SSL protocol or the web servers and browsers that implement it, but in the Public Key Infrastructure. This infrastructure has applications in other areas than the web, but we have not investigated all other possible attack scenarios. So other attack scenarios beyond the web are conceivable, such as in the areas of code signing, e-mail security, and in other areas that use certificates for enabling digital signatures or public key encryption.

The rest of this document will explain our work and its implications in a fair amount of detail. In the interest of protecting the Internet against malicious attacks using our technique, we have omitted the critical details of our sophisticated and highly optimized method for computing MD5 collisions. A scientific paper about our method is in preparation and will be released after a few months, so that the affected Certification Authorities have had some time to remedy this vulnerability.

[...]

http://www.win.tue.nl/hashclash/rogue-ca/



------ End of Forwarded Message
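The rogue certificate described above is only accepted because verifiers still honour signatures whose digest is MD5, so a defender-side mitigation is to reject any chain element whose signatureAlgorithm is MD5-based. The following is an added example, not code from the hashclash authors, ISN or this list: a minimal DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and applies a policy to it; the certificate it parses is a constructed dummy rather than a real one, and a real chain would be checked after base64-decoding each PEM element.

```python
SIG_ALGS = {  # PKCS #1 / RFC 3279 / RFC 4055 signature OIDs and the policy applied to each
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "REJECT"),   # MD5: collisions are practical
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "WARN"),    # SHA-1: deprecated
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "OK"),
}

def der(tag, body):
    n = len(body)                                    # short and two-byte long forms suffice here
    ln = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def read_tlv(buf, pos):                              # -> (tag, content, position after the TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                               # base-128, high bit marks continuation
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def oid_decode(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0        # first octet packs the first two arcs
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """OID in the outer signatureAlgorithm field of a DER-encoded X.509 Certificate."""
    _, cert, _ = read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE { tbs, algId, sig }
    _, _, pos = read_tlv(cert, 0)                    # skip tbsCertificate (the bytes the CA hashes)
    _, alg_id, _ = read_tlv(cert, pos)               # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = read_tlv(alg_id, 0)
    return oid_decode(oid)

def assess(cert_der):
    """(algorithm name, verdict); an unknown algorithm is rejected rather than trusted."""
    return SIG_ALGS.get(signature_algorithm(cert_der), ("unknown", "REJECT"))

def fake_cert(sig_oid):
    """Constructed dummy Certificate carrying the given signature OID; not a real certificate."""
    tbs = der(0x30, der(0x02, b"\x02"))              # placeholder tbsCertificate
    alg_id = der(0x30, der(0x06, oid_encode(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" * 17)                    # dummy BIT STRING, not a real signature
    return der(0x30, tbs + alg_id + sig)
```

Run `assess()` over every element of a chain, root included: the signature on a CA certificate is what the attack described above forges, so a single MD5-signed link is enough to reject the chain.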




