Penetration Testing mailing list archives

Re: MD5 crack for digital certificates


From: Tim <tim-pentest () sentinelchicken org>
Date: Tue, 10 Feb 2009 13:48:55 -0800

> I have been reading about the recent crack on digital certificates
> signed using the MD5 hashing algorithm. I am a bit confused by the concept
> and I request clarification from anyone who understands it. From my
> understanding, this is what happens when a certificate is created:
>
> 1. Message hash computed (in this instance using MD5)
> 2. Message hash encrypted with CA private key.
> 3. Message hash appended to certificate.
>
> How then are they "cracking" MD5 when there is the encryption done on
> the hash? I'm quite hazy on this one.

Hashing basics:

Secure cryptographic hashes are typically expected to provide protection
against three distinct types of attacks:
 1. Preimage attacks
 2. Second preimage attacks
 3. Collision attacks

In the specific situation you describe above, the attackers are taking
advantage of the fact that MD5 has been broken with respect to collision
attacks.  A collision attack is where an attacker generates two separate
documents of his choosing such that the hashes match.

If he can do this, then perhaps he can create two specific documents
whose hashes are the same:
  A. one certificate request document which asks for a normal server
     certificate. 
  B. A second "evil" certificate request document which asks for a
     sub-CA certificate.

Once the root CA signs document A, which looks legit, the attacker can
go around signing arbitrary certificates with certificate B.  Since the
hashes are the same, browsers and other clients won't be able to tell
that certificate B is evil.

> Also, just another one with regards to bruteforce attacks, how does a
> brute force attacker (application) know it has reached the correct
> password? Because to it, they are just characters, right? Is there a
> flag set by the application being cracked to say "alright, stop, you
> got the right one there?"

Yes, being able to tell when you're "done" is an important part of
cracking hashes and ciphers.  Often an attacker has some piece of
plaintext which he knows is a part of the pre-encrypted text so he can
check to see if they match.  (This would be called a known-plaintext
attack.)  In the case of hash cracking, you guess various plaintexts and
see if the hash matches.

hope that helps,
tim
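
The point of the reply above, as an added example that is not part of the original message: the CA's signature covers only the hash, so a second document with the same hash verifies under the same signature. Assumptions: MD5 is truncated to 24 bits so a plain birthday search finds a collision quickly (a stand-in for the real MD5 collision technique), the RSA key is an unpadded toy key, and the `CN=...;CA=...` strings are constructed stand-ins for certificate requests.

```python
import hashlib
from itertools import count

# Toy textbook-RSA CA key (assumption): two Mersenne primes, no padding.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def weak_hash(doc: bytes) -> int:
    """Stand-in for a collision-broken hash: MD5 truncated to 24 bits."""
    return int.from_bytes(hashlib.md5(doc).digest()[:3], "big")

def ca_sign(doc: bytes) -> int:
    """Steps 1-2 from the question: hash the document, apply the CA private key."""
    return pow(weak_hash(doc), D, N)

def verify(doc: bytes, sig: int) -> bool:
    """Client check: recover the signed hash and compare it with a fresh hash."""
    return pow(sig, E, N) == weak_hash(doc)

def colliding_pair(prefix_a: bytes, prefix_b: bytes, table_size: int = 8192):
    """Vary a filler field in both documents until their hashes match."""
    seen = {}
    for i in range(table_size):
        doc = prefix_a + b";pad=%d" % i
        seen[weak_hash(doc)] = doc
    for j in count():
        doc = prefix_b + b";pad=%d" % j
        h = weak_hash(doc)
        if h in seen:          # the only "done" signal: the two hashes are equal
            return seen[h], doc

def demo():
    # Constructed sample inputs: document A (normal) and document B (sub-CA).
    doc_a, doc_b = colliding_pair(b"CN=www.example.test;CA=FALSE",
                                  b"CN=www.example.test;CA=TRUE")
    sig = ca_sign(doc_a)       # the CA only ever sees and signs document A
    return doc_a, doc_b, sig

if __name__ == "__main__":
    a, b, sig = demo()
    print(a, verify(a, sig))
    print(b, verify(b, sig))   # same signature verifies for document B too
```

The private-key operation never enters the search: only the hash function has to be weak, which is why the fix is a collision-resistant hash rather than a stronger key.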


