So, if I understand things correctly, the definitive way to protect 
against this potential attack would be to remove all root certs that use the 
Md5RSA signature algorithm? What are the downsides?

...Tim


> -----Original Message-----
> From: Ken Schaefer [mailto:k...@adopenstatic.com]
> Sent: Wednesday, December 31, 2008 7:28 PM
> To: NT System Admin Issues
> Subject: RE: Hackers create rogue CA certificate using MD5 collisions
> 
> The attack relies on creating two cert requests - one for a legitimate
> server authN cert, and one for an intermediate CA. You get the CA to
> sign the AuthN cert (e.g. for a website), but since the two cert
> requests that we have specially crafted end up with the same MD5
> verification hash, we can then use the intermediate CA cert to start
> signing our own, illegitimate, certs.
> 
> Finding MD5 collisions for existing certs would probably not be
> feasible yet. This attack relies, at the moment (from my understanding)
> on generating the two cert requests concurrently - the second one (for
> the CA) using padding data to generate the collision. It's easier
> (apparently) to generate the collision if you are creating both at the
> same time.
> 
> > But as long as browsers still accept the older certificates, they'd
> > still be vulnerable, right?
> 
> It doesn't matter what the rogue cert is signed with (could be SHA1).
> The issue is CAs using MD5 to sign certificates (thus allowing an
> attacker to come up with their own intermediate CA). The rogue
> intermediate CA could sign certs using SHA1.
> 
> But "yes" - if all root CAs that were trusted were using SHA1 only
> and/or refusing to sign intermediate CAs with the same key that they
> use for end point verification, we wouldn't have this current problem.
> 
> Cheers
> Ken
> 
> -----Original Message-----
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Thursday, 1 January 2009 8:06 AM
> To: NT System Admin Issues
> Subject: Re: Hackers create rogue CA certificate using MD5 collisions
> 
> On Wed, Dec 31, 2008 at 11:13 AM, David Lum <david....@nwea.org> wrote:
> > Microsoft is not aware of specific attacks against MD5, so previously
> > issued certificates that were signed using MD5 are not affected and
> > do not need to be revoked. This issue only affects certificates being
> > signed using MD5 after the publication of the attack method.
> 
>   I thought the idea was that an attacker would forge a certificate,
> with info matching an existing certificate, but using a private key of
> their own, and then set their fleet of PlayStation 3's to work to come
> up with an MD5 collision, so they could use the signature from a real
> certificate to sign their forgery.  Or something like that.  So not
> only does this affect already-issued certificates, it depends on them.
> Or am I misunderstanding?
> 
> > Most public Certificate Authority roots no longer use MD5 to sign
> > certificates, but have upgraded to the more secure SHA-1 algorithm.
> 
>   But as long as browsers still accept the older certificates, they'd
> still be vulnerable, right?
> 
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
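
The check Tim asks about above, as an added example that is not part of this thread: a dependency-free Python DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate (the algorithm the issuing CA signed it with, which Ken identifies as the thing that matters) and flags md5WithRSAEncryption, so a trust store can be audited for MD5-signed roots. The OID table holds real values; fake_cert() and the _der/_encode_oid helpers exist only to construct a structurally valid dummy certificate as input, not a real one.

```python
OID_NAMES = {                        # signature-algorithm OIDs (real values)
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _tlv(data, pos):                 # one DER TLV -> (tag, contents, next pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _decode_oid(raw):                # DER OID contents -> dotted string
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))
def signature_algorithm(cert_der):
    """Algorithm the issuer used to sign this cert (outer signatureAlgorithm)."""
    _, cert, _ = _tlv(cert_der, 0)   # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, pos = _tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    dotted = _decode_oid(_tlv(alg_id, 0)[1])
    return OID_NAMES.get(dotted, dotted)
def md5_signed(store):               # {name: der} -> names signed with MD5
    return [n for n, der in store.items()
            if signature_algorithm(der) == "md5WithRSAEncryption"]

# --- constructed input only: tiny DER encoder and a dummy certificate ---
def _der(tag, content):
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + content

def _encode_oid(dotted):
    nums = [int(x) for x in dotted.split(".")]
    out = [nums[0] * 40 + nums[1]]
    for v in nums[2:]:
        chunk = [v & 0x7F]
        while v := v >> 7:
            chunk.append(0x80 | (v & 0x7F))
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def fake_cert(sig_oid):              # structurally valid, cryptographically meaningless
    tbs = _der(0x30, _der(0x02, b"\x01"))                 # placeholder tbsCertificate
    alg = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")  # OID + NULL parameters
    sig = _der(0x03, b"\x00" + b"\xAA" * 128)             # BIT STRING, dummy bytes
    return _der(0x30, tbs + alg + sig)
```

On a real store, feed md5_signed() the DER bytes of each root (e.g. exported from the Windows Trusted Root store) instead of fake_cert() output.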
