Hi,

How do you determine what hash the CA is using for a particular certificate? 
You can't do that just by looking at the CA's root cert. You need to look at 
the actual cert presented by the web server or similar.

However, if you can find a list of CAs somewhere (e.g. if someone's compiled a 
list and stuck it up on the web) that shows what hash they do use, then you 
could use that to selectively remove CA certs. Just be aware of unintended 
consequences (e.g. if you have anything like a webservice that runs unattended 
and can no longer connect due to cert trust issues).

Cheers
Ken
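One way to carry out the check Ken describes (look at the certificate the server actually presents and at the chain above it, rather than at the root alone), as an added example that is not part of this thread or of any product mentioned in it. It walks the DER structure by hand so it needs no third-party library; the three sample certificates at the bottom are constructed placeholders with a dummy tbsCertificate body, not real CA certificates, and the leaf-first/root-last chain order is an assumption.

```python
"""Report the signature hash algorithm of each certificate in a chain.

Added example, not from the original thread. A hand-written DER walker keeps it
free of third-party libraries; the sample chain at the bottom is built from
placeholder certificates, not real CA certificates.
"""
import base64

# OID -> name for the RSA signature algorithms relevant to the thread.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_HASH_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:                # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """OID of the outer signatureAlgorithm, i.e. the hash the *issuing* CA signed with.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)                 # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)           # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)


def audit_chain(chain_der):
    """Name the signature algorithm of every certificate in a presented chain."""
    report = []
    for der in chain_der:
        oid = signature_algorithm_oid(der)
        report.append({"oid": oid, "name": SIGNATURE_OIDS.get(oid, "unknown"),
                       "weak": oid in WEAK_HASH_OIDS})
    return report


def chain_is_at_risk(chain_der):
    """True if any certificate below the trust anchor carries an MD2/MD5 signature.

    Assumes leaf-first order with the root last. The root's own self-signature is
    skipped on purpose: a trusted root can be "signed in crayon"; the risk lies in
    the hash the CA used on the certificates it issued beneath it.
    """
    return any(entry["weak"] for entry in audit_chain(chain_der)[:-1])


def load_pem_chain(text):
    """Collect every PEM CERTIFICATE block, e.g. from `openssl s_client -showcerts`."""
    ders, body = [], None
    for line in text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            body = []
        elif line.startswith("-----END CERTIFICATE-----"):
            ders.append(base64.b64decode("".join(body)))
            body = None
        elif body is not None:
            body.append(line.strip())
    return ders


# ---- constructed sample data: DER assembled by hand, NOT real certificates ----
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value      # short-form lengths suffice here


def _fake_cert(sig_oid_der):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))        # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, sig_oid_der) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))   # placeholder signature


_RSA_PKCS1 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"  # 1.2.840.113549.1.1 prefix
SAMPLE_CHAIN = [
    _fake_cert(_RSA_PKCS1 + b"\x05"),   # leaf: sha1WithRSA, issued by the intermediate
    _fake_cert(_RSA_PKCS1 + b"\x04"),   # intermediate: MD5-signed by the root (the risk)
    _fake_cert(_RSA_PKCS1 + b"\x04"),   # root: MD5 self-signature, ignored by design
]
SAMPLE_PEM = "".join(f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(d).decode()}\n"
                     f"-----END CERTIFICATE-----\n" for d in SAMPLE_CHAIN)
```

To run it against a live server, save the output of `openssl s_client -connect host:443 -showcerts` to a file, pass the text to `load_pem_chain`, and hand the result to `audit_chain` and `chain_is_at_risk`. The report answers Ken's question directly: it is the `signatureAlgorithm` on the leaf and intermediate certificates, not anything in the root, that reveals which hash the CA used.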


-----Original Message-----
From: Troy Meyer [mailto:troy.me...@monacocoach.com] 
Sent: Friday, 2 January 2009 4:23 AM
To: NT System Admin Issues
Subject: RE: Hackers create rogue CA certificate using MD5 collisions

Thanks for the clarification Ken. 

Your last comment said the only way to prevent the issue would be to examine 
each cert presented and see if the sig is encrypted with MD5, but following up 
on Tim's comment: if you removed all CAs from your Trusted Root Store that used 
MD5 on their sigs (all of the CAs that would be vulnerable to this attack), 
wouldn't that mean removing the risk? 

Thought being: if a hacker created a fake intermediate CA, but your machine 
doesn't trust the CA at the top of the chain (because you removed it from your 
trusted root store), wouldn't you in turn not trust that fake intermediate (and 
any of its falsely issued certificates)?

-troy

-----Original Message-----
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Wednesday, December 31, 2008 7:32 PM
To: NT System Admin Issues
Subject: RE: Hackers create rogue CA certificate using MD5 collisions

This isn't the issue at all at the moment.

Root CA certs can be signed in crayon, as long as you trust the integrity of 
the cert, you are OK.

No one is cracking root CA certs. They are generating certificate requests (two 
of them - one for an end point purpose, e.g. web server authentication, and one 
for an intermediate CA) that will result in the same signing hash from the CA 
if the CA is using MD5.

Cheers
Ken

-----Original Message-----
From: Troy Meyer [mailto:troy.me...@monacocoach.com] 
Sent: Thursday, 1 January 2009 9:09 AM
To: NT System Admin Issues
Subject: RE: Hackers create rogue CA certificate using MD5 collisions

If the PS3 guys can crack an MD5 encrypted root certificate, they can create 
their own CA that looks like a trusted authority and in turn the CA can issue 
certificates that appear to be from that fake trusted authority.  If a public 
CA has a root cert that is encrypted with SHA1 they aren't susceptible (yet) to 
having their certs faked.

Faked certs could be used to make false websites look secure or genuine, could 
be used to deploy software that appears to be from a trusted vendor, or could 
be used to gain access to services/systems authenticated through public certs.

Hopefully this will be a kick in the rear to CAs using MD5.  If you run a site 
or service that uses certs from CAs like Equifax, Thawte, or GTE (all have at 
least one valid CA with a root cert encrypted with MD5), check your cert and 
the encryption of the signature at the top of the certificate path. If your 
root cert was encrypted with MD5, I would get your CA on the phone and have a 
conversation about possible risks.

-troy


-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, December 31, 2008 1:06 PM
To: NT System Admin Issues
Subject: Re: Hackers create rogue CA certificate using MD5 collisions

On Wed, Dec 31, 2008 at 11:13 AM, David Lum <david....@nwea.org> wrote:
> Microsoft is not aware of specific attacks against MD5, so previously
> issued certificates that were signed using MD5 are not affected and do not
> need to be revoked. This issue only affects certificates being signed using
> MD5 after the publication of the attack method.

  I thought the idea was that an attacker would forge a certificate,
with info matching an existing certificate, but using a private key of
their own, and then set their fleet of PlayStation 3's to work to come
up with an MD5 collision, so they could use the signature from a real
certificate to sign their forgery.  Or something like that.  So not
only does this affect already-issued certificates, it depends on them.
Or am I misunderstanding?

> Most public Certificate Authority roots no longer use MD5 to sign
> certificates, but have upgraded to the more secure SHA-1 algorithm.

  But as long as browsers still accept the older certificates, they'd
still be vulnerable, right?


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
