1) OpenSSL malformed signature checking:

http://openssl.org/news/secadv_20090107.txt

This affects a great number of products and installations.

Who is affected?
=================

Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client
when connecting to a server whose certificate contains a DSA or ECDSA key.

Use of OpenSSL as an SSL/TLS client when connecting to a server whose
certificate uses an RSA key is NOT affected.

Verification of client certificates by OpenSSL servers for any key type
is NOT affected.

Recommendations for users of OpenSSL
=====================================

Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release
which contains a patch to correct this issue.

The patch used is also appended to this advisory for users or
distributions who wish to backport this patch to versions they build
from source.

Recommendations for projects using OpenSSL
===========================================

Projects and products using OpenSSL should audit any use of the
routine EVP_VerifyFinal() to ensure that the return code is being
correctly handled.  As documented, this function returns 1 for a
successful verification, 0 for failure, and -1 for an error.

General recommendations
========================

Any server that has clients using OpenSSL verifying DSA or ECDSA
certificates, regardless of the software used by the server, should
either ensure that all clients are upgraded or stop using DSA/ECDSA
certificates. Note that unless certificates are revoked (and clients
check for revocation) impersonation will still be possible until the
certificate expires.

2) MD5 Impersonation:

An MD5 flaw has been suggested theoretically in various ways, but a complete
proof of concept was not completely dissected, described and announced until
December 30, 2008.  I think that MD5 impersonation "discovery" is now owned by
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar,
Dag Arne Osvik, Benne de Weger from the Netherlands, announced at Chaos on
December 30, 2008 in Berlin - here's that presentation:
http://www.win.tue.nl/hashclash/rogue-ca/downloads/md5-collisions-1.0.pdf

Here are the Homeland Security recommendations two days later:

[added Jan. 2] US-CERT, the US Department of Homeland Security's Computer
Emergency Readiness Team, published Vulnerability Note VU#836068:
"MD5 vulnerable to collision attacks". Interesting quotes from this note:

"Do not use the MD5 algorithm"

"Software developers, Certification Authorities, website owners, and users
should avoid using the MD5 algorithm in any capacity. As previous research
has demonstrated, it should be considered cryptographically broken and
unsuitable for further use."

"Scrutinize SSL certificates signed by certificates using the MD5 algorithm"

"Users may wish to manually analyze the properties of web site certificates
(...) Certificates listed as md5RSA or similar are affected. Such
certificates that include strange or suspicious fields or other anomalies
may be fraudulent. Because there are no reliable signs of tampering it must
be noted that this workaround is error-prone and impractical for most
users."

Here's Microsoft's Response (touting the EV certs of course and their update
process [which was only released this week] which says it's released on
12/30/0):

Do not sign digital certificates with MD5

Certificate Authorities should no longer sign newly generated certificates
using the MD5 algorithm, as it is known to be prone to collision attacks.
Several alternative and more secure technologies are available, including
SHA-1, SHA-256, SHA-384 or SHA-512.

So if you guys discover something that doesn't make sense?  Follow up on it.
Dissect it and publish it in a big way....  Many of us ignored the DNS flaws
described and exploited by Kaminsky for years.  Believe me, there are a great
many working exploits before every published exploit.

Yes, I was asleep working on a project....but Hans and I discussed some of the 
cert auth triangulation auth issues and wondered when it might be coming!


> Date: Wed, 7 Jan 2009 16:19:17 -0700
> From: pl...@lufthans.com
> To: PLUG-discuss@lists.PLUG.phoenix.az.us
> Subject: OpenSSL, MD5, CA security flaws, oh my
> 
> moin moin,
> 
> Lisa has probably posted the second issue, but I'm a bit behind on the
> list. The first one appears to be from today and I don't see anything from
> her today.
> 
> http://openssl.org/news/secadv_20090107.txt
> 
> OK, so DSA and ECDSA certs in OpenSSL now are suspect, but RSA is still
> safe, except...
> 
> http://www.win.tue.nl/hashclash/rogue-ca/
> 
> Hmm, it's possible to impersonate a CA and create RSA certs that'll be
> accepted :(.
> 
> I think the 'Outline of the attack' section indicates that the original CA
> certificate is needed, so CAs moving away from MD5 can avoid the problem.
> 
> ciao,
> 
> der.hans
> -- 
> #  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
> #  Strangers are friends just waiting to happen!
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
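The EVP_VerifyFinal() return-code audit that the OpenSSL advisory above asks for, shown as an added example that is not part of this post or of OpenSSL itself. sim_verify_final() is a hypothetical stand-in that follows the documented contract (1 verified, 0 failed, -1 error) so the code runs without the library; the signature format it parses is constructed for the demonstration. accept_buggy() is the caller pattern that treats any non-zero return as success, accept_fixed() the corrected one.

```c
#include <stdio.h>
#include <string.h>

/* Return contract of OpenSSL's EVP_VerifyFinal(), as the advisory states it:
 * 1 = signature verified, 0 = verification failed, -1 = error. */
enum { VERIFY_OK = 1, VERIFY_FAIL = 0, VERIFY_ERROR = -1 };

/* Hypothetical stand-in for EVP_VerifyFinal() (not OpenSSL code).  The
 * constructed "signature" format is: byte 0 = declared payload length,
 * followed by the payload, which must equal the expected bytes.  A declared
 * length that disagrees with the buffer models a malformed signature
 * encoding, which is reported as an error (-1), not as a clean failure. */
static int sim_verify_final(const unsigned char *sig, size_t siglen,
                            const unsigned char *expected, size_t explen)
{
    if (siglen == 0 || (size_t)sig[0] != siglen - 1)
        return VERIFY_ERROR;   /* malformed encoding */
    if (siglen - 1 != explen || memcmp(sig + 1, expected, explen) != 0)
        return VERIFY_FAIL;    /* well-formed but does not match */
    return VERIFY_OK;
}

/* Vulnerable caller pattern: "if (EVP_VerifyFinal(...))" treats every
 * non-zero return as success, so the -1 error path is accepted. */
int accept_buggy(const unsigned char *sig, size_t siglen,
                 const unsigned char *expected, size_t explen)
{
    return sim_verify_final(sig, siglen, expected, explen) != 0;
}

/* Fixed caller pattern: only an exact return of 1 means "verified". */
int accept_fixed(const unsigned char *sig, size_t siglen,
                 const unsigned char *expected, size_t explen)
{
    return sim_verify_final(sig, siglen, expected, explen) == 1;
}

/* Constructed inputs for the demonstration. */
static const unsigned char EXPECTED[]      = { 'a', 'b', 'c' };
static const unsigned char GOOD_SIG[]      = { 3, 'a', 'b', 'c' };
static const unsigned char WRONG_SIG[]     = { 3, 'x', 'y', 'z' };
static const unsigned char MALFORMED_SIG[] = { 9, 'a', 'b', 'c' }; /* length byte lies */

/* Audit helper: 1 if a "!= 0" check would accept the malformed signature. */
int buggy_check_accepts_malformed(void)
{
    return accept_buggy(MALFORMED_SIG, sizeof MALFORMED_SIG,
                        EXPECTED, sizeof EXPECTED);
}

int main(void)
{
    const struct { const char *name; const unsigned char *sig; size_t len; } cases[] = {
        { "good",      GOOD_SIG,      sizeof GOOD_SIG },
        { "wrong",     WRONG_SIG,     sizeof WRONG_SIG },
        { "malformed", MALFORMED_SIG, sizeof MALFORMED_SIG },
    };
    size_t i;
    printf("%-10s %4s %6s %6s\n", "signature", "ret", "buggy", "fixed");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-10s %4d %6d %6d\n", cases[i].name,
               sim_verify_final(cases[i].sig, cases[i].len, EXPECTED, sizeof EXPECTED),
               accept_buggy(cases[i].sig, cases[i].len, EXPECTED, sizeof EXPECTED),
               accept_fixed(cases[i].sig, cases[i].len, EXPECTED, sizeof EXPECTED));
    return 0;
}
```

The "malformed" row is the one the advisory is about: the raw return is -1, the buggy wrapper reports it as accepted, the fixed wrapper rejects it. When auditing a code base, grep for every EVP_VerifyFinal() call site and confirm the result is compared against 1 rather than used as a boolean.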

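A mechanical version of the US-CERT advice quoted above ("scrutinize SSL certificates signed ... using the MD5 algorithm", certificates listed as md5RSA), added here as an example; it is not code from this post, from US-CERT or from OpenSSL. A minimal DER walker pulls the signatureAlgorithm OID out of a certificate and flags md5WithRSAEncryption. The OID byte strings are the standard PKCS#1 encodings (1.2.840.113549.1.1.4 and .11); the three "certificates" are constructed, certificate-shaped byte arrays, not real certificates, and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Minimal DER tag-length reader (added example, not OpenSSL code).  Handles
 * short-form and long-form lengths.  Returns 1 and fills tag, header size and
 * content length, or 0 if the element does not fit in the buffer. */
static int der_tlv(const unsigned char *buf, size_t len,
                   unsigned *tag, size_t *hdr, size_t *clen)
{
    size_t i, n;
    if (len < 2) return 0;
    *tag = buf[0];
    if (buf[1] < 0x80) {
        *hdr = 2;
        *clen = buf[1];
    } else {
        n = buf[1] & 0x7f;
        if (n == 0 || n > 4 || len < 2 + n) return 0;
        for (*clen = 0, i = 0; i < n; i++)
            *clen = (*clen << 8) | buf[2 + i];
        *hdr = 2 + n;
    }
    return *hdr + *clen <= len;
}

/* DER contents of the PKCS#1 signature-algorithm OIDs 1.2.840.113549.1.1.x */
static const unsigned char OID_MD5_RSA[]    = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04};
static const unsigned char OID_SHA256_RSA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B};

/* Locate the signatureAlgorithm OID inside a DER Certificate:
 *   Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
 *                              signatureAlgorithm SEQUENCE { OID, params },
 *                              signatureValue BIT STRING }
 * Returns a pointer to the OID content bytes (length in *oidlen), or NULL
 * if the input is not shaped like that. */
const unsigned char *cert_sig_oid(const unsigned char *der, size_t len, size_t *oidlen)
{
    unsigned tag; size_t hdr, clen;
    if (!der_tlv(der, len, &tag, &hdr, &clen) || tag != 0x30) return NULL;
    der += hdr; len = clen;                   /* descend into Certificate */
    if (!der_tlv(der, len, &tag, &hdr, &clen) || tag != 0x30) return NULL;
    der += hdr + clen; len -= hdr + clen;     /* skip tbsCertificate */
    if (!der_tlv(der, len, &tag, &hdr, &clen) || tag != 0x30) return NULL;
    der += hdr; len = clen;                   /* descend into signatureAlgorithm */
    if (!der_tlv(der, len, &tag, &hdr, &clen) || tag != 0x06) return NULL;
    *oidlen = clen;
    return der + hdr;
}

/* Human-readable label for the audit printout. */
const char *cert_sig_alg_name(const unsigned char *der, size_t len)
{
    size_t oidlen;
    const unsigned char *oid = cert_sig_oid(der, len, &oidlen);
    if (oid == NULL) return "unparsable";
    if (oidlen == sizeof OID_MD5_RSA && memcmp(oid, OID_MD5_RSA, oidlen) == 0)
        return "md5WithRSAEncryption";
    if (oidlen == sizeof OID_SHA256_RSA && memcmp(oid, OID_SHA256_RSA, oidlen) == 0)
        return "sha256WithRSAEncryption";
    return "other";
}

/* 1 = signed with md5WithRSAEncryption, 0 = some other algorithm,
 * -1 = certificate could not be parsed.  Tri-state on purpose: callers must
 * test for == 1, not != 0, the same mistake the OpenSSL advisory describes. */
int cert_signed_with_md5(const unsigned char *der, size_t len)
{
    size_t oidlen;
    const unsigned char *oid = cert_sig_oid(der, len, &oidlen);
    if (oid == NULL) return -1;
    return oidlen == sizeof OID_MD5_RSA && memcmp(oid, OID_MD5_RSA, oidlen) == 0;
}

/* Constructed, certificate-shaped DER for the demonstration (not real
 * certificates: the tbsCertificate is an empty SEQUENCE and the signature
 * value is a one-byte BIT STRING). */
static const unsigned char CERT_MD5[] = {
    0x30,0x14, 0x30,0x00,
    0x30,0x0D, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04, 0x05,0x00,
    0x03,0x01,0x00 };
static const unsigned char CERT_SHA256[] = {
    0x30,0x14, 0x30,0x00,
    0x30,0x0D, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, 0x05,0x00,
    0x03,0x01,0x00 };
static const unsigned char CERT_TRUNCATED[] = { 0x30,0x14, 0x30,0x00 };

int main(void)
{
    printf("md5 cert:       %2d  %s\n", cert_signed_with_md5(CERT_MD5, sizeof CERT_MD5),
           cert_sig_alg_name(CERT_MD5, sizeof CERT_MD5));
    printf("sha256 cert:    %2d  %s\n", cert_signed_with_md5(CERT_SHA256, sizeof CERT_SHA256),
           cert_sig_alg_name(CERT_SHA256, sizeof CERT_SHA256));
    printf("truncated cert: %2d  %s\n", cert_signed_with_md5(CERT_TRUNCATED, sizeof CERT_TRUNCATED),
           cert_sig_alg_name(CERT_TRUNCATED, sizeof CERT_TRUNCATED));
    return 0;
}
```

On a real chain the check belongs on every certificate except the self-signed root (whose signature is not what anchors trust), and a parse failure should be reported, not silently treated as "not MD5".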