Forgot your password?
typodupeerror
Security The Internet

CCC Create a Rogue CA Certificate 300

Posted by CmdrTaco
from the they-even-faked-this-dept dept.
t3rmin4t0r writes "Just when you were breathing easy about Kaminsky, DNS and the word hijacking, by repeating the word SSL in your head, the hackers at CCC were busy at work making a hash of SSL certificate security. Here's the scoop on how they set up their own rogue CA, by (from what I can figure) reversing the hash and engineering a collision up in MD5 space. Until now, MD5 collisions have been ignored because nobody would put in that much effort to create a useful dummy file, but a CA certificate for phishing seems juicy enough to be fodder for the botnets now."
This discussion has been archived. No new comments can be posted.

CCC Create a Rogue CA Certificate

Comments Filter:
  • No weakness (Score:2, Informative)

    by GigsVT (208848) on Tuesday December 30, 2008 @01:29PM (#26269183) Journal

    It's important to note that this sort of collision is not taking advantage of any of the known weaknesses in MD5, rather it's brute force.

    This is just to head off the inevitable screaming of "MD5 is broken for everything anyway!!!".

  • by Anonymous Coward on Tuesday December 30, 2008 @01:34PM (#26269231)

    From what I understood from the talk, banks do not - they use SHA1. However, about a third of all CA-signed certificates that Firefox trusts has MD5 signatures.

    The cool thing is that once you have a rogue CA certificate, you can sign your bank phishing site with a SHA1 signature. This was apparently made harder to detect due to CA:s signing their own certificates with MD5 signatures, which means that if you only check for MD5 signatures in the actual certificate, it's trivial to get passed you, and if you check for MD5 signatures in the whole certification chain, you'd mostly get false positives.

  • by TypoNAM (695420) on Tuesday December 30, 2008 @01:34PM (#26269233)
    I hate replying to myself, but if anybody hasn't noticed that CmdrTaco has been trying to tell us something and by this article he has apparently given up:

    Alan Cox Leaves Red Hat
    Posted by CmdrTaco on 10:11 AM -- Tuesday December 30 2008
    from the bet-wherrever-he's-going-he'll-have-electricity-and-heat dept.

    The Fight Over NASA's Future
    Posted by CmdrTaco on 08:15 AM -- Tuesday December 30 2008
    from the still-no-power-at-my-house dept.

    Storm Causes AT&T Outage Across Midwest
    Posted by CmdrTaco on 08:55 AM -- Monday December 29 2008
    from the guess-who-this-includes dept.

    So he's without power and worse no internet at his home, aww poor CmdrTaco. Somebody please think of the slashdot editors! Anybody got a spare generator and fuel? ;)
  • by fastest fascist (1086001) on Tuesday December 30, 2008 @01:40PM (#26269313)
    Using that would probably be more hassle than your average user is willing to put up with. A bigger wtf is, in my opinion: Do so many banking services really rely on a single login/pass combo per user for authentication? When banking security comes up here, I see people worry about having their login+pass revealed, which makes me think that's the only verification their banks use.

    My bank at least also uses a one-time pad system, namely a numbered list of 100 pre-generated codes. So I log in using a username and pass, and then to actually do something with the on-line banking system I'm asked to provide the code that relates to a randomly chosen number between 0000 and 0099. A code can only be used once. So basically if the phishing site manages to get hold of a few numbers from a user's passcode list, the chances are still pretty slim they'll be able to do anything with them.

    Of course, if they scam hundreds of people, they will get a few successes, but not very many.
  • CA's using MD5 (Score:5, Informative)

    by xaosflux (917784) on Tuesday December 30, 2008 @01:40PM (#26269319) Homepage

    FTA, the following common CA's are still using MD5.

    RapidSSL
    C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1

    FreeSSL (free trial certificates offered by RapidSSL)
    C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications

    TC TrustCenter AG
    C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de

    RSA Data Security
    C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority

    Thawte
    C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

    verisign.co.jp
    O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

  • by gclef (96311) on Tuesday December 30, 2008 @01:44PM (#26269355)

    It's in their slides. As of 2008, there were some big names still using MD-5:

    RapidSSL
    FreeSSL
    TrustCenter
    RSA Data Security (!)
    Thawte (!)
    verisign.co.jp

  • Re:No weakness (Score:2, Informative)

    by Anonymous Coward on Tuesday December 30, 2008 @01:48PM (#26269375)

    What? It's absolutely a weakness in MD5 that collisions are possible to find. These guys pushed that a little further by finding a controlled collision within a smallish time window. While the attack does require some computation, it is not "brute force" in the sense that it would not work (in a practical amount of time) against an otherwise secure 128-bit hash, but rather exploits MD5s known weaknesses.

  • by viega (564643) <viega@lis t . o rg> on Tuesday December 30, 2008 @01:50PM (#26269399) Homepage
    A lot of people in the twitterverse seem to think otherwise, but this is not a major breakage of the Internet. See my commentary at O'Reilly: http://broadcast.oreilly.com/2008/12/the-sky-is-not-falling-on-toda.html [oreilly.com]
  • by Opportunist (166417) on Tuesday December 30, 2008 @01:53PM (#26269437)

    Implementing something more secure costs X, cost of fraud is Y, change when Y exceeds X, until then, leave everything untouched.

    That's just how banks work. You can yell at them how insecure their online banking is 'til you're blue, but you won't change a thing. I've tried. More than one way.

    Telling them won't change a thing. Magazines and newspapers don't report it because they don't want to risk those multi-page bank ads. What's left besides breaking the law and using the exploits to make a point?

  • by perp (114928) on Tuesday December 30, 2008 @01:54PM (#26269441)
    If I understand the CCC's paper correctly, as long as *even one* of the CA certs trusted by the browser uses MD5, it is possible (with considerable effort) to create an intermediate CA cert that can be used to sign a cert for any FQDN, say paypal.com. Then with a little DNS poisoning, the user is directed to an https site, with a correct domain name and (if the user looks, not bloody likely) a perfectly good certificate that looks like it was signed by a cert that was signed by a cert trusted by the browser.

    You don't have to create many rogue certs, all you have to to is create one rogue intermediate CA cert that can sign as many certs as you like, all of which will be accepted with the default browser config. This is what the CCC has done.
  • Re:No weakness (Score:3, Informative)

    by blueg3 (192743) on Tuesday December 30, 2008 @02:08PM (#26269561)

    Since MD5 is 128 bits, if computing a collision takes on the order of 2^128 attempts, it is indeed brute force and is not a weakness of MD5 at all. A weakness is a property that allows you to perform some undesirable action -- say, compute a collision -- faster than absolute brute force.

  • by Anonymous Coward on Tuesday December 30, 2008 @02:14PM (#26269605)

    EV requires SHA-1, not SHA-2, but you're right that EV is an effective mitigation. Not all devices (e.g. phones) support SHA-2 yet but all support SHA-1.

    The number of certs issued isn't very relevent; this isn't a second pre-image attack. So, RapidSSL/FreeSSL simply need to stop issuing MD5-signed certs.

  • by Alrescha (50745) on Tuesday December 30, 2008 @02:16PM (#26269627)

    "I wonder how broken the intarwebs would be to me if I simply deleted all the MD5-based root certificates from my box? Would I even notice?"

    I think a better idea would be to simply delete all the certificates from your box (CA certs included!). Then start marking individual web certs as trusted after you inspect them yourself.

    A.

  • by owlstead (636356) on Tuesday December 30, 2008 @02:39PM (#26269855)

    Strange bunch of hackers. Don't expect some rouge students here, one is Arjen Lenstra, which is a well known figure in the security scene.

    Very interesting to see that not only do they issue certificates using MD5 signatures (a very stupid thing to do) but they haven't even bothered to make sure that only leaf certificates can be issued. Or there are probably other CA certificates already issued under these root CA's, making matters even worse.

    The article was very well written and thus easy to read. I'm only concerned about the recommendation of the authors to do nothing if you've been issued an MD5 certificate yourself. Doing nothing does not seem to be a very good advice. I would myself go to another shop and get a SHA-1 signed certificate (or even a SHA-2 signed certificate for those not concerned with low level browsers). At least your customers will know that there is no man in the middle due to the MD5 issue, and you show that you care for your clients' security.

    Hopefully SHA-1 will hold up a bit longer, because last time I looked (a year ago or somewhere in that order), there were zero (0!) certificates that were self signed using SHA-2, which is not a good indication of the current state at all.

    Gosh, that's the second CA I've disabled within Firefox just this week. Interesting times.

  • Re:No weakness (Score:5, Informative)

    by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Tuesday December 30, 2008 @02:50PM (#26270001) Homepage Journal

    Maybe it's my naivety, but wouldn't a hash have to be of infinite length to be able to be used in a way that guarantees no collisions?

    That's what I thought he was saying at first, but it's not. For an n-bit hash, the birthday paradox [wikipedia.org] says you'll need to try an average of (n/2) bits to find a hit. The problem with MD5 is that you can find collisions in much fewer than 2^64 attempts. So sayeth Wikipedia [wikipedia.org]:

    On 18 March 2006, Klima published an algorithm[9] that can find a collision within one minute on a single notebook computer, using a method he calls tunneling.

    So yes, all fixed-length hashes will have an infinite number of collisions. It's just that some hash algorithms make it a whole lot easier to find some of them.

  • by Anonymous Coward on Tuesday December 30, 2008 @02:54PM (#26270047)

    It's not quite as bad as it sounds. Their attack relies on guessing the certificate serial number and date correctly, which is easy with the CA they chose: RapidSSL uses a completely automatic workflow, issues certificates exactly 6 seconds after the signing request and uses sequential serial numbers. If the CA randomizes the signing date and serial numbers, they can prevent this attack. If this CA does that, and they've promised they will do this and/or switch to SHA-1 ASAP, then this hole is patched, for now. If at least one other CA exists which uses MD5 for signing certificates AND uses sequential serial numbers AND has predictable timing, then that CA is indeed an avenue to attack.

    They have to guess these parameters because it's a collision attack: They can not create a new document with the same MD5 hash value as a given document (an existing certificate in this case). They can only create two documents with the same MD5 hash value, if they can add some arbitrary (random looking) bytes to both documents. They use the public key in the legitimate certificate to hide this "garbage". Consequentially the legitimate certificate is non-functional because the key in the certificate isn't an actual public key to which they know they private key. When the CA signs their legitimate certificate, with the right serial number and at the right time, it signs a document which is crafted to have the same MD5 as the other certificate. All other data can be chosen directly by the attacker and just has to conform to the formal specification of a certificate signing request (and look unsuspicious, hence hiding the garbage in the key). The other document (certificate) also has to be a formally valid certificate and can use arbitrary serial numbers and dates, as long as the garbage is hidden in a field that is ignored by the browser (Netscape comment field in their example).

  • by kerubi (144146) on Tuesday December 30, 2008 @03:06PM (#26270173)

    Good conclusions. You write that RapidSSL and FreeSSL should be pulled from IE and Netscape.

    Interesting point about this is, that there is only approx 30 Trusted CA:s in Windows Vista. Compared to how many in XP? 80-100 or so?

    Seems that some have already been pulled?

  • by SpaceLifeForm (228190) on Tuesday December 30, 2008 @03:10PM (#26270209)

    And that is what was done.

    Link [wired.com]

    A powerful digital certificate that can be used to forge the identity of any website on the internet is in the hands of in international band of security researchers, thanks to a sophisticated attack on the ailing MD5 hash algorithm, a slip-up by Verisign, and about 200 PlayStation 3s.

    "We can impersonate Amazon.com and you won't notice," says David Molnar, a computer science PhD candidate at UC Berkeley. "The padlock will be there and everything will look like it's a perfectly ordinary certificate."

  • Re:No weakness (Score:4, Informative)

    by SanityInAnarchy (655584) <ninja@slaphack.com> on Tuesday December 30, 2008 @04:00PM (#26270813) Journal

    Actually, yes it is. You just need a strong enough cipher.

    The way I understand it, for example, 4096-bit RSA either requires a dramatically new approach (quantum computing), or, with current technologies, requires every atom in the Universe to be assembled into a massive compute cluster, and that cluster needs to run for longer than the heat death of the Universe.

    Botnets do change some things, but they don't change basic mathematics.

  • Re:No weakness (Score:3, Informative)

    by amorsen (7485) <benny+slashdot@amorsen.dk> on Tuesday December 30, 2008 @05:12PM (#26271903)

    If computing a collision takes on the order of 2^128 attempts, it won't happen. Anyway, you can make a collision of a 128-bit hash in 2^64 attempts, but even that is out of the reach for most people. Unfortunately you can generate collisions for MD5 much much faster than 2^64 operations.

Never put off till run-time what you can do at compile-time. -- D. Gries

Working...