[Infowarrior] - Major break in MD5 signed X.509 certificates
Richard Forno
rforno at infowarrior.org
Tue Dec 30 15:30:47 UTC 2008
Major break in MD5 signed x.509 certificates
http://www.veracode.com/blog/2008/12/major-break-in-md5-signed-x509-certificates/
by Chris Wysopal
December 30, 2008
Jacob Appelbaum and Alexander Sotirov just gave a presentation at the
Chaos Communications Congress in Germany. They have implemented a
practical MD5 collision attack on X.509 certificates. All major
browsers accept MD5 signatures on certs even though it has been shown
to have the collision problem for almost 2 years now. If you can
generate your own X.509 certificates you can perform perfect MITM
attacks on SSL. They went one better and generated an intermediate
certificate authority certificate so they could sign their own
certificates. This way they only need to do the attack once and can
create as many valid certificates as they want.

Six certificate authorities are still using MD5 signing: RapidSSL,
FreeSSL, TrustCenter, RSA Data Security, Thawte, verisign.co.jp. They
are not going to be happy about this new attack. They decided to
target RapidSSL because they were able to better predict some of the
certificate fields (serial number and time) because of the way
RapidSSL issues the certificates. They were able to perform the
computations required with 200 PlayStation 3s over 1-2 days. It's
estimated to be the same as 8000 Intel cores or $20,000 on Amazon EC2.

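A defender-side check that follows from the above, added here as an example and not taken from the post or from the researchers' work: it walks the DER of an X.509 certificate to the outer signatureAlgorithm OID and flags MD5 (and SHA-1) signatures, which is exactly what browsers and CA audits were not doing in 2008. The DER walker, the OID table and the constructed stand-in certificate are this example's own; the stand-in has a placeholder TBS and signature and is not a real certificate.

```python
SIG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",    # broken: practical collisions
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",   # the CAs' 2008 fallback, since deprecated
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # DER content of 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # DER content of 1.2.840.113549.1.1.11

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OID content bytes (base-128 arcs) to dotted notation."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """OID from Certificate.signatureAlgorithm, i.e. what the CA actually signed with."""
    _, cert, _ = read_tlv(cert_der)            # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, pos = read_tlv(cert)                 # tbsCertificate: skipped
    _, alg, _ = read_tlv(cert, pos)            # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(alg)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid)

def classify(cert_der):
    """Return (algorithm name, is_weak); weak means an MD5 or SHA-1 signature."""
    oid = signature_algorithm(cert_der)
    return SIG_NAMES.get(oid, oid), oid in WEAK

def tlv(tag, content):  # tiny DER encoder (short-form lengths only), used for the sample
    return bytes([tag, len(content)]) + content

def sample_cert(sig_oid):
    """Constructed stand-in certificate (not real): placeholder TBS and signature bits."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                # tbsCertificate holding only a serial
    alg = tlv(0x30, tlv(0x06, sig_oid) + b"\x05\x00")  # AlgorithmIdentifier { oid, NULL }
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 5))
```

On a real chain, run classify over every certificate (the intermediate in the talk is the one that matters), and compare the outer OID with the tbsCertificate.signature field, which must match.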
They ask the question, “Can we trust anything signed with a cert
issued by a CA that signed with MD5 signatures in the last couple of
years?” The affected CAs have been notified and are going to switch to
SHA-1. They also ask the question, “Why did it take an implemented
attack to get the CAs to switch to SHA-1?” After all, the attack has
been known for almost 2 years now. We used the slogan, “Making the
theoretical practical since 1992” at L0pht Heavy Industries to
highlight the need to implement attacks to get some organizations to
improve the security of the implementation. It is a bit sad to see that in
2008 a demonstration is still necessary.

The researchers were worried about repercussions from the CAs that might
want to gag them. They had Mozilla and Microsoft sign NDAs that they
wouldn’t tell the CAs about the problem until they could give their
presentation. They think researchers should consider NDAs with vendors
for protection.

You can see a demo of their forged cert here: https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/
They purposely dated the cert to expire on 9/1/2004, so you need to
backdate your machine's clock for it to validate properly.