[Infowarrior] - Creating a rogue CA certificate

Richard Forno rforno at infowarrior.org
Wed Dec 31 01:03:47 UTC 2008


http://www.win.tue.nl/hashclash/rogue-ca/

December 30, 2008
MD5 considered harmful today
Creating a rogue CA certificate
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger

Summary

We have identified a vulnerability in the Internet Public Key  
Infrastructure (PKI) used to issue digital certificates for secure  
websites. As a proof of concept we executed a practical attack  
scenario and successfully created a rogue Certification Authority (CA)  
certificate trusted by all common web browsers. This certificate  
allows us to impersonate any website on the Internet, including  
banking and e-commerce sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic hash  
function that allows the construction of different messages with the  
same MD5 hash. This is known as an MD5 "collision". Previous work on  
MD5 collisions between 2004 and 2007 showed that the use of this hash  
function in digital signatures can lead to theoretical attack  
scenarios. Our current work proves that at least one attack scenario  
can be exploited in practice, thus exposing the security  
infrastructure of the web to realistic threats.

As a result of this successful attack, we are currently in possession  
of a rogue Certification Authority certificate. This certificate will  
be accepted as valid and trusted by all common browsers, because it  
appears to be signed by one of the root CAs that browsers trust by  
default. In turn, any website certificate signed by our rogue CA will  
be trusted as well. If an unsuspecting user is a victim of a  
man-in-the-middle attack using such a certificate, they will be assured that  
the connection is secure through all common security indicators: an  
"https://" url in the address bar, a closed padlock and messages such as "This  
certificate is OK" if they chose to inspect the certificate.

This successful proof of concept shows that the certificate validation  
performed by browsers can be subverted and malicious attackers might  
be able to monitor or tamper with data sent to secure websites.  
Banking and e-commerce sites are particularly at risk because of the  
high value of the information secured with HTTPS on those sites. With  
a rogue CA certificate, attackers would be able to execute practically  
undetectable phishing attacks against such sites.

The infrastructure of Certification Authorities is meant to prevent  
exactly this type of attack. Our work shows that known weaknesses in  
the MD5 hash function can be exploited in a realistic attack, due to the  
fact that even after years of warnings about the lack of security of  
MD5, some root CAs are still using this broken hash function.
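The practical check that follows from the paragraph above is to find out which signature algorithm a certificate in a chain was actually issued with. The following script is an added example and is not code from the hashclash page or from the researchers; it contains a small DER tag-length-value reader that locates the two places an X.509 certificate records its signature algorithm (the `signature` field inside `tbsCertificate` and the outer `signatureAlgorithm`, which RFC 5280 requires to be identical) and flags MD2/MD5-based RSA signatures. The `build_fake_cert` helper constructs certificate-shaped DER with placeholder fields and a dummy signature purely so the parser can be exercised offline; it does not produce a real or signed certificate.

```python
"""Flag X.509 certificates whose signature algorithm is MD2/MD5-based.

Added example (not from the hashclash page). Pure Python, no third-party
dependencies: a minimal DER reader plus an OID decoder, enough to pull the
signature AlgorithmIdentifiers out of a DER- or PEM-encoded certificate.
"""
import base64
import sys

# PKCS#1 signature-scheme OIDs (1.2.840.113549.1.1.x)
MD2_RSA = "1.2.840.113549.1.1.2"
MD5_RSA = "1.2.840.113549.1.1.4"
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"
WEAK_SIGNATURE_OIDS = {MD2_RSA: "md2WithRSAEncryption", MD5_RSA: "md5WithRSAEncryption"}


def read_tlv(data, pos):
    """Parse one DER TLV starting at data[pos]; return (tag, content, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: 0x8N then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("DER length exceeds buffer")
    return tag, data[pos:end], end


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:                  # base-128, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tag, tbs, pos = read_tlv(cert, 0)       # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    # TBSCertificate: [0] EXPLICIT version (optional), INTEGER serialNumber, AlgorithmIdentifier signature
    tag, _, p = read_tlv(tbs, 0)
    if tag == 0xA0:                         # version present; the next element is the serial
        tag, _, p = read_tlv(tbs, p)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    tag, alg, _ = read_tlv(tbs, p)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    inner = decode_oid(read_tlv(alg, 0)[1])
    _, alg_outer, _ = read_tlv(cert, pos)   # signatureAlgorithm follows tbsCertificate
    outer = decode_oid(read_tlv(alg_outer, 0)[1])
    return inner, outer


def assess(cert_der):
    """One-line verdict: REJECT on field mismatch, WEAK for MD2/MD5, OK otherwise."""
    inner, outer = signature_algorithms(cert_der)
    if inner != outer:
        return f"REJECT: tbsCertificate.signature {inner} != signatureAlgorithm {outer}"
    if outer in WEAK_SIGNATURE_OIDS:
        return f"WEAK: signed with {WEAK_SIGNATURE_OIDS[outer]} ({outer})"
    return f"OK: signed with {outer}"


def load_pem(text):
    """Strip the BEGIN/END armor and base64-decode a PEM certificate."""
    body = "".join(line for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


# --- constructed test data (not a real certificate) ---------------------------
def der(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def build_fake_cert(sig_oid, tbs_oid=None):
    """Certificate-shaped DER with placeholder fields and a dummy signature (constructed, unsigned)."""
    tbs_oid = tbs_oid or sig_oid
    alg = lambda oid: der(0x30, encode_oid(oid) + der(0x05, b""))   # AlgorithmIdentifier + NULL params
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                    # version [0] EXPLICIT = v3
                    + der(0x02, b"\x01")                              # serialNumber
                    + alg(tbs_oid)                                    # signature
                    + der(0x30, b"") * 4)                             # issuer/validity/subject/SPKI placeholders
    sig = der(0x03, b"\x00" + b"\xAA" * 128)                          # BIT STRING, dummy signature value
    return der(0x30, tbs + alg(sig_oid) + sig)


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # real use: python md5check.py cert.pem
        print(assess(load_pem(open(sys.argv[1]).read())))
    else:
        for oid in (MD5_RSA, SHA1_RSA, SHA256_RSA):
            print(assess(build_fake_cert(oid)))
```

Two caveats when running this over a real chain: a trust anchor's own self-signature is not what a browser checks, so an MD5 self-signed root is not by itself the problem; what matters is the algorithm on the intermediate and end-entity certificates that a CA issues, since that is the signature a collision attack forges. And a sound validator must compare both algorithm fields, as the script does, rather than reading only the outer `signatureAlgorithm`.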

The vulnerability we expose is not in the SSL protocol or the web  
servers and browsers that implement it, but in the Public Key  
Infrastructure. This infrastructure has applications in other areas  
than the web, but we have not investigated all other possible attack  
scenarios. So other attack scenarios beyond the web are conceivable,  
such as in the areas of code signing, e-mail security, and in other  
areas that use certificates for enabling digital signatures or public  
key encryption.

The rest of this document will explain our work and its implications  
in a fair amount of detail. In the interest of protecting the Internet  
against malicious attacks using our technique, we have omitted the  
critical details of our sophisticated and highly optimized method for  
computing MD5 collisions. A scientific paper about our method is in  
preparation and will be released after a few months, so that the  
affected Certification Authorities have had some time to remedy this  
vulnerability.

< - >
