[Ach] Algorithm Check on Path Validation?
iang at iang.org
Sun Jan 26 18:08:45 CET 2014
On 26/01/14 13:10 PM, Rainer Hoerbe wrote:
> Am 25.01.2014 um 21:22 schrieb ianG <iang at iang.org>:
>> On 25/01/14 21:12 PM, Rainer Hoerbe wrote:
>>> A potential problem with weak CA signatures (using RSA 1024 and/or MD5) will remain for some time. According to the current cab policy RSA 1024 and MD5 have been banned only for certificates issued from 2011 onwards.
>> I think ordinary MD5 is already out.
> I became aware of that when I encountered it with a private CA. It is obviously being accepted by usual deployments such as apache and enterprise load balancing HW. What would stop someone from faking a cert exploiting an MD5 collision just claiming that a shiny comodo cert was created with rsa1024/md5, if the client does not reject it?
Well, if there are any roots that are signing with raw MD5, you would
have to generate a collision attack which would require a fair amount of
crunching, a lot of certs, and strange stuff in the keys. The attack
that breached RocketSSL took a few months of attempts. That of course
might come down...
Certainly if someone is running a private CA they should specify SHA256
or SHA512 for signing.
>> Remember, nobody's crunched 1024 as yet. When they do, it's only one
>> RSA key... MD5 was collision attacked in around 2005. It wasn't until
>> 2009 or so that Jake&friends did a collision attack on a root cert using
>> raw MD5.
> Agreed. I am not so concerned about rsa1024, but about MD5, unless one can be sure that this has been rooted out completely.
Indeed! It is proving surprisingly hard to root it out, which is a slap
on the face for anyone who is keen on algorithmic agility. The point of
algorithmic agility is that you can switch when we see a problem. Now
we have a problem. We can't switch. Doh!
Even worse, when there was a problem with the SSL suites, they had to
switch *back to RC4*. Double-Doh!
The problem however is not a config problem, it's a software problem.
Not really our target audience, I thought?
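
An added example, not part of the original message or of any software discussed in the thread: one way a client could apply the algorithm check the thread asks about during path validation, flagging MD5 signatures and short RSA keys. The 2048-bit floor, the function names and the skeleton certificates are assumptions constructed for illustration.

```python
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # md5WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
RSA_ENC = bytes.fromhex("2a864886f70d010101")     # rsaEncryption
WEAK_SIG = {MD5_RSA: "md5WithRSAEncryption"}
MIN_RSA_BITS = 2048  # assumed policy floor; the thread only calls 1024 weak

def tlv(tag, body):  # DER-encode one element
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def children(buf):  # split DER content into (tag, value) pairs
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def inspect(der):
    """Return (signature algorithm OID, RSA modulus bits) for one certificate."""
    tbs, sig_alg, _sig = (v for _, v in children(children(der)[0][1]))
    spki = children(tbs)[6][1]  # 7th field, assuming an explicit [0] version
    key = children(children(spki)[1][1][1:])[0][1]  # skip BIT STRING pad octet
    return children(sig_alg)[0][1], int.from_bytes(children(key)[0][1], "big").bit_length()

def check_path(chain):
    """chain: DER certs, leaf first, trust anchor last. Returns violations."""
    problems = []
    for depth, der in enumerate(chain):
        sig_oid, bits = inspect(der)
        # The anchor is trusted by configuration, not by its self-signature.
        if depth < len(chain) - 1 and sig_oid in WEAK_SIG:
            problems.append((depth, WEAK_SIG[sig_oid]))
        if bits < MIN_RSA_BITS:
            problems.append((depth, f"RSA-{bits}"))
    return problems

def sample_cert(sig_oid, bits):
    """Constructed skeleton: real layout, empty names, dummy signature."""
    alg = lambda o: tlv(0x30, tlv(0x06, o) + tlv(0x05, b""))
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = tlv(0x30, tlv(0x02, b"\x00" + n) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, alg(RSA_ENC) + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg(sig_oid) + tlv(0x30, b"") * 3 + spki)
    return tlv(0x30, tbs + alg(sig_oid) + tlv(0x03, bytes(1 + bits // 8)))
```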