[Ach] Algorithm Check on Path Validation?

Rainer Hoerbe rainer at hoerbe.at
Sun Jan 26 22:32:13 CET 2014


>>>> A potential problem with weak CA signatures (using RSA 1024 and/or MD5) will remain for some time. According to the current CAB policy, RSA 1024 and MD5 have been banned only for certificates issued from 2011 onwards.
>>> 
>>> I think ordinary MD5 is already out.
>> I became aware of that when I encountered it with a private CA. It is obviously being accepted by usual deployments such as Apache and enterprise load balancing HW. What would stop someone from faking a cert by exploiting an MD5 collision, just claiming that a shiny Comodo cert was created with rsa1024/md5, if the client does not reject it?
> 
> 
> Well, if there are any roots that are signing with raw MD5, you would
> have to generate a collision attack which would require a fair amount of
> crunching, a lot of certs, and strange stuff in the keys.  The attack
> that breached RocketSSL took a few months of attempts.  That of course
> might come down...
So we agree that a moderately potent adversary could actually fake an intermediate CA cert using MD5. That would be quite a valuable target, and could be cheaper than hacking, blackmailing or buying a (Sub-)CA.

> 
> Certainly if someone is running a private CA they should specify SHA256
> or SHA512 for signing.
That particular MD5-issuing CA was configured in 2001 and had the fate of many deployments: never fix a running system.

I disagree that SHA2 is certain in managed environments. In 2011, for a European project handling sensitive health data, we put together a PKI for some 100 users in 10 member states that had to be ECRYPT Level 7 compliant. Getting everybody (CAs + deployers) to agree on SHA2 was a real hassle and almost failed. I would even say that without regulatory pressure, algorithms are unlikely to be upgraded.

> 
> The problem however is not a config problem, it's a software problem.

Hmm, not sure about this, because deployers are caught between two stools. Some vendors (Mozilla, MS) protect against MD5 and RSA < 1024. But developers using generic toolkits (Java, OpenSSL) are on their own. So the better crypto config should at least warn deployers about products that do not protect against weak signatures.

- Rainer
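The kind of algorithm gate the message is asking for, as an added example that is not part of this thread or of any product it names: a small Python script that parses just enough DER from each certificate in a chain to pull out the outer signature algorithm OID, the RSA modulus size and notBefore, then flags MD5 signatures and RSA keys under 2048 bits, marking a finding as an outright policy breach only for certificates issued from 2011 on (the CAB cut-off year quoted above) and as legacy otherwise. The sample chain, the names in it and the dummy signature values are constructed for the example; nothing here verifies a signature, the point is a check a deployer can run before or alongside path validation when the toolkit underneath silently accepts weak signatures.

```python
# Added example, not from the thread: algorithm gate over an X.509 chain.
MD5_RSA = "1.2.840.113549.1.1.4"
SHA256_RSA = "1.2.840.113549.1.1.11"
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
POLICY_CUTOFF_YEAR = 2011   # per the CAB policy cited in the thread, MD5 / RSA-1024 banned from 2011 on
MIN_RSA_BITS = 2048

def der(tag, content):
    """Encode one DER TLV, short or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_oid(dotted):
    """Encode a dotted OID (first two arcs packed, the rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        while arc >= 0x80:
            arc >>= 7
            enc.insert(0, 0x80 | (arc & 0x7F))
        body.extend(enc)
    return der(0x06, bytes(body))

def der_int(value):
    # the spare byte yields the leading 0x00 DER requires when the top bit is set
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def make_cert(cn, sig_oid, modulus_bits, not_before):
    """Constructed certificate (not a real one) with the given signature OID, key size and notBefore UTCTime."""
    alg_id = der(0x30, der_oid(sig_oid) + b"\x05\x00")
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, cn.encode()))))
    validity = der(0x30, der(0x17, not_before.encode()) + der(0x17, b"360101000000Z"))
    modulus = (1 << (modulus_bits - 1)) | 1        # exactly modulus_bits bits; not a real key
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, der(0x30, der_oid(RSA_ENCRYPTION) + b"\x05\x00") + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg_id + name + validity + name + spki)
    return der(0x30, tbs + alg_id + der(0x03, b"\x00" + b"\xAA" * 16))   # dummy signature value

def read_tlv(buf, pos=0):
    """Return (tag, content, position after this TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next (length & 0x7F) bytes hold the length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def children(content):                             # split a constructed value into (tag, content) members
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def inspect_cert(cert):
    """Extract subject CN, outer signature OID, RSA modulus bits and notBefore year."""
    _, outer, _ = read_tlv(cert)
    (_, tbs), (_, sig_alg), _ = children(outer)    # tbsCertificate, signatureAlgorithm, signatureValue
    fields = children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    rdn = children(children(children(fields[4][1])[0][1])[0][1])   # Name > SET > SEQUENCE
    not_before = children(fields[3][1])[0][1].decode()
    year = int(not_before[:2]); year += 1900 if year >= 50 else 2000   # RFC 5280 UTCTime century rule
    (_, key_alg), (_, key_bits) = children(fields[5][1])
    bits = None
    if decode_oid(children(key_alg)[0][1]) == RSA_ENCRYPTION:
        modulus = children(children(key_bits[1:])[0][1])[0][1]     # BIT STRING > RSAPublicKey > n
        bits = int.from_bytes(modulus, "big").bit_length()
    return {"cn": rdn[1][1].decode(), "sig_oid": decode_oid(children(sig_alg)[0][1]),
            "key_bits": bits, "year": year}

def check_chain(chain):
    """(cn, issue, post_cutoff) per weak certificate; post_cutoff marks an outright policy breach."""
    findings = []
    for info in map(inspect_cert, chain):
        post = info["year"] >= POLICY_CUTOFF_YEAR
        if info["sig_oid"] == MD5_RSA:
            findings.append((info["cn"], "md5WithRSAEncryption signature", post))
        if info["key_bits"] is not None and info["key_bits"] < MIN_RSA_BITS:
            findings.append((info["cn"], f"RSA-{info['key_bits']} key", post))
    return findings

# Constructed chain: a 2014 leaf issued by a sub-CA configured in 2001 and never updated, under a 2000 root.
SAMPLE_CHAIN = [
    make_cert("www.example.test", MD5_RSA, 2048, "140115000000Z"),
    make_cert("Constructed Sub CA", MD5_RSA, 1024, "010601000000Z"),
    make_cert("Constructed Root CA", SHA256_RSA, 2048, "000101000000Z"),
]
```

Run `check_chain(SAMPLE_CHAIN)` and the leaf comes back as a breach (MD5 signature on a 2014 certificate) while the sub-CA's MD5 signature and 1024-bit key come back as legacy findings, which is the split a deployer needs: the legacy ones are the "never fix a running system" cases to plan a migration for, the breach is something the client should refuse outright regardless of what the toolkit does.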

