[Ach] Algorithm Check on Path Validation?
rainer at hoerbe.at
Sun Jan 26 22:32:13 CET 2014
>>>> A potential problem with weak CA signatures (using RSA 1024 and/or MD5) will remain for some time. According to the current CAB policy RSA 1024 and MD5 have been banned only for certificates issued from 2011 onwards.
>>> I think ordinary MD5 is already out.
>> I became aware of that when I encountered it with a private CA. It is obviously being accepted by usual deployments such as Apache and enterprise load balancing HW. What would stop someone from faking a cert exploiting an MD5 collision, just claiming that a shiny Comodo cert was created with rsa1024/md5, if the client does not reject it?
> Well, if there are any roots that are signing with raw MD5, you would
> have to generate a collision attack which would require a fair amount of
> crunching, a lot of certs, and strange stuff in the keys. The attack
> that breached RocketSSL took a few months of attempts. That of course
> might come down...
So we agree that a moderately potent adversary could actually fake an intermediate CA cert using MD5. That would be a quite valuable target, and could be cheaper than hacking, blackmailing or buying a (Sub-)CA.
> Certainly if someone is running a private CA they should specify SHA256
> or SHA512 for signing.
That particular MD5-issuing CA was configured in 2001 and had the fate of many deployments: never fix a running system.
I disagree that SHA2 is certain in managed environments. In 2011, for a European project handling sensitive health data, we put together a PKI for some 100 users in 10 member states that had to be ECRYPT Level 7 compliant. Getting everybody (CAs + deployers) to agree on SHA2 was a real hassle and almost failed. I would even say that without regulatory pressure algorithms are unlikely to be upgraded.
> The problem however is not a config problem, it's a software problem.
Hmm, not sure about this, because deployers are caught between two stools. Some vendors (Mozilla, MS) protect against MD5 and RSA < 1024. But developers using generic toolkits (java, openssl) are on their own. So the better crypto config should at least warn deployers about products that do not protect against weak signatures.
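As an added example, not from this thread or any of its participants, here is what such a warning could look like when a deployer has to build it on top of a generic toolkit: a dependency-free Python check that reads the signatureAlgorithm OID of each DER certificate in a path and flags MD5/MD2 RSA signatures. The `sample_cert` helper and the constructed chain are assumptions made for the demonstration only; the self-signature on the trust anchor is skipped by default because path validation never verifies it.

```python
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",   # flagged algorithms
                       "1.2.840.113549.1.1.2": "md2WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the definite-length DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                        # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """OID of the outer signatureAlgorithm, i.e. what the issuer actually signed with."""
    _, pos, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE { ... }
    _, _, pos = _read_tlv(der, pos)             # skip tbsCertificate
    _, pos, _ = _read_tlv(der, pos)             # enter signatureAlgorithm SEQUENCE
    tag, start, end = _read_tlv(der, pos)       # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(der[start:end])

def weak_signatures(chain, skip_anchor=True):
    """(index, algorithm) for weakly signed certs in a leaf-first chain ending at the anchor."""
    # The anchor's self-signature is never validated on the path, so it is skipped by default.
    to_check = chain[:-1] if skip_anchor else chain
    names = (WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(der)) for der in to_check)
    return [(i, name) for i, name in enumerate(names) if name]

def _tlv(tag, body):
    return bytes([tag, len(body)]) + body       # short-form DER encoder for the sample certs

def sample_cert(sig_oid):
    """Constructed certificate shell (no real key or signature) carrying sig_oid."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + b"\x05\x00")   # AlgorithmIdentifier {oid, NULL}
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 16)             # placeholder signatureValue
    return _tlv(0x30, tbs + alg + sig)
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # md5WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
```

Running `weak_signatures([sample_cert(SHA256_RSA), sample_cert(MD5_RSA), sample_cert(MD5_RSA)])` reports only the MD5-signed intermediate at index 1; real DER certificates from a chain can be passed in the same way.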