Md5BasedHash

https://www.cacert.org uses md5 based hashes. Severe weaknesses have been found in MD5, but at present they do not open vulnerabilities for X.509 certificates, as documented in "Attacks on Cryptographic Hashes in Internet Protocols" by Schneier and Hoffman, http://www.ietf.org/internet-drafts/draft-hoffman-hash-attacks-04.txt

Nevertheless, prudence would suggest moving to SHA-1 (which has fewer problems). See, e.g., the Ubuntu patch for OpenSSL at http://www.ubuntulinux.org/usn/usn-179-1 . Doing this for new certificates would at least model good practices. Adding random content to the serial number when issuing new certs would also be easy and helpful.

It was asserted that Due to the way CAcert uses MD5 hashes for authentication tokens makes this attack pointless, since the attacker doesn't know what the hash is, nor is there any point in colliding with it the only vector of attack is brute force ie 2^80 possibilities but the system limits the number of attempts before rejecting the request, so the attacker would need to keep adding and removing the domain or email address and the md5 token is reset each time.

This makes no sense. The attacker in effect chooses the hash themselves. Given the predictable nature of new CAcert certs, the documented attack is far less than even the design goal of 2^64 for a birthday attack on a 128-bit hash. Read the references for details. As already noted, dangerous and practical attacks don't yet exist, but MD5 is so weak already that they may well come any time.

There are more serious problems with badly implemented signature schemes, e.g. showcases demonstrating PostScript files with different appearance and the same md5 hash. There are even TWO DIFFERENT X.509 CERTIFICATES WITH THE SAME MD5 HASH, but as explained in the document referenced, this cannot be exploited in a meaningful attack.

Colliding X.509 Certificates

http://www.win.tue.nl/~bdeweger/CollidingCertificates/

http://www.win.tue.nl/~bdeweger/CollidingCertificates/

http://en.wikipedia.org/wiki/Md5

http://www.schneier.com/blog/archives/2005/06/more_md5_collis.html

http://cryptography.hyperlink.cz/md5/MD5_collisions.pdf

http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

http://en.wikipedia.org/wiki/SHA-1

http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

http://www.schneier.com/blog/archives/2005/06/sha_cryptanalys.html

Md5BasedHash (last edited 2008-05-22 22:16:52 by anonymous)