Md5BasedHash uses md5 based hashes. Severe weaknesses have been found in MD5, but at present they do not open vulnerabilities for X.509 certificates, as documented in "Attacks on Cryptographic Hashes in Internet Protocols" by Schneier and Hoffman,

Nevertheless, prudence would suggest moving to SHA-1 (which has fewer problems). See, e.g., the Ubuntu patch for OpenSSL at . Doing this for new certificates would at least model good practices. Adding random content to the serial number when issuing new certs would also be easy and helpful.

It was asserted that Due to the way CAcert uses MD5 hashes for authentication tokens makes this attack pointless, since the attacker doesn't know what the hash is, nor is there any point in colliding with it the only vector of attack is brute force ie 2^80 possibilities but the system limits the number of attempts before rejecting the request, so the attacker would need to keep adding and removing the domain or email address and the md5 token is reset each time.

This makes no sense. The attacker in effect chooses the hash themselves. Given the predictable nature of new CAcert certs, the documented attack is far less than even the design goal of 2^64 for a birthday attack on a 128-bit hash. Read the references for details. As already noted, dangerous and practical attacks don't yet exist, but MD5 is so weak already that they may well come any time.

There are more serious problems with badly implemented signature schemes, e.g. showcases demonstrating PostScript files with different appearance and the same md5 hash. There are even TWO DIFFERENT X.509 CERTIFICATES WITH THE SAME MD5 HASH, but as explained in the document referenced, this cannot be exploited in a meaningful attack.

Update concerning CAcert

Currently (September 2014) the only place where CAcert still uses MD5 is the self signature of the ("Class 1") root certificate.

There is absolutely no security issue in using MD5 for self-signed (aka Root) certificates. By design, Root certificates cannot be validated automatically by checking the signature. They are self-signed, so it's completely irrelevant which algorithm is used for the signature. From the purely technical point of view they don't need to be signed at all, but I guess this was a tradeoff to standardize certificates made during the dawn of the X509 standard...

You should not use MD5 fingerprints to verify a root certificate. CAcert also publishes SHA1 fingerprints, so please use them if you want to verify downloaded certificate files.

CAcert is working on creating new root certificates, which will also use another standard for their signature.

Note that Bug#1058812 at Bugzilla seems to imply that at Mozilla the rejection of a MD5 signed root certificate is considered as a bug...

Colliding X.509 Certificates

Md5BasedHash (last edited 2014-09-14 20:57:30 by BernhardFröhlich)