Tuesday, December 30, 2008

Forging RSA-MD5 SSL Certs

Wow. This is a big deal:
The forged certificates will say they were issued by a CA called "Equifax Secure Global eBusiness", which is trusted by the major browsers. The forged certificates will be perfectly valid; but they will have been made by forgers, not by the Equifax CA.
To do this, the researchers exploited a cryptographic weakness in one of the digital signature methods, "MD5 with RSA", supported by the Equifax CA. The first step in this digital signature method is to compute the hash (strictly speaking, the cryptographic hash) of the certificate contents.
The hash is a short (128-bit) code that is supposed to be a kind of unique digest of the certificate contents. To be secure, the hash method has to have several properties, one of which is that it should be infeasible to find a collision, that is, to find two values A and B which have the same hash.
It was already known how to find collisions in MD5, but the researchers improved the existing collision-finding methods, so that they can now find two values R and F that have the same hash, where R is a "real" certificate that the CA will be willing to sign, and F is a forged certificate. This is deadly, because it means that a digital signature on R will also be a valid signature on F -- so the attacker can ask the CA to sign the real certificate R, then copy the resulting signature onto F -- putting a valid CA signature onto a certificate that the CA would never voluntarily sign.
Browsers rarely get their list of approved CA certs modified throughout the course of their lives. Most people don't know how to change those, let alone why they should. In Firefox 3, the CA can be removed by going to Preferences > Advanced > Encryption > View Certificates > Authorities > Select the certificate and click delete. I assume the CA cert in question is the one with the following foot print, but cannot say for certain (since it has yet to be published):
8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:98:CC
The question is how to respond to this. There are many CAs that use RSA-MD5 instead of RSA-SHA1. Ripping them from the CA list is probably a good idea, even if it breaks a few web apps. If you are the admin of an e-commerce site using a cert issued by one of these RSA-MD5 CAs, you should probably: 1) Ask for your money back and switch to a different CA, 2) Ask for a new cert issued by an RSA-SHA1 CA, or 3) Forego the purchased certs in lieu of new RSA-SHA1 issued certs, probably in that order of effectiveness.
It is interesting to see a practical attack with MD5 collisions, though. Many people thought they weren't likely.
UPDATED: More info here, too.

4 comments:

Anonymous said...

I think your MD5 is missing a couple bytes...

correct md5=8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:98:CC

It appears as though all CA's that use RSA with MD5 are affected. I found a couple more in my cert manager, but its quite a tedious process to go though and manage without some sort of tool to make it easier.

I'll definitely be paying even more careful attention to SSL sites after this.

Tim MalcomVetter said...

Adam,

Thanks for catching the missing bytes! It will be interesting to see if Mozilla publishes an update that removes the old RSA-MD5 CAs.

Anonymous said...

Do you generally consider 256 bit SSL Certificates adequate enough? I know 128bit is quite a common level of encryption and I was just wondering what your professional opinion is on the adequacy?

Tim MalcomVetter said...

Oliver,

The certificates have very little to do with the size of the keys used during the SSL/TLS process. That has much more to do with the web servers. For example, today's average apache install with openssl can support 256 bit symmetric keys during the payloads of the SSL/TLS tunnels. The certificates are just used for authenticating the web server and then for negotiating a randomly selected session key that the client and server share.

Last time I checked, for instance, a given IIS 6 (Windows 2003) server can only support 128 bit RC4 symmetric keys for the tunnel.

In asymmetric encryption, which is what the public key encryption algorithms are that are leveraged in certificates, 256 bit keys is very, very small. 1024 bit public keys is the norm, but 2048 or even 4096 bit public/private key pairs are becoming very common.