Tuesday, December 30, 2008

Not all MD5 certs are vulnerable

UPDATE: Gah, I missed this on the first read through. They also point out that some CAs randomize their serial numbers.

I've been looking into certificates. Not all of them are vulnerable to this attack, because some CAs randomize their serial numbers. This shows that the solution to the attack isn't necessarily to switch from MD5 to SHA-1 (although that's a good idea); SHA-1 is also theoretically vulnerable, likely in the near future. I would suggest that certs being vulnerable to birthday attacks (regardless of hash algorithm) is as much of a problem as the weaknesses in MD5.

This attack can only work when the contents that will be hashed are predictable. However, certificates contain two fields that are chosen by the certificate authority rather than the applicant: the "serial number" and the "validity period".

The hackers chose Equifax/RapidSSL because Equifax lets them predict these fields. Each time it issues a certificate, Equifax simply increments the serial number by one. Since it issues another certificate every few minutes, you are not guaranteed to guess the number on the first try. In this attack, the attackers had to apply for several certificates before hitting the predicted serial number.

However, the serial number can be ANYTHING. It only has to be unique for every certificate the CA issues; it doesn't even have to be a number, since any text field will do.

Thawte uses what appears to be a random value. The following is a picture of a certificate from Thawte:

What we see in this picture is that Thawte uses an essentially random 16-byte value, "6E:57:69:0A:10:4F:AA:FF:81:74:F8:38:8B:08:0D:F1", whereas Equifax uses a simple counter value like "643015".
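The check a practitioner would want here is whether a given CA's serials look like the Equifax counter or the Thawte value. Below is an added example (not code from the original post) that walks the leading DER fields of an X.509 certificate to pull out the serial and reports its byte offset and a crude randomness score. The two certificates it parses are constructed fixtures containing only the fields up to the serial, not real Equifax or Thawte certificates, and the 8-byte/entropy heuristic is an assumption that only catches obvious counters.

```python
# Added example (not code from the original post): parse the serial number out
# of a DER-encoded X.509 certificate and flag serials that look like a counter.
# The certificates below are constructed fixtures containing only the leading
# tbsCertificate fields needed to reach the serial; they are not real Equifax or
# Thawte certificates, and the heuristic is an assumption that only catches
# obvious counters.
import math


def _read_tlv(buf, pos):
    """Decode one DER tag/length header at buf[pos].

    Returns (tag, value_start, value_end).  Short and long length forms are
    handled; the indefinite form never occurs in DER."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_serial(cert_der):
    """Return (serial_bytes, offset) for a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate ::= SEQUENCE {
        version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... }, ... }
    Only the fields up to the serial are walked.  `offset` is where the serial
    sits inside the certificate: everything the applicant controls (subject
    name, public key) is encoded after it, so the serial is part of the hashed
    prefix that the CA, not the applicant, fixes."""
    tag, pos, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE expected")
    tag, pos, _ = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate SEQUENCE expected")
    tag, vstart, vend = _read_tlv(cert_der, pos)
    if tag == 0xA0:  # optional explicit [0] version; skip it
        tag, vstart, vend = _read_tlv(cert_der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = cert_der[vstart:vend]
    # DER pads a positive INTEGER whose top bit is set with a leading 0x00.
    if len(serial) > 1 and serial[0] == 0 and serial[1] & 0x80:
        serial = serial[1:]
    return serial, vstart


def serial_looks_random(serial):
    """Heuristic (assumed, not a standard): fewer than 8 bytes, or a byte
    distribution far from uniform, is treated as a predictable counter."""
    if len(serial) < 8:
        return False
    counts = {}
    for b in serial:
        counts[b] = counts.get(b, 0) + 1
    n = len(serial)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return entropy >= 0.75 * math.log2(n)


def build_fixture(serial):
    """Constructed minimal certificate: version v3 followed by the given serial."""
    if serial[0] & 0x80:
        serial = b"\x00" + serial
    tbs_body = b"\xa0\x03\x02\x01\x02" + b"\x02" + bytes([len(serial)]) + serial
    tbs = b"\x30" + bytes([len(tbs_body)]) + tbs_body
    return b"\x30" + bytes([len(tbs)]) + tbs


# Constructed fixtures echoing the two styles quoted in the post.
EQUIFAX_STYLE = build_fixture((643015).to_bytes(3, "big"))
THAWTE_STYLE = build_fixture(bytes.fromhex("6e57690a104faaff8174f8388b080df1"))


def assess(cert_der):
    serial, offset = extract_serial(cert_der)
    return {"serial": serial.hex(":"), "offset": offset,
            "looks_random": serial_looks_random(serial)}


if __name__ == "__main__":
    for name, cert in (("Equifax-style", EQUIFAX_STYLE), ("Thawte-style", THAWTE_STYLE)):
        print(name, assess(cert))
```

Run against a real certificate (`cert_der = open("cert.der", "rb").read()`), `assess()` reports the serial and its offset; the offset is small because the serial is the second field of tbsCertificate, which is the whole point of the post: the attacker has to get those bytes right before any of the fields they control are hashed.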

If hackers cannot predict this number, then they cannot create the necessary "hash collision", and this attack won't work. That's because the serial number comes BEFORE the hacked portion of the certificate, not AFTER: the collision has to be computed against the exact bytes that precede the attacker's fields. Even using the weak MD5 hash algorithm, properly randomized serial numbers will stop this attack. Instead of calling this "MD5 considered harmful", they should have called it "Birthday Attacks against certs considered harmful".

However, I'd suggest the real way to solve this is to randomize only the lower 8 bits of the serial number. That way, hackers will have to buy 256 certificates in order to get the correct one, which means more profit for the CA. Step 1: insecure MD5 certs. ... Step 3: Profit!

Monday, December 29, 2008

I am not dead AND guessing redacted documents...

Skip to end for updates on this ongoing speculation....

(All this time without a blog post and this will be a short one. I am sorry I haven't been posting a lot lately, but that is what happens when *GASP* paying customers have to come first.)

Like a lot of other people, I have been speculating about the "internet ending" bug that will be presented at CCC tomorrow by Alexander Sotirov and Jacob Applebaum. I would like to start by saying that I am not in any way making fun of them or their findings. These are very smart people, and if they say they can cause problems for internet infrastructure, I am preparing to spend the next few days reading books while the internet is not a safe place.

This post is not really about the bug but the redacted document used as an abstract about the talk. I know a lot of work has been done in the space of reading or making sense of redacted docs in the past, but I am an amateur so I thought I would write about my take. I have no insider info, and anything I say is just a pure guess.

On first look at the document, I noticed two areas that stand out. One is the last redacted statement of the second paragraph, and the second is the first redacted statement of the last paragraph. They both mention infrastructure in a way that implies (at least to me) that the first is a shortened or abbreviated version of the second.



The next thing I did was count the characters in each redacted block. I first printed out the image and went old school on it with pen and paper. I marked the length of each block, making a judgment call about whether the spaces are included in the redaction, then measured a normal text block of the same length and saw how many characters I could fit. I got roughly 8 for the first one and around 25 for the second one.



Based on the context of the first and second sentence, I assumed that unless the first 8 characters are a proper noun like Google, it would have to be something more generic that includes a word like "the." I am not ruling the proper noun out, BTW; I am just focusing on more generic terms since information about the attack mentions how widespread it is.

Some possibilities I came up with while brainstorming on SILC with Nick DePetrillo for the first interesting redacted block:
"the DNS"
"the PKI"
"the SSL"
"the web"
"the SIP"
"the SSH"

I would list Google and VeriSign, but based on the sentence structure you would have to make them plural and possessive, which would put both of them over the character limit. It was also suggested that Akamai would fit, but I can't see a way to take advantage of that without serious DNS manipulation. So, we have it covered with the DNS entry above.

So what is my guess? HD Moore's post about how it could reap benefits, together with the large resource investment, leads me to believe it has something to do with PKI (public key cryptography).

There is a known, theoretical weakness in PKI. Chinese researchers found they could create hash collisions in SHA-1 using 2^69 operations. This could probably be done with less than a million machines working for less than six months, well within the power of a botnet. The way an attack could work is that hackers create two certificates that hash to the same value. The first would be for "PayPal" (for example) and the second for "Fubar Inc." The certificate authority, such as VeriSign, signs the Fubar certificate, thus also effectively signing the fake PayPal certificate, since the signature covers only the hash. From that point on, the hacker is PayPal as far as the rest of the world is concerned. It's not just SSL that is vulnerable, but entire trust chains based upon PKI. This could be used to hack into a company's LDAP system, for example, because you would now be a trusted member of that system.
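The paragraph above describes the two-certificate collision, and the Dec 30 post above argues that an unpredictable CA-chosen serial defeats it. The added example below (not code from the original post) models both in one place: a "CA" signs a harmless request by hashing serial || document, an attacker who can predict the serial prepares a colliding pair in advance, and the same precomputed pair fails when the CA picks a serial the attacker did not foresee. The hash is MD5 truncated to 24 bits so that a collision turns up in a few thousand tries; the templates and serial values are constructed, and nothing here finds collisions in real MD5.

```python
# Added example (not code from the original post): a toy model of the
# collision attack described in the post and of the serial-number argument
# in the Dec 30 post.  The digest is MD5 truncated to 24 bits so a collision
# is cheap; templates and serials are constructed values.
import hashlib

TRUNC_BYTES = 3  # 24-bit toy digest: birthday collisions after ~4k tries

# Constructed stand-ins for the two certificate requests.  The applicant-
# controlled part comes AFTER the CA-chosen serial, as in a real tbsCertificate.
LEGIT_TEMPLATE = b"CN=Fubar Inc;nonce=%d"
ROGUE_TEMPLATE = b"CN=www.paypal.com;nonce=%d"


def toy_hash(data):
    return hashlib.md5(data).digest()[:TRUNC_BYTES]


def find_collision(prefix, limit=1_000_000):
    """Birthday search under a fixed prefix: vary a nonce in both templates
    until a legit document and a rogue document share a toy digest.
    Returns (legit_doc, rogue_doc).  The prefix must be known in advance."""
    legit_seen, rogue_seen = {}, {}
    for i in range(limit):
        legit = LEGIT_TEMPLATE % i
        rogue = ROGUE_TEMPLATE % i
        hl, hr = toy_hash(prefix + legit), toy_hash(prefix + rogue)
        if hl == hr:
            return legit, rogue
        if hl in rogue_seen:
            return legit, rogue_seen[hl]
        if hr in legit_seen:
            return legit_seen[hr], rogue
        legit_seen[hl] = legit
        rogue_seen[hr] = rogue
    raise RuntimeError("no collision within limit")


def ca_sign(serial, doc):
    """Toy CA: the digest over serial || document stands in for the signature."""
    return toy_hash(serial + doc)


def verify(serial, doc, sig):
    return ca_sign(serial, doc) == sig


def rogue_doc_accepted(attacker_guess, ca_serial):
    """The attacker precomputes a colliding pair assuming `attacker_guess`
    will be the serial; the CA then signs the legit request under `ca_serial`.
    Returns True when the rogue document verifies under that same signature."""
    legit, rogue = find_collision(attacker_guess)
    sig = ca_sign(ca_serial, legit)      # CA sees only the harmless request
    return verify(ca_serial, rogue, sig)


# Constructed serials: a counter value the attacker can predict, and a
# 16-byte random-looking value it cannot.
PREDICTED = (643015).to_bytes(3, "big")
RANDOMIZED = bytes.fromhex("6e57690a104faaff8174f8388b080df1")

if __name__ == "__main__":
    print("counter serial, rogue accepted:", rogue_doc_accepted(PREDICTED, PREDICTED))
    print("random serial,  rogue accepted:", rogue_doc_accepted(PREDICTED, RANDOMIZED))
```

The cost of `find_collision` scales as the square root of the digest size, which is why a 24-bit toy collides in thousands of tries while the real 2^69 figure above needs a cluster; the prefix dependence does not change with the hash, which is why a randomized serial helps even under MD5.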

UPDATE 1: The fourth paragraph begins with: "The main result of our proof of concept attack is that we are in possession of a *redacted*."
I bet they are in possession of a bogus cert for a website that will evaluate correctly. For instance, they have created a fake cert for www.paypal.com that, when verified by a browser, will check out and not trip the phishing filters in any of the major browsers.

UPDATE 2: Speech announced titled "MD5 considered harmful today: Creating a rogue CA Certificate"

Saturday, December 13, 2008

Lori Drew vs. Rule of Law

Geeks are up in arms over the Lori Drew verdict. It stretched the meaning of the Computer Fraud and Abuse Act (CFAA), which outlaws hacking, to also mean any violation of a website's Terms of Service (ToS). (Lori Drew had created an account on MySpace using the pseudonym Josh, which violates their ToS).

The chilling effect of stretching the CFAA is certainly important, but a more basic issue is the way this challenges the "Rule of Law".

One of the foundations of free society as we know it is something called the "Rule of Law". The rule is that law applies equally to everyone without prejudice. The law applies to our leaders just as much as the common man, and the common man won't get lynched by a mob. The rule of law is hostile to both a dictatorship as well as the anarchy of mob rule.

The Lori Drew case is the foulest example of mob rule. A tragedy happened: a teenage girl committed suicide after being "cyberbullied". No law was broken, though. Lori Drew wasn't even the main "bully" - it was her daughter, and her daughter's friends. Yet the mob demanded "justice", so the prosecutors stretched the law in order to haul her into court and lynch her.

Unfortunately, geeks support the concept of mob rule - they just disagree about which law was chosen. Geeks regularly violate the ToS of websites. Geeks frequently create accounts under pseudonyms. They understand why using the CFAA to convict Drew was a bad idea. They just wanted a different law to be chosen, one that didn't impact geeks. When the case first hit the press, comments on the geek news site "Slashdot" seemed in general agreement that some means needed to be found to "make that bitch fry".

The disrespect for the rule-of-law stems from our culture. There are many TV shows based on courtroom drama. The "rule of law" is frequently ignored - we don't want the laws applied fairly. We want the laws to be prejudiced toward the protagonist of the show.

I watched "Batman: The Dark Knight" on my last airplane flight. In the movie, Batman tortures the Joker and wiretaps everyone's cellphone in order to combat terrorism. Why is this ok for Batman, but not for George Bush? It's because Batman is our hero, and Bush is not.

Bush himself has damaged the credibility of the rule of law. He arbitrarily labeled American citizens as "enemy combatants" to deny them habeas corpus. He hired/fired Department of Justice lawyers to fulfill political ends. He wants amnesty for telecommunications firms that broke the law. The issue is not that any of these things were bad; the issue is that Bush applied the law arbitrarily.

J.K. Rowling's "Harry Potter" series is a great example of the pop culture disrespect for the rule of law. In her books, Harry Potter and other protagonists commit egregious acts for purely malicious reasons. Yet, because they are "the good guys", they are held to a different standard. Personally, I was rooting for the antagonist (Voldemort).

Geek culture is intensely political, yet geeks don't seem to have a political philosophy more complex than always rooting for the underdog. All geeks support the EFF (Electronic Freedom Foundation) for its support of electronic freedoms. Yet the EFF has no "manifesto" of what those electronic freedoms should be. It supports both the idea that "code" is a form of speech that should be free and the idea that "code" should be regulated by the government. It all depends upon whether it's the little guy we are talking about or a large corporation. Yet these are the same thing. I quit my job and started writing code in my apartment ten years ago that has now become a billion dollar business within IBM, a very large corporation. Regulation of that code should not depend upon whether it was just me trying to sell that product, or IBM.

So yes, we should seek clarification of the meaning of the Computer Fraud and Abuse Act, but that should be secondary. Our primary political fight in the Lori Drew case should be against the purely arbitrary application of the law, which offends the very basis of our society.