
25C3: MD5 collisions crack CA certificate (heise online)

25C3: MD5 collisions crack CA certificate (heise online)

Posted Dec 31, 2008 20:08 UTC (Wed) by jd (guest, #26381)
In reply to: 25C3: MD5 collisions crack CA certificate (heise online) by endecotp
Parent article: 25C3: MD5 collisions crack CA certificate (heise online)

That might not be so easy. I'm seeing reports that Thawte and a couple of other major CAs use MD5s. At best, phishing scams will worsen, with browsers unable to tell the difference between the real site and a fake one in these cases.

Now, I'm also concerned about SASL. Cyrus SASL uses CRAM-MD5 and DIGEST-MD5, for example, and I don't see any mention of non-MD5 hash-based mechanisms within SASL as a whole. (It seems to be a choice of plaintext or MD5.) If - and it's a big if - the attack could also be used to compromise SASL, it'll be more troublesome. SSL already supports other hashes and so it's just a matter of disabling the broken mechanism. SASL would seem to require a much more extensive update at a much lower level. That means any update will take a lot longer before it becomes effective.

SASL is used virtually everywhere SSL isn't - LDAP and Kerberos, for example. Therefore, by implication, mechanisms that use any of these (such as MS' Active Directory, which uses Kerberos) could be much less secure than conventional wisdom has believed.

It is unclear to me just how generalized this attack is, in terms of how many of the uses of MD5 are now vulnerable, but at this point can any MD5-based mechanism have any real credibility, even if this specific attack turns out not to affect it? Will MD5 users wait to be affected or will they be pro-active (for once)? Can major users of MD5 (like much of the financial world) afford to migrate away before things go from proof-of-concept to something worse? Will major users of MD5 even be aware that they are?



25C3: MD5 collisions crack CA certificate (heise online)

Posted Dec 31, 2008 20:56 UTC (Wed) by dlang (✭ supporter ✭, #313)

there is a difference here.

the CA certs use the MD5 to validate the plaintext and then make extensive use of the plaintext. and the plaintext can be an arbitrary length, but only some of it will have attention paid to it.

with authentication like SASL the size of the input is drastically limited, and everything in it matters. this makes it _very_ hard to play the games that are being used to break MD5.

it's actually easier to just compute every possible legal input value and what the result of the hash is, then store the result on a few TB of disk space than to use the sort of attack making the news. and this sort of 'rainbow table' attack can be used no matter how strong or weak the hash is against being broken. the only defense against a rainbow is to have such a large variety of possible inputs that the table is so large as to be impractical.

25C3: MD5 collisions crack CA certificate (heise online)

Posted Jan 1, 2009 12:14 UTC (Thu) by mb (subscriber, #50428)

> the only defense against a rainbow is to have such a large variety of possible inputs that the table is so large as to be impractical

I don't think so. Salts are a pretty effective countermeasure against rainbow tables.

25C3: MD5 collisions crack CA certificate (heise online)

Posted Jan 1, 2009 14:14 UTC (Thu) by tialaramex (subscriber, #21167)

Salt increases the variety of possible inputs. You need to include all possible salt values along with the domain of "possible" passwords; for reasonable salt sizes this swamps any conceivable time-space tradeoff.

Perhaps you (mb) or dlang were misunderstanding, or perhaps your understandings passed without connecting.

A rainbow table is one kind of time/space tradeoff for multiple attacks on the same system. The effort E2 to make a reliable table is always strictly greater than the effort E1 to brute force a single hash of the same sort found by the table. If you use the table to break N passwords and E2 > E1 * N then you wasted resources by using Rainbow tables. This is why "public" projects to create shared tables are popular. And after all this, it can still take noticeable effort to use the Rainbow table to "look up" a password, since the nature of the table requires hash iterations to do the lookups.

dlang does the Rainbow Table's inventor wrong by associating a mere look-up table with the very much cleverer trick used in actual Rainbow Tables (go read up on them, it's a really good trick).
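To make the time/space tradeoff tialaramex describes concrete, here is an added toy example (not from the thread or any real tool) over a constructed space of 4-digit PINs hashed with unsalted MD5: chains of hash/reduce steps are built once, only their endpoints are stored, and a lookup regenerates chain fragments to find the stored chain that contains the target. The salted lookup at the end is the defender's point: a salt changes the hashed input, so a table built for one input domain does not cover the salted one.

```python
import hashlib

SPACE = 10_000      # constructed toy password space: 4-digit PINs
CHAIN_LEN = 64      # t: hash iterations per chain
CHAINS = 400        # m: chains stored; building costs about m*t hash calls

def H(pin):
    """Unsalted MD5 of the PIN rendered as a 4-digit string."""
    return hashlib.md5(f"{pin:04d}".encode()).hexdigest()

def R(h, i):
    """Column-dependent reduction: map a digest back into the PIN space."""
    return (int(h, 16) + i) % SPACE

def build_table(starts):
    """Store only endpoint -> start; intermediate values are recomputed on lookup."""
    table = {}
    for s in starts:
        p = s
        for i in range(CHAIN_LEN):
            p = R(H(p), i)
        table[p] = s
    return table

def lookup(table, target):
    """Assume the target sits in column i, regenerate to the endpoint, then walk that chain."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        p = R(target, i)
        for j in range(i + 1, CHAIN_LEN):
            p = R(H(p), j)
        if p in table:                 # candidate chain; may be a false alarm
            q = table[p]
            for j in range(CHAIN_LEN):
                if H(q) == target:
                    return q           # preimage found
                q = R(H(q), j)
    return None                        # not covered by this table

def salted_hash(salt, pin):
    """Same hash function, but over salt || PIN; the table above never saw these inputs."""
    return hashlib.md5(salt + f"{pin:04d}".encode()).hexdigest()

# Chain starts every SPACE // CHAINS PINs, so 25 is a stored chain start.
TABLE = build_table(range(0, SPACE, SPACE // CHAINS))

def covered_lookup():
    """An unsalted hash of a PIN the table covers is inverted."""
    return lookup(TABLE, H(25)) == 25

def salted_lookup_fails():
    """The same PIN under a constructed 2-byte salt is not found."""
    return lookup(TABLE, salted_hash(b"x9", 25)) is None
```

Each lookup costs on the order of t^2/2 hash calls, which is the "noticeable effort" per lookup mentioned above; a salt of k bits multiplies the input domain the table would have to cover by 2^k.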

25C3: MD5 collisions crack CA certificate (heise online)

Posted Jan 1, 2009 3:58 UTC (Thu) by iabervon (subscriber, #722)

In general, SASL is about providing an authenticating secret to a remote system. Both the server and an authentic client know the same secret. The server issues a challenge which is effectively a random seed. The client is required to append the password, hash the total, and send the result. The point of the hash is to make it infeasible to find the password given just the response. Finding an MD5 collision would enable an attacker to find a different challenge and password which would lead to the same response. That is, if the server has issued a different challenge, and the user had had a different password, the user could respond with the same value the user actually did respond with, and the server would have accepted it.

But, of course, this doesn't help the attacker at all, because the server will issue some third challenge next time, and the attacker's guess at the password won't work for that challenge. If the server issued any particular known challenge, then the attacker could authenticate simply by replaying the authentic client's observed response.

There hasn't been any particular progress at reversing the hash; that is, finding all of the texts that have a given hash. And finding some random single text that has a given hash isn't so interesting when it's just another wrong password which shares an obscure and strongly useless criterion with the real password.
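The challenge-response exchange iabervon describes, as an added example that is not from the thread: CRAM-MD5 as specified in RFC 2195 keys HMAC-MD5 with the shared secret over the server's challenge, and the server recomputes the digest for the challenge it actually issued. The secret, username and challenge strings are constructed; the last function shows why a captured response is worthless against the next, different challenge.

```python
import hashlib
import hmac
import os
import time

# Constructed shared secret and username; both sides know the secret.
SECRET = b"correct horse battery staple"
USERNAME = "alice"

def server_challenge(host="mail.example.invalid"):
    """Server side: a fresh, unpredictable challenge in the RFC 2195 msg-id form."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{host}>".encode()

def client_response(username, secret, challenge):
    """Client side: username, space, hex HMAC-MD5 of the challenge keyed by the secret."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

def server_verify(response, secret, challenge):
    """Server side: recompute for the issued challenge and compare in constant time."""
    username, _, digest = response.partition(" ")
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return username == USERNAME and hmac.compare_digest(digest, expected)

def replay_fails():
    """A response observed for one challenge does not authenticate against a new one."""
    first = server_challenge()
    captured = client_response(USERNAME, SECRET, first)
    assert server_verify(captured, SECRET, first)     # genuine session succeeds
    second = server_challenge()                       # server picks a fresh challenge
    return not server_verify(captured, SECRET, second)
```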

25C3: MD5 collisions crack CA certificate (heise online)

Posted Jan 1, 2009 14:34 UTC (Thu) by danpb (subscriber, #4831)

There is no need to be worried about SASL in general. The main idea behind SASL is that it provides a generic authentication API / protocol for applications to use, into which you can plug many different auth mechanisms. As such Digest-MD5 is just one of very many auth mechanisms for SASL, others being plain password auth, Kerberos/GSSAPI, OTP, etc. Most of these mechanisms need to be used over a secure channel - typically provided by SSL/TLS. Kerberos though can provide channel encryption as well as authentication.

The CRAM-MD5 method has been considered obsolete for a long time and no one should be using it. DIGEST-MD5 is also in the process of being deprecated, and not just because of the flaws in MD5 itself - the mechanism itself has a number of problems in its spec. Read more here:

http://tools.ietf.org/html/draft-ietf-sasl-digest-to-hist...

25C3: MD5 collisions crack CA certificate (heise online)

Posted Jan 1, 2009 14:48 UTC (Thu) by tialaramex (subscriber, #21167)

MD5 has been known to be weak for some time and you are advised not to use it for future applications, design it into new standards, or commission new embedded devices that rely on it. But it's not actually completely broken, only the hardest of the guarantees wanted from a cryptographic hash function has failed.

The broken guarantee is: It's too hard for anyone to create two documents A and B such that MD5(A) = MD5(B). This statement is no longer true.

It remains true that: It's too hard for anyone to take an arbitrary document X and create a new document Y such that MD5(X) = MD5(Y).

For now MD5 is only a risk for situations where untrusted people "prove" to you that they're showing you the same thing as they showed someone else earlier by providing the MD5 of a non-trivial document -- not the word "cat" or a telephone number, something long enough you (or the computer) would not really read all of it, like a PDF document, or an SSL certificate. In this case the break in MD5 can be used to insert gibberish that you'll skip over which changes document A into document B. In this case, the bad guys apply for a certificate for foo.example, and then use the CA's MD5 signature to create an undetectable fraudulent certificate for bar.example.

25C3: MD5 collisions crack CA certificate (heise online)

Posted Jan 1, 2009 15:28 UTC (Thu) by burki99 (subscriber, #17149)

Thank you very much for this illustrative comment!

And a Happy New Year to all lwn.net readers and writers. For me, this is one of the most helpful and well educated tech groups online and I really appreciate all your comments and explanations.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds