[LINK] PKI Security

stephen at melbpc.org.au
Wed Dec 31 23:57:58 AEDT 2008


As usual, the annual Chaos Communication Congress appears to have thrown
up another security issue. See: <www.win.tue.nl/hashclash/rogue-ca/>


"Summary: We have identified a vulnerability in the Internet Public Key 
Infrastructure (PKI) used to issue digital certificates for websites. 

As a proof of concept we executed a practical attack scenario and 
successfully created a rogue Certification Authority (CA) certificate 
trusted by all common web browsers. 

This certificate allows us to impersonate any website on the Internet, 
including banking and e-commerce sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic hash 
function that allows the construction of different messages with the same 
MD5 hash. This is known as an MD5 "collision" .. Our current work proves 
that at least one attack scenario can be exploited in practice, thus 
exposing the security infrastructure of the web to realistic threats.

As a result of this successful attack, we are currently in possession of 
a rogue Certification Authority certificate. This certificate will be 
accepted as valid and trusted by all common browsers, because it appears 
to be signed by a root CA that browsers trust by default .." (end quote)


And, here is today's New York Times perspective on the above research:

"Outdated Security Threatens Web Commerce" By John Markoff www.nytimes.com

A team of United States and European computer security researchers have 
used a cluster of several hundred Sony PlayStation 3 video-game machines 
to exploit a basic weakness in the software system used to protect 
commercial transactions made via the Internet.

The attack is possible because a handful of commercial organizations that 
provide components of the basic security infrastructure of the Internet 
are using an older security technology — despite years of warnings that 
it is now potentially obsolete. 

The flaw would make it possible for a criminal to redirect a Web surfer 
to a fake bank or online merchant without being detected by the security 
mechanism embedded in today’s Web browsers. It could also be used to 
subvert e-mail communications and other applications that use 
cryptographic software for authentication and security.

The demonstration underscores that the commercial infrastructure of the 
Internet, as well as its privacy and security, are based on an advanced 
branch of mathematics that in the future may become vulnerable to more 
powerful computing systems and more clever attackers.

Today’s browsers display a tiny image of a padlock when a user has a 
secure connection to a Web site. This is intended to provide evidence 
that the Web site is legitimate, as the browser and the site exchange 
digital certificates provided by a certificate authority — a trusted 
third party.

Researchers have proved they can create fake certificates that will be 
accepted by the security system. 

Although most certificate authorities have shifted to a more modern 
digital fingerprinting algorithm known as SHA-1, a small number have not.

The digital certificate system is designed in such a way that if a single 
certificate authority can be compromised, it is possible for an attacker 
to mass-produce forged certificates that undermine the “web of trust” the 
entire system is based on. It relies on public key cryptography, a system 
in which each user creates a public and private key — long numbers — to 
help mathematically prove their identity and encrypt and decrypt information.

The results of the research were announced Tuesday afternoon in a paper 
the researchers presented at a technical conference in Berlin. 

The flaw is contained in an algorithm known as MD5, which is widely used 
to produce unique digital fingerprints. The weakness had first been 
discovered by a group of Chinese researchers, but at the time, it 
still required vast amounts of computing to produce a forged certificate. 

But the group of independent cryptographers and mathematicians, based in 
California, the Centrum Voor Wiskunde en Informatica and Eindhoven 
University of Technology in the Netherlands and the École Polytechnique 
Fédérale de Lausanne in Switzerland, were able to create a “collision” — 
generating two different messages sharing an identical signature — in 
just three days of computing. The researchers estimated that it would 
take a typical desktop machine about 32 years to perform the same 
calculations.

The researchers said that by creating a fake certificate, they had 
demonstrated that a critical part of the Internet security infrastructure 
is not safe.

Computer security specialists were divided on the significance of the 
exploit.

“This is good research,” said Bruce Schneier, chief security technology 
officer for British Telecom. “But in the scheme of things, how many 
people do we know who rely on these certificates for anything? When was 
the last time you checked your browser certificates to make sure they’re 
good?”

Others said that the researchers had done a valuable service by exposing 
lax practices in the industry.

“It’s shocking that a commercial certificate authority is still using 
only MD5,” said Paul Kocher, president and chief scientist of 
Cryptography Inc., a San Francisco-based computer security firm. 

“It impacts 99 percent of the browser infrastructure and it goes beyond 
Web browsers,” said Jacob Appelbaum, an independent computer security 
researcher based in San Francisco. Also potentially affected are e-mail 
and chat servers and online collaboration systems... (end quote)


And here are six public comments on the above article from the NYTimes site:


1. December 30, 2008 1:12 pm

Networking4all created a tool to check if a certificate in the chain has 
been signed with an insecure algorithm.

Example:
https://www.networking4all.com/en/support/tools/site+check/?fqdn=www.verisign.com

You can check all sites on:
https://www.networking4all.com/en/support/tools/site+check/

— Networking4all
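The kind of check the Networking4all tool above performs, and the weakness the researchers' summary describes, written up here as an added example that is neither the tool's code nor anything from the original post: it walks a PEM certificate chain with only the Python standard library and flags every certificate whose issuing CA signed it with MD5. The self-signed root's own signature algorithm does not matter, since a root is trusted by its presence in the browser's store rather than by its signature, so the certificates worth checking are the leaf and any intermediates; the sample chain is constructed in the code and is not made of real certificates.

```python
import base64
import re

# DER-encoded contents of PKCS #1 signatureAlgorithm OIDs (RFC 3279) -> name.
SIG_ALG_NAMES = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",     # 1.2.840.113549.1.1.4
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",    # 1.2.840.113549.1.1.5
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",  # 1.2.840.113549.1.1.11
}
WEAK_SIG_ALGS = {"md5WithRSAEncryption"}

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length, needed for real certificates
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def signature_algorithm(der):
    """Name the outer signatureAlgorithm: the algorithm the issuing CA signed this cert with."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, _, pos = _tlv(cert, 0)               # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)          # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid, _ = _tlv(alg_id, 0)           # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return SIG_ALG_NAMES.get(oid, "unknown OID " + oid.hex())

def audit_chain(pem_chain):
    """Return [(index, algorithm_name, is_weak)] for each PEM certificate, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_chain, re.S)
    results = []
    for i, b64 in enumerate(blocks):
        name = signature_algorithm(base64.b64decode("".join(b64.split())))
        results.append((i, name, name in WEAK_SIG_ALGS))
    return results

# Constructed sample chain (stand-ins, not real certificates): an empty tbsCertificate
# stub, a genuine AlgorithmIdentifier encoding and a dummy signature BIT STRING.
def _der(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length suffices for the stubs

def _stub_cert_pem(oid_der):
    alg_id = _der(0x30, _der(0x06, oid_der) + b"\x05\x00")
    cert = _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

SAMPLE_CHAIN = (_stub_cert_pem(bytes.fromhex("2a864886f70d01010b"))    # leaf: sha256WithRSAEncryption
                + _stub_cert_pem(bytes.fromhex("2a864886f70d010104")))  # intermediate: md5WithRSAEncryption
```

Calling audit_chain(SAMPLE_CHAIN) flags the second (intermediate) certificate as MD5-signed; point it at a real chain file to audit a site's intermediates and leaf.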
 

2. December 30, 2008 2:22 pm
 
Shop at well-known on-line stores, check the URL displayed in the address 
window (especially if redirected anywhere), and you have a 99.999% chance 
of being perfectly safe.

These “boogie-man” kind of stories provide jobs for security consultants 
and little other benefit.

— Steverino

 
3. December 30, 2008 5:38 pm
 
I strenuously disagree with Steverino @2:22pm. Suppose you were in a cafe 
using the provided Wi-Fi network. You cannot trust the DNS results and 
therefore cannot trust the address in the address bar (unless you are 
using IPSec and DNSSEC together, which is an extremely difficult thing to 
do for most users). With today’s revelation, an attacker could return a 
bad address for amazon.com, and use a fake certificate that your browser 
nevertheless accepts, and you will be none the wiser. You will happily 
type in your credit card number because the address bar says “amazon.com” 
and the little padlock is highlighted. This is a serious vulnerability 
that is very easily exploited.

— Jeffrey W. Baker
 

4. December 30, 2008 5:58 pm
 
Not really, especially as it's entirely possible to trick a computer into 
going to a site that looks completely authentic. If hackers a few years 
ago could convince multiple CEOs that the hackers were actually 
prosecutors bringing charges against them, exactly how difficult is it to 
convince a computer it's on the Microsoft homepage?

— JWM

 
5. December 30, 2008 7:23 pm
 
FYI, VeriSign closed this security hole about five hours after learning 
about it: https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php

— Tim Callan
 

6. December 30, 2008 7:51 pm
 
It is a significant risk regardless of the percentages. If 99.9999% of 
activities are secure, then one in 1,000,000 is not. It only takes one 
insecure transaction to clean out a large account.

— George McIlvaine
--

HNYear Linkers
Stephen Loosley
Victoria Australia


