ABSTRACT
Research unveiled in December of 2008 [15] showed how MD5’s long-known flaws could be actively exploited to attack the real-world Certification Authority infrastructure. In this paper, we demonstrate two new classes of collision, which will be somewhat trickier to address than previous attacks against X.509: the applicability of MD2 preimage attacks against the primary root certificate for Verisign, and the difficulty of validating X.509 Names contained within PKCS#10 Certificate Requests. We also draw particular attention to two possibly unrecognized vectors for implementation flaws that have been problematic in the past: the ASN.1 BER decoder required to parse PKCS#10, and the potential for SQL injection from text contained within its requests. Finally, we explore why the implications of these attacks are broader than some have realized — first, because Client Authentication is sometimes tied to X.509, and second, because Extended Validation certificates were only intended to stop phishing attacks from names similar to trusted brands. As per the work of Adam Barth and Collin Jackson [4], EV does not prevent an attacker who can synthesize or acquire a “low assurance” certificate for a given name from acquiring the “green bar” EV experience.
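The two implementation vectors named above (the BER decoder a CA must run over PKCS#10 input, and request text reaching SQL) come down to what a registration system accepts from a Subject Name before acting on it. The following is an added example, not code from the paper: a strict DER-only reader for an X.509 Name that rejects BER-only length forms and any commonName outside the PrintableString alphabet, and then stores the name through a bound SQL parameter. The function names, the `requests` table and the sample encodings are constructed for this example.

```python
import re, sqlite3

OID_CN = bytes.fromhex("550403")                       # 2.5.4.3 id-at-commonName
PRINTABLE = re.compile(r"[A-Za-z0-9 '()+,\-./:=?]+")   # PrintableString alphabet (no NUL, no ';')

def _need(ok, msg):
    if not ok: raise ValueError(msg)

def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos -> (tag, value, next_pos), accepting DER length forms only."""
    _need(pos + 2 <= len(buf), "truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    _need(ln != 0x80, "indefinite length is BER, not DER")
    if ln & 0x80:                                      # long form: 0x81..0x84, then length bytes
        n = ln & 0x7F
        _need(1 <= n <= 4 and pos + n <= len(buf) and buf[pos] != 0, "bad long-form length")
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        _need(ln >= 0x80, "non-minimal length: short form was required")
    _need(pos + ln <= len(buf), "length runs past end of buffer")
    return tag, buf[pos:pos + ln], pos + ln

def common_names(name_der: bytes) -> list:
    """Return every commonName in a DER Name; raise ValueError on anything non-canonical."""
    tag, body, end = read_tlv(name_der, 0)
    _need(tag == 0x30 and end == len(name_der), "Name must be exactly one SEQUENCE")
    cns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        _need(tag == 0x31, "RDN must be a SET")
        tag, atv, end = read_tlv(rdn, 0)
        _need(tag == 0x30 and end == len(rdn), "only single-valued RDNs are accepted")
        tag, oid, p = read_tlv(atv, 0)
        vtag, val, end = read_tlv(atv, p)
        _need(tag == 0x06 and end == len(atv), "AttributeTypeAndValue must be OID then one value")
        if oid == OID_CN:
            _need(vtag == 0x13, "commonName must be a PrintableString")
            s = val.decode("ascii")                    # non-ASCII bytes raise UnicodeDecodeError (a ValueError)
            _need(PRINTABLE.fullmatch(s) is not None, "commonName has characters outside PrintableString")
            cns.append(s)
    return cns

def build_name(cn: bytes, vtag: int = 0x13) -> bytes:  # constructed sample input, short lengths only
    tlv = lambda t, b: bytes([t, len(b)]) + b
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(vtag, cn))))

def store_request(db: sqlite3.Connection, name_der: bytes) -> int:
    """Validate the subject first, then insert with a bound parameter (never string-built SQL)."""
    (cn,) = common_names(name_der)                     # exactly one commonName expected here
    db.execute("CREATE TABLE IF NOT EXISTS requests (cn TEXT NOT NULL)")
    return db.execute("INSERT INTO requests (cn) VALUES (?)", (cn,)).rowcount
```

A real CA front end would accept a wider set of attribute types and string encodings than this; the point is that the accepted set is decided explicitly, and that a value such as `O'Brien Ltd` is legal PrintableString and must therefore reach the database only as a bound parameter.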
References
1. Open1X: IEEE 802.1X open source implementation, http://open1x.sourceforge.net/
2. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) protocol (August 2008), http://tools.ietf.org/html/rfc5246
3. Gutmann, P.: X.509 style guide (October 2000), http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
4. Jackson, C., Barth, A.: Beware of finer-grained origins. In: Web 2.0 Security and Privacy, W2SP 2008 (2008)
5. Johanson, E.: The state of homograph attacks (2005), http://www.shmoo.com/idn/homograph.txt
6. Kaliski, B.: PKCS #1: RSA encryption (March 1998), http://tools.ietf.org/html/rfc2313
7. Marlinspike, M.: New tricks for defeating SSL in practice (July 2009), http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
8. Marlow, S.: Happy user guide (2001), http://www.haskell.org/happy/doc/html/sec-AttributeGrammar.html
9. Muller, F.: The MD2 hash function is not one-way. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 214-229. Springer, Heidelberg (2004)
10. neon HTTP and WebDAV client library, http://www.webdav.org/neon/
11. Pilosov, A., Kapela, T.: Stealing the Internet: an Internet-scale man-in-the-middle attack. In: DEFCON, vol. 16 (August 2008)
12. Röning, J., Laakso, M., Takanen, A., Kaksonen, R.: PROTOS - systematic approach to eliminate software vulnerabilities (2002)
13. Singh, S.: Certificate trust list not being honored by IIS 5.0/6.0/7.0 (December 2007), http://blogs.msdn.com/saurabh_singh/archive/2007/12/07/certificate-trust-list-not-being-honored-by-iis-5-0-6-0-7-0.aspx
14. Stevens, M., Lenstra, A., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1-22. Springer, Heidelberg (2007)
15. Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Cryptology ePrint Archive, Report 2009/111 (2009), http://eprint.iacr.org/
16. Bacula: the open source network backup software solution, http://www.bacula.org/en/
17. Claws Mail: the user-friendly, lightweight and fast email client, http://www.claws-mail.org/
18. Thomsen, S.S.: An improved preimage attack on MD2. In: Cryptology ePrint Archive, Report 2008/089 (2008), http://eprint.iacr.org/
19. US-CERT: Vulnerability Note VU#800113: multiple DNS implementations vulnerable to cache poisoning. US-CERT Vulnerability Notes Database (2008), http://www.kb.cert.org/vuls/id/800113
20. Wang, X., Feng, D., Lai, X., Yu, H.: Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. In: Cryptology ePrint Archive, Report 2004/199 (2004), http://eprint.iacr.org/
21. GNU Wget, http://www.gnu.org/software/wget/
Paper: PKI Layer Cake: New Collision Attacks against the Global X.509 Infrastructure