HackFest Series: OpenSSL, MD5, CA security flaws

Lisa Kachold lisakachold at obnosis.com
Wed Jan 7 17:22:20 MST 2009


1) OpenSSL malformed signature checking:

http://openssl.org/news/secadv_20090107.txt

This affects a great number of products and installations.

Who is affected?
=================

Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client
when connecting to a server whose certificate contains a DSA or ECDSA key.

Use of OpenSSL as an SSL/TLS client when connecting to a server whose
certificate uses an RSA key is NOT affected.

Verification of client certificates by OpenSSL servers for any key type
is NOT affected.

Recommendations for users of OpenSSL
=====================================

Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release
which contains a patch to correct this issue.

The patch used is also appended to this advisory for users or
distributions who wish to backport this patch to versions they build
from source.

Recommendations for projects using OpenSSL
===========================================

Projects and products using OpenSSL should audit any use of the
routine EVP_VerifyFinal() to ensure that the return code is being
correctly handled.  As documented, this function returns 1 for a
successful verification, 0 for failure, and -1 for an error.

General recommendations
========================

Any server that has clients using OpenSSL verifying DSA or ECDSA
certificates, regardless of the software used by the server, should
either ensure that all clients are upgraded or stop using DSA/ECDSA
certificates. Note that unless certificates are revoked (and clients
check for revocation) impersonation will still be possible until the
certificate expires.

2) MD5 Impersonation:

An MD5 flaw has been suggested theoretically in various ways, but a complete proof of concept was not completely dissected, described and announced until December 30, 2008.  I think that MD5 impersonation "discovery" is now owned by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger from the Netherlands, announced at Chaos on December 30, 2008 in Berlin - here's that presentation: http://www.win.tue.nl/hashclash/rogue-ca/downloads/md5-collisions-1.0.pdf

Here are the Homeland Security recommendations two days later:

[added Jan. 2] US-CERT, the US Department of Homeland Security's Computer Emergency Readiness Team,
published Vulnerability Note VU#836068: "MD5 vulnerable to collision attacks". Interesting quotes from this note:

    "Do not use the MD5 algorithm"

    "Software developers, Certification Authorities, website owners, and users should avoid using the
    MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered
    cryptographically broken and unsuitable for further use."

    "Scrutinize SSL certificates signed by certificates using the MD5 algorithm"

    "Users may wish to manually analyze the properties of web site certificates (...)
    Certificates listed as md5RSA or similar are affected.
    Such certificates that include strange or suspicious fields or other anomalies may be fraudulent.
    Because there are no reliable signs of tampering it must be noted that this workaround is
    error-prone and impractical for most users."

Here's Microsoft's Response (touting the EV certs of course and their update process [which was only released this week] which says it's released on 12/30/0):

Do not sign digital certificates with MD5

Certificate Authorities should no longer sign newly generated certificates using
the MD5 algorithm, as it is known to be prone to collision attacks.
Several alternative and more secure technologies are available,
including SHA-1, SHA-256, SHA-384 or SHA-512.

So if you guys discover something that doesn't make sense, follow up on it.  Dissect it and publish it in a big way.  Many of us ignored the DNS flaws described and exploited by Kaminsky for years.  Believe me, there are a great many working exploits before every published exploit.
Yes, I was asleep working on a project... but Hans and I discussed some of the cert auth triangulation auth issues and wondered when it might be coming!


> Date: Wed, 7 Jan 2009 16:19:17 -0700
> From: PLUGd at LuftHans.com
> To: PLUG-discuss at lists.PLUG.phoenix.az.us
> Subject: OpenSSL, MD5, CA security flaws, oh my
> 
> moin moin,
> 
> Lisa has probably posted the second issue, but I'm a bit behind on the
> list. The first one appears to be from today and I don't see anything from
> her today.
> 
> http://openssl.org/news/secadv_20090107.txt
> 
> OK, so DSA and ECDSA certs in OpenSSL now are suspect, but RSA is still
> safe, except...
> 
> http://www.win.tue.nl/hashclash/rogue-ca/
> 
> Hmm, it's possible to impersonate a CA and create RSA certs that'll be
> accepted :(.
> 
> I think the 'Outline of the attack' section indicates that the original CA
> certificate is needed, so CAs moving away from MD5 can avoid the problem.
> 
> ciao,
> 
> der.hans
> -- 
> #  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
> #  Strangers are friends just waiting to happen!
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
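An added example (not from the OpenSSL advisory, from this list post, or from OpenSSL itself) showing why the advisory's EVP_VerifyFinal() audit matters. The toy_verify_final() stand-in is an assumption: it is not a cryptographic signature and only reproduces the documented 1 / 0 / -1 return convention, so that the two callers beside it can show how a check that treats only 0 as failure lets a malformed signature through, while a check for exactly 1 does not. DEMO_MSG and the three-byte signature are constructed inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy stand-in for EVP_VerifyFinal(): NOT a cryptographic signature (assumption
 * for illustration). The "signature" is a 4-byte tag derived from the message;
 * the only thing mimicked faithfully is the documented three-way return code:
 *   1  signature verifies
 *   0  signature does not match the data
 *  -1  error (here: the signature is not even well-formed)                    */
#define TOY_SIG_LEN 4

static void toy_tag(const uint8_t *msg, size_t msg_len, uint8_t out[TOY_SIG_LEN])
{
    uint32_t h = 2166136261u;                 /* FNV-1a, purely illustrative */
    for (size_t i = 0; i < msg_len; i++) {
        h ^= msg[i];
        h *= 16777619u;
    }
    for (int i = 0; i < TOY_SIG_LEN; i++)
        out[i] = (uint8_t)(h >> (8 * i));
}

/* Produces a valid toy signature so the success path can be exercised. */
void toy_sign(const uint8_t *msg, size_t msg_len, uint8_t out[TOY_SIG_LEN])
{
    toy_tag(msg, msg_len, out);
}

int toy_verify_final(const uint8_t *msg, size_t msg_len,
                     const uint8_t *sig, size_t sig_len)
{
    uint8_t expect[TOY_SIG_LEN];
    if (sig == NULL || sig_len != TOY_SIG_LEN)
        return -1;                            /* malformed encoding: an error, not a "no" */
    toy_tag(msg, msg_len, expect);
    return memcmp(expect, sig, TOY_SIG_LEN) == 0 ? 1 : 0;
}

/* The pattern the advisory warns about: only 0 is treated as failure,
 * so the -1 error path falls through to "accepted". */
int accept_vulnerable(const uint8_t *msg, size_t msg_len,
                      const uint8_t *sig, size_t sig_len)
{
    if (toy_verify_final(msg, msg_len, sig, sig_len) == 0)
        return 0;   /* rejected */
    return 1;       /* accepted, including when the call returned -1 */
}

/* Correct handling: anything other than exactly 1 is a rejection. */
int accept_hardened(const uint8_t *msg, size_t msg_len,
                    const uint8_t *sig, size_t sig_len)
{
    return toy_verify_final(msg, msg_len, sig, sig_len) == 1;
}

/* Scenarios over a constructed message so the two callers can be compared. */
static const uint8_t DEMO_MSG[] = "ServerKeyExchange params";
#define DEMO_LEN (sizeof DEMO_MSG - 1)

int vulnerable_accepts_malformed(void)
{
    uint8_t short_sig[3] = {0x01, 0x02, 0x03};   /* 3 bytes: not a valid encoding */
    return accept_vulnerable(DEMO_MSG, DEMO_LEN, short_sig, sizeof short_sig);
}

int hardened_accepts_malformed(void)
{
    uint8_t short_sig[3] = {0x01, 0x02, 0x03};
    return accept_hardened(DEMO_MSG, DEMO_LEN, short_sig, sizeof short_sig);
}

int both_accept_valid(void)
{
    uint8_t sig[TOY_SIG_LEN];
    toy_sign(DEMO_MSG, DEMO_LEN, sig);
    return accept_vulnerable(DEMO_MSG, DEMO_LEN, sig, sizeof sig) &&
           accept_hardened(DEMO_MSG, DEMO_LEN, sig, sizeof sig);
}

int both_reject_tampered(void)
{
    uint8_t sig[TOY_SIG_LEN];
    toy_sign(DEMO_MSG, DEMO_LEN, sig);
    sig[0] ^= 0xff;                           /* well-formed, but does not match */
    return !accept_vulnerable(DEMO_MSG, DEMO_LEN, sig, sizeof sig) &&
           !accept_hardened(DEMO_MSG, DEMO_LEN, sig, sizeof sig);
}

int main(void)
{
    printf("malformed sig accepted by '== 0' check : %d\n", vulnerable_accepts_malformed());
    printf("malformed sig accepted by '== 1' check : %d\n", hardened_accepts_malformed());
    printf("valid sig accepted by both             : %d\n", both_accept_valid());
    printf("tampered sig rejected by both          : %d\n", both_reject_tampered());
    return 0;
}
```

The audit the advisory asks for is exactly the difference between the two callers: every call site has to treat 1 as the only success value, because an error return that is merely "not 0" is otherwise indistinguishable from a good signature.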

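Added example for the US-CERT advice quoted above about scrutinizing certificates "listed as md5RSA or similar"; it is not code from US-CERT, Microsoft, OpenSSL, or this post. It walks just enough of a DER-encoded X.509 certificate to reach the outer signatureAlgorithm OID and flags md5WithRSAEncryption (PKCS#1 OID 1.2.840.113549.1.1.4). The SAMPLE_* byte arrays are constructed skeletons with a placeholder tbsCertificate, not real certificates; in practice the bytes would come from a certificate file or a captured TLS handshake.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal DER walker: reads one tag/length header. Returns 0 and fills tag,
 * header size and content length, or -1 if the element is malformed or
 * runs past the buffer. Lengths up to 2 bytes (65535) cover certificates. */
static int der_tlv(const uint8_t *p, size_t n, uint8_t *tag, size_t *hdr, size_t *len)
{
    if (n < 2) return -1;
    *tag = p[0];
    if (p[1] < 0x80) {
        *hdr = 2;
        *len = p[1];
    } else {
        size_t nbytes = p[1] & 0x7f;
        if (nbytes == 0 || nbytes > 2 || n < 2 + nbytes) return -1;
        *len = 0;
        for (size_t i = 0; i < nbytes; i++) *len = (*len << 8) | p[2 + i];
        *hdr = 2 + nbytes;
    }
    if (*len > n - *hdr) return -1;           /* content would overrun the buffer */
    return 0;
}

/* OID 1.2.840.113549.1.1.4 = md5WithRSAEncryption (only the PKCS#1 OID is checked) */
static const uint8_t OID_MD5_RSA[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04};

/* 1 if Certificate.signatureAlgorithm is md5WithRSAEncryption, 0 if it is
 * anything else, -1 if the bytes do not parse as a certificate. */
int cert_signed_with_md5(const uint8_t *der, size_t der_len)
{
    uint8_t tag; size_t hdr, len;
    /* Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } */
    if (der_tlv(der, der_len, &tag, &hdr, &len) < 0 || tag != 0x30) return -1;
    const uint8_t *p = der + hdr; size_t n = len;
    /* tbsCertificate: a SEQUENCE we skip whole */
    if (der_tlv(p, n, &tag, &hdr, &len) < 0 || tag != 0x30) return -1;
    p += hdr + len; n -= hdr + len;
    /* signatureAlgorithm ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL } */
    if (der_tlv(p, n, &tag, &hdr, &len) < 0 || tag != 0x30) return -1;
    p += hdr; n = len;
    if (der_tlv(p, n, &tag, &hdr, &len) < 0 || tag != 0x06) return -1;
    return (len == sizeof OID_MD5_RSA && memcmp(p + hdr, OID_MD5_RSA, len) == 0) ? 1 : 0;
}

/* Constructed 26-byte certificate skeleton (NOT a real certificate):
 * SEQUENCE { tbsCertificate SEQUENCE { INTEGER 2 } (placeholder),
 *            signatureAlgorithm SEQUENCE { OID md5WithRSAEncryption, NULL },
 *            signatureValue BIT STRING (one byte) } */
static const uint8_t SAMPLE_MD5_CERT[] = {
    0x30, 0x18,
    0x30, 0x03, 0x02, 0x01, 0x02,
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00,
    0x03, 0x02, 0x00, 0xff
};
/* Same skeleton with sha256WithRSAEncryption (1.2.840.113549.1.1.11) */
static const uint8_t SAMPLE_SHA256_CERT[] = {
    0x30, 0x18,
    0x30, 0x03, 0x02, 0x01, 0x02,
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
    0x03, 0x02, 0x00, 0xff
};

int demo_md5_flagged(void)  { return cert_signed_with_md5(SAMPLE_MD5_CERT, sizeof SAMPLE_MD5_CERT); }
int demo_sha256_clean(void) { return cert_signed_with_md5(SAMPLE_SHA256_CERT, sizeof SAMPLE_SHA256_CERT); }
int demo_truncated(void)    { return cert_signed_with_md5(SAMPLE_MD5_CERT, 10); }  /* cut-off input */

int main(void)
{
    printf("md5 skeleton    : %d (1 = flagged)\n", demo_md5_flagged());
    printf("sha256 skeleton : %d\n", demo_sha256_clean());
    printf("truncated input : %d (-1 = unparseable)\n", demo_truncated());
    return 0;
}
```

The check is deliberately about the algorithm the issuer used to sign, which is what the rogue-CA work exploits; a certificate's own key type (RSA, DSA, ECDSA) is a separate question from whether its signature was made over an MD5 digest, and a scan over a whole chain should apply this to every certificate except the self-signed root, whose signature is not relied upon.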