Presentation is loading. Please wait.

Presentation is loading. Please wait.

MD5 Considered Harmful Today Creating a rogue CA certificate Alexander Sotirov Marc Stevens Jacob Appelbaum Arjen Lenstra David Molnar Dag Arne Osvik Benne.

Published byMoses Whitaker Modified over 9 years ago

Similar presentations

Presentation on theme: "MD5 Considered Harmful Today Creating a rogue CA certificate Alexander Sotirov Marc Stevens Jacob Appelbaum Arjen Lenstra David Molnar Dag Arne Osvik Benne."— Presentation transcript:

1 MD5 Considered Harmful Today Creating a rogue CA certificate Alexander Sotirov Marc Stevens Jacob Appelbaum Arjen Lenstra David Molnar Dag Arne Osvik Benne de Weger New York, USA CWI, Netherlands Noisebridge/Tor, SF EPFL, Switzerland UC Berkeley, USA EPFL, Switzerland TU/e, Netherlands

2 Introduction International team of researchers ○ working on chosen-prefix collisions for MD5 MD5 is still used by real CAs to sign SSL certificates today ○ MD5 has been broken since 2004 ○ theoretical CA attack published in 2007 We used a MD5 collision to create a rogue Certification Authority ○ trusted by all major browsers ○ allows man-in-the-middle attacks on SSL

3 Overview of the talk Public Key Infrastructure MD5 chosen-prefix collisions Generating colliding certificates ○ on a cluster of 200 PlayStation 3’s Impact Countermeasures Conclusion

4 Live demo 1. Set your system date to August 2004 ○ intentional crippling of our demo CA ○ not a technical limit of the method itself 2. Connect to our wireless network ○ ESSID “MD5 Collisions Inc” 3. Connect to any secure HTTPS website ○ MITM attack ○ check the SSL certificate!

5 Public Key Infrastructure Part I

6 Overview of SSL Wide deployment ○ web servers ○ email servers (POP3, IMAP) ○ many other services (IRC, SSL VPN, etc) Very good at preventing eavesdropping ○ asymmetric key exchange (RSA) ○ symmetric crypto for data encryption Man-in-the-middle attacks ○ prevented by establishing a chain of trust from the website digital certificate to a trusted Certificate Authority

7 Certification Authorities (CAs) Website digital certificates must be signed by a trusted Certificate Authority Browsers ship with a list of trusted CAs ○ Firefox 3 includes 135 trusted CA certs CAs’ responsibilities: ○ verify the identity of the requestor ○ verify domain ownership for SSL certs ○ revoke bad certificates

8 Certificate hierarchy

9 Obtaining certificates 1. User generates private key 2. User creates a Certificate Signing Request (CSR) containing –user identity –domain name –public key 3. CA processes the CSR –validates user identity –validates domain ownership –signs and returns the certificate 4. User installs private key and certificate on a web server

10 MD5 Collisions Part II

11 Overview of MD5 Hash function MD5 designed in 1991: Iterative design using compression function Collisions = different messages, same hash M1M1 M2M2 M3M3 M4M4 IHV 0 Com- press IHV 4

12 MD5 Collisions in 2004 2004: First MD5 collision attack Only difference between messages in random looking 128 collision bytes Currently < 1 second on PC MD5() = MD5()

13 MD5 Collisions in 2004 Attack scenarios Generate specific collision blocks Use document format IF…THEN…ELSE Both payloads present in both files Colliding PostScript files with different contents Similar examples with other formats: DOC, PDF Colliding executables with different execution flows

14 MD5 Collisions in 2007 2007: Stronger collision attack Chosen-Prefix Collisions Messages can differ freely up to the random looking 716 collision bytes Currently approx. 1 day on PS3+PC MD5() = MD5()

15 MD5 Collisions in 2007 Second generation attack scenarios Using chosen-prefix collisions No IF…THEN…ELSE necessary ○ Each file contains single payload instead of both ○ Collision blocks not actively used in format Colliding executables ○ Malicious payload cannot be scanned in harmless executable Colliding documents (PDF, DOC, …) ○ Collision blocks put inside hidden raw image data

16 Generating Colliding Certificates Part III

17 History of colliding certificates Certificates with colliding to-be-signed parts generate a pair of certificates sign the legitimate certificate copy the signature into the rogue cert Previous work Different RSA public keys in 2005 ○ using 2004 collision attack Different identities in 2006 ○ using chosen-prefix collisions ○ the theory is well known since 2007

18 Colliding certificates in 2006 serial number validity period real cert domain name real cert RSA key X.509 extensions signature identical bytes (copied from real cert) collision bits (computed) chosen prefix (difference) serial number validity period rogue cert domain name real cert RSA key X.509 extensions signature set by the CA

19 Vulnerable CAs in 2008 We collected 30,000 website certificates ○ 9,000 of them were signed with MD5 ○ 97% of those were issued by RapidSSL CAs still using MD5 in 2008: ○ RapidSSL ○ FreeSSL ○ TrustCenter ○ RSA Data Security ○ Thawte ○ verisign.co.jp

20 Predicting the validity period RapidSSL uses a fully automated system The certificate is issued exactly 6 seconds after we click the button and expires in one year.

21 Predicting the serial number RapidSSL uses sequential serial numbers: Nov 3 07:42:02 2008 GMT 643004 Nov 3 07:43:02 2008 GMT 643005 Nov 3 07:44:08 2008 GMT 643006 Nov 3 07:45:02 2008 GMT 643007 Nov 3 07:46:02 2008 GMT 643008 Nov 3 07:47:03 2008 GMT 643009 Nov 3 07:48:02 2008 GMT 643010 Nov 3 07:49:02 2008 GMT 643011 Nov 3 07:50:02 2008 GMT 643012 Nov 3 07:51:12 2008 GMT 643013 Nov 3 07:51:29 2008 GMT 643014 Nov 3 07:52:02 2008 GMT ?

22 Predicting the serial number Remote counter ○ increases only when people buy certs ○ we can do a query-and-increment operation at a cost of buying one certificate Cost ○ $69 for a new certificate ○ renewals are only $45 ○ up to 20 free reissues of a certificate ○ $2.25/query-and-increment operation

23 Certificates issued per weekend

24 Predicting the serial number 1. Get the serial number S on Friday 2. Predict the value for time T on Sunday to be S+1000 3. Generate the collision bits 4. Shortly before time T buy enough certs to increment the counter to S+999 5. Send colliding request at time T and get serial number S+1000

25 Collision generation Based on the 2007 chosen-prefix collisions paper with new improvements 1-2 days on a cluster of 200 PlayStation 3’s Equivalent to 8000 desktop CPU cores or $20,000 on Amazon EC2

26 Creating an intermediate CA serial number validity period real cert domain name real cert RSA key X.509 extensions signature rogue CA cert rogue CA RSA key rogue CA X.509 extensions Netscape Comment Extension (contents ignored by browsers) signature identical bytes (copied from real cert) collision bits (computed) chosen prefix (difference) CA bit!

27 Real life execution of the attack 3 failed attempts ○ problems with timing ○ other CA requests stealing our serial number Finally success on the 4 th attempt! Total cost of certificates: USD $657

28 Impact Part IV

29 Man-In-The-Middle We can sign fully trusted certificates Perfect man-in-the-middle attacks A malicious attacker can pick a more realistic CA name and fool even experts

30 Connection hijacking MITM requires connection hijacking: Insecure wireless networks ARP spoofing Proxy autodiscovery DNS spoofing Owning routers

31 Countermeasures Part V

32 Preventing harm from our cert We’re not releasing the private key Our CA cert was backdated to Aug 2004 ○ just for demo purposes, a real malicious attacker can get a cert that never expires Browser vendors can blacklist our cert ○ we notified them in advance Users might be able to blacklist our cert

33 Revocation issues Our CA cert is not easily revocable! CRL and OCSP get the revocation URL from the cert itself Our cert contains no such URL Revocation checking is disabled in Firefox 2 and IE6 anyways Possible fixes: Large organizations can set up their own custom OCSP server and force OCSP revocation checking.

34 EV certs Extended Validation (EV) certs: supported by all major browsers EV CAs are not allowed to use MD5 safe against this attack Do users really know how to tell the difference between EV and regular certs?

35 Repeating the attack With optimizations the attack might be done for $2000 on Amazon EC2 in 1 day We want to prevent malicious entities from repeating the attack: We are not releasing our collision finding implementation or improved methods until we feel it’s safe We’ve talked to the affected CAs: they will switch to SHA-1 very, very soon

36 Has this already been done? No way to tell. The theory has been public since 2007 Our legitimate certificate is completely innocuous, the collision bits are hidden in the RSA key, but they look random Can we still trust CA certs that have been used to sign anything with MD5 in the last few years?

37 Lessons for the future We need defense in depth ○ random serial numbers ○ random delay when signing certs Future challenges: ○ second preimage against MD5 ○ collisions in SHA-1 Dropping support for a broken crypto primitive is very hard in practice ○ but crypto can be broken overnight ○ what do we do if SHA-1 or RSA falls tomorrow?

38 Conclusion Part VI

39 Conclusion No need to panic, the Internet is not completely broken The affected CAs are switching to SHA-1 Making the theoretical possible is sometimes the only way you can affect change and secure the Internet

40 Acknowledgements The Electronic Frontier Foundation Jennifer Granick, Joseph Gratz Our lawyers from CWI, TU/e and EPFL and all other lawyers we’ve forgotten Dan Kaminsky for his SSL cert collection Ralf-Philipp Weinmann for his inspiration Len Sassaman, Meredith Patterson Microsoft Mozilla

Download ppt "MD5 Considered Harmful Today Creating a rogue CA certificate Alexander Sotirov Marc Stevens Jacob Appelbaum Arjen Lenstra David Molnar Dag Arne Osvik Benne."

Similar presentations

SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.

SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.
Why Eve & Mallory Love Android

Why Eve & Mallory Love Android
HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.

HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.
Public Key Infrastructure Alex Bardas. What is Cryptography ? Cryptography is a mathematical method of protecting information –Cryptography is part of,

Public Key Infrastructure Alex Bardas. What is Cryptography ? Cryptography is a mathematical method of protecting information –Cryptography is part of,
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
“Defeating SSL” Impact of Hash collisions on cyber security By vaibhav.

“Defeating SSL” Impact of Hash collisions on cyber security By vaibhav.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.

Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Similar presentations

Ads by Google