Subscribe
Blog / Podcast Readers
NEWSGATOR YAHOO
BLOGLINES ITUNES
DEL.ICIO.US DIRECT RSS

A Real New Year's Hash

by Sam Curry on 1/1/2009
Topics: Authentication | E-Security | Encryption | Identity Protection

The New Year has just arrived and I'm reminded how, globally, we are all connected in ways that would have been impossible 20 years ago: it's almost hackneyed to say it again, but thanks to an amazing combination of infrastructure and technology, we can live, work and play from Mumbai to London and from Tokyo to New York City as one world in real-time. Of course, a lot of this is dependent on some of the basic building blocks we use being sound, and in the last few days one of these building blocks has come under attack: MD5 is on its last legs as a tool in the cryptographic toolbox.

I've been following the ins-and-outs of the recent, practical exploit of MD5 posted on Phreedom.org by Alexander Sotirov and some of the wake this has caused. Their claim (Alexander is one of seven researchers in the US, Switzerland and the Netherlands — and one of the other researchers, Arjen Lenstra, is a winner of the 2008 RSA Conference Award in Mathematics) is that they can create a collision attack that permits forgery of a valid certificate chain for digital certificates.

The two Root Certificate Authorities (CAs) owned and offered by RSA are based on SHA-1 and therefore are not vulnerable to this collision attack. We have not used MD5 in either of RSA's certificate authorities for over a dozen years. Read on for more details.

I've decided to write this in sections for different readers: some may want to know more about hashing, some may want to know what it means for RSA products and services and some may want the "net" or bottom line; so hopefully writing this way means you can jump to the part you care most about!

Making a Hash of IT

(Security experts may want to skip this next paragraph)

Hash algorithms (such as MD4 — now defunct — MD5 and the SHA family) allow a message to be "crunched" in such a way that it always produces a given, fixed-length output. A slight change in the original text should produce a radically different output. Given the infinite number of inputs and the finite number of outputs, there are always multiple inputs that have the same output — but hashing has always been used on the premise that finding two inputs for the same output is computationally extremely difficult (though not impossible) and impractical for building a real exploit.

As an interesting side note for trivia lovers like me, the term hash was apparently originally used by Hans Peter Luhn of IBM to mean "to chop and to mix" or "to hash."

What's the news?
The reported collision attack is effectively finding a practical pair of inputs and implementing an attack that can meaningfully exploit a cryptography-based business process (most of them!) in real-time. And here is where the work of Mr. Sotirov and company is particularly valuable: they have apparently developed a meaningful attack for exploiting the Internet public key infrastructure (PKI) that is dependent on MD5 as the hashing algorithm used to "sign" (it's not really a signature — it's much more "fingerprint-like" for integrity checking) digital certificates.

What does it mean for us all?
To begin with, this is not a cause for panic: yes, we depend on hash algorithms for the Internet "bar" to be hacked to remain high and we need trust for it to function as we want. However, I would point out that this is actually healthy behavior. Let's look at a few points...

  1. This was done in responsible conditions, apparently. (note: I haven't spoken to the Phreedom.org team at this point and haven't looked deeply at their work — I wasn't at their Dec. 30 presentation at the Chaos Communications Congress in Berlin, either). It does look like a responsible post and solid, qualified work in controlled conditions — well published and well documented.
  2. There are as yet no "in the wild" instances of this exploit that are known or documented, meaning you are safe at the moment. However, don't underestimate the speed with which the darker side of the Internet can mobilize: any independent software vendor, online retailer or service provider who is using MD5 needs to pay attention to this right now.
  3. There are other hash algorithms — of course some implementations may take time to change what they use, but now the onus is on them to do so. Move to another algorithm now (such as SHA-2 or RIPEMD-160).

RSA Products and Services
Since 1996, RSA has been advocating not using MD5 as a hash algorithm (the bulletin advocating this is here). We have not used MD5 in either of RSA's certificate authorities for over a dozen years. Both of our certificate authorities’ default hash algorithm is SHA-1. Our CA’s are named “RSA 2048” and “Valicert Public Root”. I am surprised that the researchers claim that there is an RSA-issued certificate from 2008 that used MD5 since our own internal enumeration shows otherwise. Any references to “RSA” or “RSA Data Security” in their research may very well be out of date.

As a side note, there is a theoretical weakness in SHA-1, with no real world implementation. Preemptively, we have had plans in the works to move to SHA-2 as our standard.

Hashing it all Together
So, as we bid farewell to 2008 and watch the world move ahead into 2009, we see an old tool move out of the toolbox and be replaced by new ones. It's not the end of the world, and in fact it's a most healthy sign that we test our building blocks and improve on them. So long as the processes exist to swap out defunct modules, it's arguable that this isn't only inevitable but is also desirable for building a strong Internet that is getting stronger as it adapts and evolves.

For those of you who want some fun, there is also a competition put on by NIST for a SHA-3 algorithm. It's not as much fun as the apparent 200 PS3's that are clustered what Kevin Poulsen dubbed the "PlayStation Lab" used by the researchers, but it may be more rewarding in the long term!

Comments
RSA CA using MD5

If you look in Firefox, there is an entry for RSA Data Security, Inc. which is likely a legacy from LONG ago. The full Builtin Object Token name is Verisign/RSA Secure Server CA with a DN of: OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US and a serial number of 02:AD:66:7E:4E:45:FE:5E:57:6F:3C:98:19:5E:DD:C0 . It uses MD5, and expires 1/7/2010.

- A. Nonymous
RSA issued cert signed with MD5

Hi Sam, Thanks for the great blog post, it is one of the best on the subject I've seen. I am one of the members of the research team who presented this work and I want to clarify one of the points from our presentation. One of the MD5 signed certs we found in the wild was issued by a CA with an issuer name C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority . You can see the cert if you connect to https://aumnicat.aum.edu/ This root certificate is currently listed on https://www.verisign.com/repository/root.html. The root seems to be owned and operated by Verisign, but it still has RSA Data Security in its name, hence the confusion.

- Alexander Sotirov
Response to RSA issued cert signed with MD5

I should perhaps say "thanks for the great research" in response to that!

I don't know how well you know the ancient (in Internet terms) history of RSA and of VeriSign, but we essentially have some common roots (no pun intended). The original, RSA Data Security (i.e. pre-SDI and pre-EMC acquisition) digital certificate product was in fact transferred to VeriSign many year ago, and for that reason the "RSA" in the label is actually not one of our assets and is out of our control.

Technically, that means it's not RSA - but that is confusing to people, and in this case to a large number of people who might see it and come to us for help. With that in mind, I will append to the blog a comment about this.

Thanks again for writing and for such well done, responsible work.

All the best,

- Sam
Additional Comments on "A Real New Year's Hash", by Sam Curry

This is one of those rare cases where the history of the certificate is critical.  In spite of the name of the certificate, it is actually a VeriSign certificate.  The history of VeriSign includes a transfer of the original certificate solution from RSA to VeriSign, and this legacy is the reason for an RSA Data Security (the name of the original, pre-SDI, pre-EMC, pre-RSA Security incarnation of RSA) label being outside of the RSA purview.  It should be further noted that this is found in Mozilla and Firefox. Sorry for the original exclusion since this cert is actually a bizarre case that requires an understanding of some quite ancient (in Internet terms) corporate history!

As Alex Sotirov informed me, you can find a list of VeriSign roots here, and the Tim Callan's blog at VeriSign has many useful links and information.

- Sam Curry

Post A Comment

Your Name
Your Email Publish email?: Yes No
Your Blog
Subject
Comment
Verification Word
© 2010 RSA Security. All rights reserved | Privacy | Legal | Site Map

RSA, The Security Division of EMC, provides Secure Data, Compliance, SIM, SEM, SIEM, PCI, Consumer Identity, Two-Factor Authentication, Custom Applications, Consulting, Assessment, and other security solutions and services to over 90% of the Fortune 500.
 
Access Control |  Authentication and Identity Assurance |  Credential Management |  Data Loss Prevention |  Data Encryption and Key Management |  Fraud Prevention |  Security Information and Event Management |  Log Management |  IT Compliance |  ISO 27002 Compliance |  Information Risk Management for Financial Services |  Payment Card Industry Data Security Standard | 
 
RSA Access Manager
RSA BSAFE
RSA eFraudNetwork
 RSA Data Loss Prevention
RSA Consumer Solutions
RSA FraudAction
 RSA Digital Certificate Solutions
RSA Encryption/Key Management
RSA Enterprise Data Security
 RSA enVision
RSA SecurID
RSA Smart Cards

 RSA Federated Identity Manager
RSA Adaptive Authentication