Location: List Archives

List Archives

This forum is an archive of all posts to our mailing list over the past few years.  The forum is set read only therefore to contribute you will need to join our list community.  See more info about this here.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

List Archives

Forums >ActiveDir Mail List Archive >List Archives
Subject: [ActiveDir] OT: Research proves feasibility of collision attacks against MD5
Prev Next
You are not authorized to post a reply.

AuthorMessages
sbradcpaUser is Offline

Posts:496

12/30/2008 12:02 PM  

http://www.win.tue.nl/hashclash/rogue-ca/

• Microsoft Security Advisory 961509– Research proves feasibility of
collision attacks against MD5 -
http://www.microsoft.com/technet/security/advisory/961509.mspx

Microsoft is aware that research was published at a security conference
proving a successful attack against X.509 digital certificates signed
using the MD5 hashing algorithm. This attack method could allow an
attacker to generate additional digital certificates with different
content that have the same digital signature as an original
certificate. The MD5 algorithm had previously shown a vulnerability,
but a practical attack had not yet been demonstrated.



This new disclosure does not increase risk to customers
significantly, as the researchers have not published the cryptographic
background to the attack, and the attack is not repeatable without this
information. Microsoft is not aware of any active attacks using this
issue and is actively working with certificate authorities to ensure
they are aware of this new research and is encouraging them to migrate
to the newer SHA-1 signing algorithm.



While this issue is not a vulnerability in a Microsoft product,
Microsoft is actively monitoring the situation and has worked with
affected Certificate Authorities to keep customers informed and to
provide customer guidance as necessary.



===================================

MITIGATING FACTORS

===================================



• Microsoft is not aware of specific attacks against MD5, so
previously issued certificates that were signed using MD5 are not
affected and do not need to be revoked. This issue only affects
certificates being signed using MD5 after the publication of the attack
method.



• Most public Certificate Authority roots no longer use MD5 to
sign certificates, but have upgraded to the more secure SHA-1
algorithm. Customers should contact their issuing Certificate Authority
for guidance.



• When visited, Web sites that use Extended Validation (EV)
certificates show a green address bar in most modern browsers. These
certificates are always signed using SHA-1 and as such are not affected
by this newly reported research.



===================================

RECOMMENDATIONS

===================================



Review Microsoft Security Advisory 961509 for an overview of the
issue, details on affected components, mitigating factors, suggested
actions, frequently asked questions (FAQ), and links to additional
resources.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
You are not authorized to post a reply.
Forums >ActiveDir Mail List Archive >List Archives > [ActiveDir] OT: Research proves feasibility of collision attacks against MD5



ActiveForums 3.7
Friends

Friends

VisualClickButoton
Members

Members

MembershipMembership:
Latest New UserLatest:janders14
New TodayNew Today:0
New YesterdayNew Yesterday:0
User CountOverall:4825
People OnlinePeople Online:
VisitorsVisitors:70
MembersMembers:0
TotalTotal:70
Online NowOnline Now:

Ads

Copyright 2009 ActiveDir.org
Terms Of Use