Subject: Re: [ActiveDir] OT: Research proves feasibility of collision attacks against MD5
beads

12/30/2008 1:03 PM  
Interesting presentation.

Extended Validation certs are not vulnerable, though Firefox does show the
MD5 anyway. Who'd have thought any good could have come from using EV certs?

The sheer cost alone should deter most wannabe hackers from pulling this
off in a reasonable manner. Figure given was about $20,000 of Amazon EC2
time or roughly a day with a PS3 plus "computer". The processing power of
the computer wasn't specified unless I missed it.

Once the remaining CAs issue/reissue certs with SHA-1 the hack is broken.
Still there will be old certs out there that will be vulnerable for a
while but for how long? Time will tell.

The jury is still out on this one but I am seeing this as an expensive
mixed bag. Certainly not the end of the world due to the specialized
hardware and/or cost involved in completing the hack. To make this
worthwhile you'd have to go after nothing but the biggest names or be
very, very serious about stomping a competitor.









"Susan Bradley, CPA" <sbradcpa@pacbell.net>
Sent by: ActiveDir-owner@mail.activedir.org
12/30/2008 10:56 AM
Please respond to: ActiveDir@mail.activedir.org
To: activeDir@mail.activedir.org
cc:
Subject: [ActiveDir] OT: Research proves feasibility of collision attacks against MD5









http://www.win.tue.nl/hashclash/rogue-ca/

Microsoft Security Advisory 961509: Research proves feasibility of
collision attacks against MD5 -
http://www.microsoft.com/technet/security/advisory/961509.mspx

Microsoft is aware that research was published at a security conference
proving a successful attack against X.509 digital certificates signed
using the MD5 hashing algorithm. This attack method could allow an
attacker to generate additional digital certificates with different
content that have the same digital signature as an original
certificate. The MD5 algorithm had previously shown a vulnerability,
but a practical attack had not yet been demonstrated.



This new disclosure does not increase risk to customers
significantly, as the researchers have not published the cryptographic
background to the attack, and the attack is not repeatable without this
information. Microsoft is not aware of any active attacks using this
issue and is actively working with certificate authorities to ensure
they are aware of this new research and is encouraging them to migrate
to the newer SHA-1 signing algorithm.



While this issue is not a vulnerability in a Microsoft product,
Microsoft is actively monitoring the situation and has worked with
affected Certificate Authorities to keep customers informed and to
provide customer guidance as necessary.



===================================

MITIGATING FACTORS

===================================



* Microsoft is not aware of specific attacks against MD5, so
previously issued certificates that were signed using MD5 are not
affected and do not need to be revoked. This issue only affects
certificates being signed using MD5 after the publication of the attack
method.



* Most public Certificate Authority roots no longer use MD5 to
sign certificates, but have upgraded to the more secure SHA-1
algorithm. Customers should contact their issuing Certificate Authority
for guidance.



* When visited, Web sites that use Extended Validation (EV)
certificates show a green address bar in most modern browsers. These
certificates are always signed using SHA-1 and as such are not affected
by this newly reported research.



===================================

RECOMMENDATIONS

===================================



Review Microsoft Security Advisory 961509 for an overview of the
issue, details on affected components, mitigating factors, suggested
actions, frequently asked questions (FAQ), and links to additional
resources.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

Message scanned by TrendMicro
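
Added example, not part of the original posts or the advisory: a way to inventory which certificates are still signed with MD5, the condition both messages above turn on. It reads the outer signatureAlgorithm OID from DER-encoded X.509 data using only the Python standard library; the sample inputs and their names are constructed DER skeletons, not real certificates.

```python
# Added example: name the signature algorithm of a DER X.509 certificate (stdlib only).
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    first = min(body[0] // 40, 2)           # first byte packs the first two arcs
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:                      # later arcs are base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, start)            # skip over tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)  # outer AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)           # unknown OIDs come back in dotted form

def md5_signed(certs):
    """certs maps a name to DER bytes; return the names signed with MD5."""
    return sorted(name for name, der in certs.items()
                  if signature_algorithm(der) == "md5WithRSAEncryption")

# Constructed skeletons (not real certificates): just enough DER to carry the OID.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only (< 128 bytes)
def _skeleton(last_arc):
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])
    alg = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01") + alg) + alg + _tlv(0x03, b"\x00" * 9))

SAMPLES = {"legacy-intranet": _skeleton(4), "ev-site": _skeleton(5)}
```

For PEM files, convert to DER first with `ssl.PEM_cert_to_DER_cert` before calling `signature_algorithm`.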