[Sysops-list] Fwd: [Full-disclosure] Creating a rogue CA certificate
Bipin Gautam
bipin.gautam at gmail.com
Thu Jan 1 11:18:42 EST 2009
An important issue, go through it!
Forwarded conversation
Subject: [Full-disclosure] Creating a rogue CA certificate
------------------------
From: *Elazar Broad* <elazar at hushmail.com>
Date: Tue, Dec 30, 2008 at 10:48 PM
To: full-disclosure at lists.grok.org.uk
SSL/PKI is only as strong as the weakest CA...
For those of you who haven't been following this, here you go:
http://www.win.tue.nl/hashclash/rogue-ca/
http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt
Enjoy and Happy New Years!
elazar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
----------
From: *James Matthews* <nytrokiss at gmail.com>
Date: Wed, Dec 31, 2008 at 12:47 AM
To: Elazar Broad <elazar at hushmail.com>
Cc: full-disclosure at lists.grok.org.uk
This is going to be fun for all e-commerce sites etc....
--
http://www.astorandblack.com/
----------
From: *Elazar Broad* <elazar at hushmail.com>
Date: Wed, Dec 31, 2008 at 1:20 AM
To: nytrokiss at gmail.com
Cc: full-disclosure at lists.grok.org.uk
I am waiting for RapidSSL's reaction, then again, $12 certs, you
get what you pay for...
----------
From: *n3td3v* <xploitable at gmail.com>
Date: Wed, Dec 31, 2008 at 1:55 AM
To: Elazar Broad <elazar at hushmail.com>, full-disclosure at lists.grok.org.uk
Aiding script kids to get credit card numbers out of folks' e-commerce
purchases. I'm sure the U.S. secret service have a special interest in
this vulnerability, as so much of their time nowadays is taken up
following up on internet carders and shutting them down.
----------
From: *j-f sentier* <j.sentiar at gmail.com>
Date: Wed, Dec 31, 2008 at 2:06 AM
To: n3td3v <xploitable at gmail.com>, full-disclosure at lists.grok.org.uk
Wassup kid no one post on your brainless mailing-list, so you troll back
around here ?
----------
From: <jlay at slave-tothe-box.net>
Date: Wed, Dec 31, 2008 at 2:01 AM
To: full-disclosure at lists.grok.org.uk
From Microsoft:
http://www.microsoft.com/technet/security/advisory/961509.mspx
"Microsoft is not aware of specific attacks against MD5, so previously
issued certificates that were signed using MD5 are not affected and do not
need to be revoked. This issue only affects certificates being signed
using MD5 after the publication of the attack method."
I take it the above is incorrect?
James
----------
From: *Nelson Murilo* <nelson at pangeia.com.br>
Date: Wed, Dec 31, 2008 at 2:11 AM
To: full-disclosure at lists.grok.org.uk
Implementation could be new, but this vulnerability is known since 2004,
the year that md5 was broken.
http://www.cryptography.com/cnews/hash.html
./nelson -murilo
----------
From: *Elazar Broad* <elazar at hushmail.com>
Date: Wed, Dec 31, 2008 at 2:58 AM
To: full-disclosure at lists.grok.org.uk, nelson at pangeia.com.br
And they should have listened then, it was only a matter of time
before someone fleshed out a practical attack, and that time is
now. Then again, I am sure there are some ATMs out there still using
DES. How many times do we need to prove Moore's law...
----------
From: *Ureleet* <ureleet at gmail.com>
Date: Wed, Dec 31, 2008 at 4:01 AM
To: j-f sentier <j.sentiar at gmail.com>
Cc: full-disclosure at lists.grok.org.uk
exactly.
----------
From: *Ureleet* <ureleet at gmail.com>
Date: Wed, Dec 31, 2008 at 4:01 AM
To: n3td3v <xploitable at gmail.com>
Cc: full-disclosure at lists.grok.org.uk
u know nothing of which you speak. stop now be4 u make a bigger ass of
urself.
----------
From: <Valdis.Kletnieks at vt.edu>
Date: Wed, Dec 31, 2008 at 4:14 AM
To: full-disclosure at lists.grok.org.uk
Dear Idiot:
This is hardly an attack that the average script kiddie can pull off.
The *real* danger here is the fact that groups like RBN are *not* kiddies.
----------
From: <Valdis.Kletnieks at vt.edu>
Date: Wed, Dec 31, 2008 at 3:27 AM
To: Elazar Broad <elazar at hushmail.com>
Cc: full-disclosure at lists.grok.org.uk
Playing devil's advocate for a moment...
And perhaps they *were* listening, but realized that security is about
tradeoffs, and they balanced the cost of doing the upgrade back then
against the chances that a team as technically and budget-wise prepared
as this one, *and with nefarious intent*, would do something significantly
drastic enough to dent their revenue stream.
Read section 5.2 of the hashclash/rogue-ca paper. The victim CA is churning
out an average of 1,000 certs in 3 days, let's say at $12 per. That's some
$600K per year for just the weekends, not counting the Mon-Thurs span which
is probably even higher (and why they targeted a weekend). So $2M per year
or more.
Who wants to place a bet that said CA will be selling *the same number*
of certs every week, meaning they had *no* economic loss due to this hack,
because their customers won't actually *see* the news article and give them
a bad feeling about their CA? And with no actual loss, why spend the money
to implement the change?
Hint: It *isn't* just a matter of changing one line in a script to say
'sha1' instead of 'md5' - you *also* need to go back and look at all the
certs you've issued already and figure out if they've been tweaked...
----------
From: *don bailey* <don.bailey at gmail.com>
Date: Wed, Dec 31, 2008 at 4:26 AM
To: full-disclosure at lists.grok.org.uk
> Dear Idiot:
>
I don't appreciate you using this kind of language against
someone on this list, even if it is aimed at "netdev". The
fact that you've chosen this kind of petty and derogatory
tactic exposes your true character.
I've lost a lot of respect for you today, Mr. Valdis
Kletnieks.
D
----------
From: *n3td3v* <xploitable at gmail.com>
Date: Wed, Dec 31, 2008 at 4:27 AM
To: Valdis.Kletnieks at vt.edu, full-disclosure at lists.grok.org.uk
Until HD Moore releases an attack module for it.
----------
From: *chort* <chort0 at gmail.com>
Date: Wed, Dec 31, 2008 at 5:14 AM
To: n3td3v <xploitable at gmail.com>
Cc: full-disclosure at lists.grok.org.uk, Valdis.Kletnieks at vt.edu
Since you're so certain this is possible, could you kindly summarize
(at a high level, no need for detail) how this could be accomplished?
Now that you're unable to do so, I will explain why: Because you
don't have a clue how PKI works, much less how it's possible to
exploit it, which is really tragic considering there are plenty of
pretty graphs and dumbed-down explanations out there now that even a
drop-out should be able to comprehend.
Assuming source code, or even full attack details, are published any
time soon, will HD Moore also be sending out free super-computing
clusters to find the MD5 collisions? Will he be sending free money to
buy the certificates required to accurately predict the serial number
to generate? This isn't some SQL injection or remote buffer overflow,
there are a lot of manual steps involved that cannot simply be plugged
into a generic attack platform.
You're an ignorant fool. You should ask questions to learn how things
work before you spout opinions. Statements are only thought-provoking
if they're made based on comprehension of the subject matter. The
only thing you have full comprehension of is how to hit Send, and
that's quite unfortunate.
--
chort
----------
From: <Valdis.Kletnieks at vt.edu>
Date: Wed, Dec 31, 2008 at 5:47 AM
To: full-disclosure at lists.grok.org.uk
http://www.win.tue.nl/hashclash/rogue-ca/ had reasonably complete details,
at least enough to make obviously clear that this is one attack that will
*not* make it into metasploit (which makes it pretty obvious that n3td3v did
not in fact read and comprehend that URL before commenting).
About the only part that isn't spelled out is in section 5.3.4:
"However, some crucial improvements to this method have been developed that
made the present application possible. Details of those improvements will be
published in a forthcoming academic paper."
And if you don't have a room full of PS3s, the FAQ at the bottom helpfully
tells you that the attack needed the equivalent of 32 CPU-years inside a 3-day
window, which tells you a 4,000 node botnet could probably work (again, outside
the feature list for metasploit). Presumably, a larger botnet would allow
a BFI attack that lacked the "crucial improvements".
----------
From: *chort* <chort0 at gmail.com>
Date: Wed, Dec 31, 2008 at 6:04 AM
To: Valdis.Kletnieks at vt.edu
Cc: full-disclosure at lists.grok.org.uk
The viability of that approach depends on how much the code depends on
the systems being clustered together over low-latency interconnects.
4000 machines spread all across the internet separated by 300ms of
latency is not the same thing as 4000 machines in the same room
running a cluster OS.
Yes, given enough machines you could do the computations even with
each system acting fairly autonomously, but it could require a
drastically different approach. As a disclaimer, I do not know the
details of how the PlayStation Lab was utilized for this particular
task, so they may well have been used as discrete units.
----------
From: <Valdis.Kletnieks at vt.edu>
Date: Wed, Dec 31, 2008 at 6:12 AM
To: chort <chort0 at gmail.com>
Cc: full-disclosure at lists.grok.org.uk
They give a hint that it's *highly* parallel code:
"This part is not suited for the PS3s SPU cores due to the large memory demands
and the high number of branches in the software execution flow."
Presumably, if the hit that a lot of branches create is bad, the *huge*
hit of even an Infiniband interconnect would be fatal...
----------
From: *chort* <chort0 at gmail.com>
Date: Wed, Dec 31, 2008 at 6:34 AM
To: Valdis.Kletnieks at vt.edu
Cc: full-disclosure at lists.grok.org.uk
Ah, you're nit-picking on the fact that I mistakenly mentioned the
actual collision rather than the birthday attack, so yes my bad for
being careless with my terminology.
The more time-consuming part of the computation was the birthday
attack, which is what the PS3s _are_ good at. You're right that the
collision blocks worked better on machines with more RAM and
instruction sets/pipelines designed for more branching.
In any case, we don't disagree that it's possible to conduct the
attack with a moderate-sized botnet. We also agree that nutd0rk has
no idea what he's talking about (not that he ever does), so this
discussion seems to be heading nowhere.
----------
From: *Ureleet* <ureleet at gmail.com>
Date: Wed, Dec 31, 2008 at 8:08 PM
To: n3td3v <xploitable at gmail.com>
Cc: full-disclosure at lists.grok.org.uk, Valdis.Kletnieks at vt.edu
ROFL. wow. with a single statement u proved how woefully unaware u r
of security.
point proved.
----------
From: *Elazar Broad* <elazar at hushmail.com>
Date: Wed, Dec 31, 2008 at 11:42 PM
To: valdis.kletnieks at vt.edu
Cc: full-disclosure at lists.grok.org.uk
That's true, keeping up with security is not cheap nor easy.
Tradeoffs are tradeoffs, the question is, when it comes down to
the $$$, is more cost effective to be proactive vs reactive in this
case. Time will tell...
----------
From: *Elazar Broad* <elazar at hushmail.com>
Date: Wed, Dec 31, 2008 at 11:53 PM
To: valdis.kletnieks at vt.edu
Cc: full-disclosure at lists.grok.org.uk
<snip>
is more cost effective
</snip>
should have been is *it
----------
From: <Valdis.Kletnieks at vt.edu>
Date: Thu, Jan 1, 2009 at 12:01 AM
To: Elazar Broad <elazar at hushmail.com>
Cc: full-disclosure at lists.grok.org.uk
Meanwhile, doing nothing is *always* cheap and easy, especially when it's
very unlikely that *you* will end up paying the price...
The important point here is that the cost of the vulnerability is what
economists call an externality - the CA who issued the cert that got
abused isn't the one who ends up with the headache. If Certs-R-Us gives
BadGuy Inc a jiggered cert, and BadGuy Inc uses that to make a fake
Widgets-Today.com site and Joe Sixpack gets suckered, then Joe Sixpack
has a problem, Widgets-Today may have a problem - and neither victim is
very likely to blame Certs-R-Us - after all, Widgets-Today got *their*
cert from somebody else. Certs-R-Us doesn't have a problem unless they
end up on CNN - otherwise *their* potential customers won't know there's
an issue.
On the other hand, if Microsoft and Mozilla issue updates that make their
browsers reject out-of-hand any cert with an MD5, *that* will make Certs-R-Us
sit up and pay attention *immediately*, because "I bought a cert from you
and the frikking thing doesn't work" *does* impact their bottom line.
I predict that if Microsoft and Mozilla do this, there will be a lot of
ambulance-chasing, as opportunists spider the web looking for OpenSSL
connections that present a cert with MD5, and spam the site with "We have
sooper-cheap non-MD5 certs!" ads...
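
[Added example, not part of the original thread.] Both the "go back and look at all the certs you've issued" point and the "reject any cert with an MD5" point above come down to reading a certificate's signature algorithm; the sketch below does that for DER input with the standard library only. The two sample blobs are constructed certificate-shaped skeletons (dummy body and signature), and the names `legacy.example` and `current.example` are placeholders.

```python
# Flag certificates whose outer signatureAlgorithm is MD5-with-RSA.
MD5_RSA = "1.2.840.113549.1.1.4"        # md5WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"    # sha256WithRSAEncryption

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the base-128 sub-identifiers of an OBJECT IDENTIFIER."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    if not subids:
        raise ValueError("empty OID")
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_oid(cert_der):
    """OID of the outer signatureAlgorithm of a DER-encoded certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)                # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)              # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    return decode_oid(oid)

def audit(certs):
    """Names of certificates signed with MD5, i.e. the ones to re-issue."""
    return sorted(n for n, blob in certs.items() if signature_oid(blob) == MD5_RSA)

def _der(tag, body):                             # tiny encoder, used for the samples only
    n = len(body)
    head = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])
    return head + body

def _skeleton(last_arc):
    """Constructed sample: certificate-shaped DER with a dummy body and signature."""
    oid = _der(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc]))
    return _der(0x30, _der(0x30, bytes(200)) + _der(0x30, oid + b"\x05\x00")
                + _der(0x03, bytes(17)))

SAMPLES = {"legacy.example": _skeleton(4), "current.example": _skeleton(11)}
print(audit(SAMPLES))
```

For PEM files, convert first with `ssl.PEM_cert_to_DER_cert`. The check reads only the one certificate it is given, so intermediates in a chain need the same pass.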
----------
From: *fd throwaway* <fd.throwaway at gmail.com>
Date: Wed, Dec 31, 2008 at 6:26 PM
To: full-disclosure at lists.grok.org.uk
> -----Original Message-----
> From: full-disclosure-bounces at lists.grok.org.uk
> [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf
> Of jlay at slave-tothe-box.net
> Sent: Tuesday, December 30, 2008 3:17 PM
> To: full-disclosure at lists.grok.org.uk
> Subject: Re: [Full-disclosure] Creating a rogue CA certificate
> > SSL/PKI is only as strong as the weakest CA...
> > http://www.win.tue.nl/hashclash/rogue-ca/
> > http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt
>
> From Microsoft:
>
No it is correct because the attack creates a new CA from the compromised
cert which is then used to sign certs, it doesn't involve copying the
signatures of certs that already have been signed by legit CAs with the
exception of the one that is used to create the rogue CA
----------
From: *Steve Clement* <steve at localhost.lu>
Date: Thu, Jan 1, 2009 at 5:11 PM
To: n3td3v <xploitable at gmail.com>
Cc: "full-disclosure at lists.grok.org.uk" <full-disclosure at lists.grok.org.uk>,
"Valdis.Kletnieks at vt.edu" <Valdis.Kletnieks at vt.edu>
I saw the actual talk about it, I advise everyone to take a look at it
before waiting for an "attack module" as you would still need, as they
did, 200 PS3's.
Events.ccc.de tells you more and I am astonished by the fact that the
so-called 'researchers' on this list don't actually research the
subjects they post about.
Kudos again to the rogue CA team it must have been a burden.
Cheers,
Steve Clement
--
Agglomera
12, rue Jean Engling
Apartement 14A&B
L-1644 Luxembourg
Tel: +352 20 333 66
Fax: +352 20 333 66 9
http://www.agglomera.biz