A hole in the PKI has highlighted the importance of underpinning trust with sure technical implementation.
Just in time for the New Year's Eve parties, a group of crypto researchers has revealed a hole in the internet's public key infrastructure, the mysterious process underlying the ubiquitous ‘padlock' icon protection of SSL. Even the most technically naive internet user knows they should check there's a padlock before adding sensitive information.
In reality, protection of data – such as credit card details in transit – is only one part of a complex chain of security needed to keep the Bad Guys at bay.
However, one thing that has, until now, been fairly reliable is trusting the browser's commonsense when establishing a secure connection. The certificate scheme used is one of the internet's relative success stories, working quietly in the background and, in the main, not causing any problems.
It has not been perfect, though. Last May, the infamous Debian OpenSSL debacle resulted in a significant number of easily subverted website certificates.
The latest attack is far more serious. The internet PKI scheme relies on a relatively small number of trusted certification authorities (CAs), which are pre-loaded into users' browsers, allowing access to most SSL-protected sites without additional user intervention, such as manually loading certificates.
The latest attack shows that it is possible to get a certificate signed by a real CA, then surgically replace the contents while maintaining the signature's validity. This means the attacker can impersonate any “secure” website – and the end user, unless they're particularly paranoid, will not notice (currently only Firefox users with the SSLBlacklist plug-in will get a warning, others will need to manually examine the certificate).
The basic idea is quite simple. The attack takes advantage of weaknesses found in the MD5 digest algorithm. One of the cardinal rules of digest algorithms is that for a given message and its digest, it should be practically impossible to generate another message that matches the same digest.
If this assumption doesn't hold, it is possible to take the signature from one message and stick it on the end of your own message, giving it an ill-deserved air of respectability. Such “collisions” – two messages that generate the same digest – are something digest algorithms are specifically designed to avoid.
Collision weaknesses in MD5 first started to show around five years ago, and at the time the more paranoid of the crypto community were recommending ditching MD5 before things got too bad. Well, things just got that bad: several of the major CAs are (or were in late December 2008) still issuing certificates that used MD5 signatures.
Enter a group of very talented researchers, and a collection of 200 PlayStation 3 machines to do the brute force work. The end result is a “rogue” CA certificate that will be accepted without complaint by most internet browsers (for ethical reasons, the researchers made their certificate with an expiry date of 2004, preventing its abuse by less well-mannered people). The full details, in an extremely well produced paper, are at http://www.win.tue.nl/hashclash/rogue-ca/
The implementation is quite interesting, as it uses an often-ignored “Netscape comment” field in the certificate structure to insert the padding necessary to get the signature collision. Strict conformance to the standards would flag this as an error, but in practice most software simply ignores the field, so it slips through.
Fortunately, the offending CAs, who were issuing MD5-signed certificates, have reacted promptly and are now only using more robust digest algorithms. Once bitten, it is to be hoped they will react more promptly should holes appear in the current crop of “secure” digest algorithms.
All PKI systems involve a chain of trust, but there's an implied and often overlooked link in this chain: the technical implementation of the PKI scheme must be done securely. This attack is a timely reminder that just because crypto people sound paranoid, it doesn't mean they're not right.