Dailydave mailing list archives

Re: MD5 Considered Harmful Today: Creating a rogue CA certificate


From: Alexander Sotirov <alex () sotirov net>
Date: Wed, 31 Dec 2008 15:17:02 -0500

On Tue, Dec 30, 2008 at 01:18:06PM -0600, Thomas Ptacek wrote:
> So now that the details are (mostly) out, can you tell us who did
> what? Jeremy and I think the RapidSSL serial number was you.

This project was a collaboration, so I don't want to diminish anyone's
contributions. We discussed everything among all members of the team
and we all contributed to the success of this project.

Most of the theory behind our attack was published in the "Target Collisions
for MD5 and Colliding X.509 Certificates for Different Identities" paper in
2007 by Marc Stevens, Benne de Weger and Arjen Lenstra.

David Molnar and Jake Appelbaum noticed that RapidSSL was still using MD5 in
2008 and had the idea of flipping the CA bit to get an intermediate CA cert.
Jake mentioned it to me at CanSecWest this year.

After Dan broke DNS and SSL was the only thing keeping the sky from falling
completely, I decided to try to break that too. I talked to Jake and David
about the MD5 attack in July and we realized that we need chosen-prefix
collisions for it. We contacted the European researchers and they agreed to
work together with us on this project.

The RapidSSL timestamp and serial number work was indeed me (funny how some
people have such a recognizable research "signature" :-) Marc Stevens did
some very impressive work on improving the collision generation and ran the
code on Arjen's PS3 cluster.

Benne did the majority of the work on the paper and we all collaborated on the
slides and presentation. Jake did a very good job at dealing with the press,
getting us in touch with the EFF and convincing Mozilla to sign the NDA. He
and David also did the MITM demo for our talk.

I also want to thank the EFF for providing us with legal assistance and
negotiating the NDA with Microsoft and Mozilla. Jennifer Granick is
indeed awesome!

We also had assistance from lawyers from CWI, TU/e and EPFL, as well as
PR representatives from those institutions.

Microsoft helped us notify the affected CAs and served as an intermediary
between our team and the CAs. The MSRC was generally very helpful and
provided useful information about the full impact of the attack and
possible countermeasures.

This was the most difficult project to coordinate that I've ever been involved
with, but I am personally very happy with the results.

Take care,
Alex

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave