Dailydave mailing list archives
Re: MD5 Considered Harmful Today: Creating a rogue CA certificate
From: Alexander Sotirov <alex () sotirov net>
Date: Wed, 31 Dec 2008 15:17:02 -0500
On Tue, Dec 30, 2008 at 01:18:06PM -0600, Thomas Ptacek wrote:
> So now that the details are (mostly) out, can you tell us who did what? Jeremy and I think the RapidSSL serial number was you.
This project was a collaboration, so I don't want to diminish anyone's contributions. We discussed everything among all members of the team and we all contributed to the success of this project.

Most of the theory behind our attack was published in the "Target Collisions for MD5 and Colliding X.509 Certificates for Different Identities" paper in 2007 by Marc Stevens, Benne de Weger and Arjen Lenstra. David Molnar and Jake Appelbaum noticed that RapidSSL was still using MD5 in 2008 and had the idea of flipping the CA bit to get an intermediate CA cert. Jake mentioned it to me at CanSecWest this year. After Dan broke DNS and SSL was the only thing keeping the sky from falling completely, I decided to try to break that too. I talked to Jake and David about the MD5 attack in July and we realized that we needed chosen-prefix collisions for it. We contacted the European researchers and they agreed to work together with us on this project.

The RapidSSL timestamp and serial number work was indeed me (funny how some people have such a recognizable research "signature" :-). Marc Stevens did some very impressive work on improving the collision generation and ran the code on Arjen's PS3 cluster. Benne did the majority of the work on the paper and we all collaborated on the slides and presentation. Jake did a very good job at dealing with the press, getting us in touch with the EFF and convincing Mozilla to sign the NDA. He and David also did the MITM demo for our talk.

I also want to thank the EFF for providing us with legal assistance and negotiating the NDA with Microsoft and Mozilla. Jennifer Granick is indeed awesome! We also had assistance from lawyers from CWI, TU/e and EPFL, as well as PR representatives from those institutions. Microsoft helped us notify the affected CAs and served as an intermediary between our team and the CAs. The MSRC was generally very helpful and provided useful information about the full impact of the attack and possible countermeasures.
This was the most difficult project to coordinate that I've ever been involved with, but I am personally very happy with the results.

Take care,
Alex