En sårbarhet har identifierats i det förfarande som MD5 används tillsammans med signering av SSL certifikat. Genom att kombinera två äldre publika attacker:

• MD5 kollisioner
• X509 och MD5-kollisioner i dessa

Så har säkerhetsforskarna Alexander Sotirov, Jacob Appelbaum lyckats att skapa egna SSL-certifikat för godtycklig domän. De skulle exempelvis vara möjligt att skapa ett giltigt certifikat för swedbank.se med hjälp av denna attack. Dock så måste denna attack kombineras med någon annan attack mot exempelvis DNS.

We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash. This is known as an MD5 ”collision”. Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.

HD Moore på BreakingPoint Labs har skrivit en lång och utförligt inlägg om detta: breakingpointsystems.com/community/blog/Attacking-Critical-Internet-Infrastructure.

Läs även:

MD5 considered harmful today

Creating a rogue CA certificate

Följ oss på Twitter: http://twitter.com/kryptera

Det har för några år sedan uppdagats att MD5 inte är speciellt säker att använda längre så därför satte Ronald L. Rivest igång ett arbete med att ta fram nästa generations hash-funktion nämligen MD6. Med hjälp av ett team på över 15 personer så har MD6 nu lanserats under konferensen CRYPTO ’08.

Se presentationen här:

people.csail.mit.edu/rivest/Rivest-TheMD6HashFunction.ppt

Enligt följande skriver Hal Finney om MD6:

Ron Rivest presented his (along with a dozen other people’s) new hash,
MD6, yesterday at Crypto. I am not a hash guru although I’ve implemented
SHA and its ilk many times, so I can’t guarantee all my notes are correct.
I will compare it somewhat with SHA as that is what I know.

SHA-1 is a Merkle Damgard hash, meaning that it runs a compression
function that takes as input the chaining value from the previous
compression function block, along with the next block of input, and
compresses that, creating the next chaining value for the next block.

MD6 is a tree hash, so the leaf nodes run the compression function which
takes successive blocks of input and compress it down to a chaining
value. These chaining values are then fed up to a parent node, which
uses the same compression function to produce its own chaining value,
and so on up to the root node. I think the tree branching factor was 4 -
each node has 4 children. There is also an alternative serial mode for
use by memory limited devices, but I don’t recall any details on that.

A unique feature of MD6 is that the input to the compression function is
very large – 512 bytes. SHA-1 takes 64 bytes. MD6 is oriented around 64
bit words, so this input is considered to be 64 words. The MD6 chaining
variable is 1024 bits or 16 words – compare to the hash width for the
SHA family ciphers: 160 for SHA-1, 256 or 512 for SHA-256 and SHA-512.
Per NIST’s spec, the largest hash output for SHA-3 is 512 bits, so
MD6 intentionally uses a double width chaining variable internally,
and truncates it for output.

The compression function of MD6 is particularly unusual, combining
simple steps with a large number of rounds. In SHA-1 the first thing you
do is to take the 16 32-bit input words and expand them into an 80-word
key array, each word in the expanded input being a function of certain
previous words. Then you run an unbalanced Feistel using the expanded
inputs.

MD6 starts off with something similar, using a somewhat more complex
expansion algorithm, and going on far longer. To my surprise, this is
the whole compression function! The last 16 words of this process are the
output chaining value. There is no Feistel network or any other mechanism.

In more detail, the 64 (64-bit) input words are prefixed by two sets
of about a dozen words – sorry, I don’t remember exactly how big these
were. One set is a constant value, and the other set includes a variety
of ”environmental” information about the circumstances of this instance
of the compression function. This includes global information like how
wide the hash is that will finally be derived by truncating the final
chaining value; the location of this compression function block in the
hash tree, including in particular whether we are the last (root) node;
and other such data. One notable value here is an optional per-hash key,
for creating a keyed hash, of up to 8 words (512 bits). These prepended
blocks bring the full input size up to about 87 or 89 words – again I
apologize, I am working strictly from memory here.

Now this input begins to be extended. Each additional word is a function
of about 5 of the previous 89 words. They did a search to choose the
best 5 offsets in order to maximize diffusion. The combining function
is quite simple though, composed solely of xors, ands, one right shift
and one left shift. Rivest mentioned that this made it reversible -
a desirable feature as it guarantees that no entropy is lost. At first
I was unclear how doing x = x ^ (x >> 5) for example is reversible,
for example, but then I got it. The shift amounts change each step,
again optimized by a computer search for good mixing.

But the really important point here is that there are a huge number
of such steps. The function is expressed in rounds of 16 steps
each. MD6-256 uses 104 rounds; MD6-512 uses 168. Multiply times 16 and
you are performing this extend step on the order of 2000 times. Again,
the last 16 words are the output of the compression function.

Rivest gave a lot of performance information. Because of the tree
structure, the function is highly parallellizable, and scales almost
linearly with the number of CPU cores available. With 1 core, it is not
super fast: MD6-256 on a 64-bit CPU is 77 MB/sec; MD6-512 is 49 MB/sec.
For comparison, SHA-512 is 202 MB/sec on the same setup. They need about
3 cores to match the speed of SHA-512.

He also presented a number of cryptanalytic results. There is provable
security against differential cryptanalysis, by virtue of the large number
of rounds; also security against side channels. A SAT solver and another
technique could only do something with about 11 rounds, versus the 100+
rounds in the function. The tree structure is also shown to preserve
strong properties of the compression function.

Overall it seemed very impressive. The distinctive features are the tree
structure, very wide input blocks, and the enormous number of rounds.
The cryptanalysis results were favorable. However Adi Shamir stood up
and expressed concern that his new Cube attack might apply. Rivest seemed
confident that the degree of MD6 would be several thousand, which should
be safe from Shamir’s attack, but time will tell.

Apologies again to the enormous number of authors if I have any serious
errors above. And thanks to Ron Rivest for publicizing this hash design
several months before the due date (October 31), potentially giving an
advantage to his competitotrs. He emphasized that his goal is to produce
the best possible outcome for the whole process.

Hal Finney

Följ oss på Twitter: http://twitter.com/kryptera

Det har åtskilliga gånger på sistone kommit på tapeten hur webbutvecklare bygger dåliga lösenordsfunktioner utan salt, eller lagrade direkt i klartext exempelvis.

Det amerikanska IT-säkerhetsföretaget Matasano försöker reda ut vad som är bra och vad som är dåligt gällande säkra lösenordshashar:

• Varför är just OpenBSD:s lösenordsfunkion så bra
• Varför går vissa lösenord att knäcka med regnbågstabeller (rainbow tables)
• Vad är Stanford Secure Remote Password (SRP)

Deras intressant blogginlägg kan du läsa här.

Följ oss på Twitter: http://twitter.com/kryptera

WordPress version 2.5.1 släpps till följd av att en kryptobugg i Cookie-hanteringen gör det möjligt beräkna den HMAC som används för säkerställa att rätt användare är inloggad:

The authentication mechanism assumes that an attacker cannot calculate the HMAC. However, this assumption is broken because the two inputs used to calculate the HMAC (username and expiration) are not clearly delineated.

Läs mer om buggen här:

• http://www.cl.cam.ac.uk/~sjm217/advisories/wordpress-cookie-integrity.txt

Undrar du vad HMAC är? Förklaring enligt Wikipedia:

In cryptography, a keyed-Hash Message Authentication Code (HMAC or KHMAC), is a type of message authentication code (MAC) calculated using a specific algorithm involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Any iterative cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA-1 accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, on the size and quality of the key and the size of the hash output length in bits.

Följ oss på Twitter: http://twitter.com/kryptera