Introduction
Research unveiled in December of 2008 [15] showed how MD5’s long-known flaws could be actively exploited to attack the real-world Certification Authority infrastructure. In this paper, we demonstrate two new classes of collision, which will be somewhat trickier to address than previous attacks against X.509: the applicability of MD2 preimage attacks against the primary root certificate for Verisign, and the difficulty of validating X.509 Names contained within PKCS#10 Certificate Requests. We also draw particular attention to two possibly unrecognized vectors for implementation flaws that have been problematic in the past: the ASN.1 BER decoder required to parse PKCS#10, and the potential for SQL injection from text contained within its requests. Finally, we explore why the implications of these attacks are broader than some have realized — first, because Client Authentication is sometimes tied to X.509, and second, because Extended Validation certificates were only intended to stop phishing attacks from names similar to trusted brands. As per the work of Adam Barth and Collin Jackson [4], EV does not prevent an attacker who can synthesize or acquire a “low assurance” certificate for a given name from acquiring the “green bar” EV experience.
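The name-validation and BER-decoding vectors above, as an added defender-side illustration that is not from the paper: a strict DER walker that pulls the commonName out of a PKCS#10 subject Name and refuses the encodings and byte values on which different parsers disagree before the value reaches a comparison or a database. The function names and the constructed sample Names are this example's own.

```python
import re
CN_OID = b"\x55\x04\x03"  # DER contents of OID 2.5.4.3 (commonName)
HOSTNAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def read_tlv(buf, off=0):  # strict DER TLV reader; refuses BER-only encodings
    if off + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length >= 0x80:  # long form; 0x80 itself is BER indefinite length, not DER
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        if n == 0 or n > 4 or off + n > len(buf) or buf[off] == 0 or length < 0x80:
            raise ValueError("indefinite, truncated or non-minimal length")
        off += n
    if off + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[off:off + length], off + length

def extract_cn(name_der):  # X.501 Name = SEQUENCE OF SET OF SEQUENCE {OID, value}
    tag, rdns, end = read_tlv(name_der)
    if tag != 0x30 or end != len(name_der):
        raise ValueError("Name must be one SEQUENCE with no trailing bytes")
    off, cn = 0, None
    while off < len(rdns):
        tag, rdn, off = read_tlv(rdns, off)
        if tag != 0x31:
            raise ValueError("each RDN must be a SET")
        _, atv, _ = read_tlv(rdn)
        otag, oid, vpos = read_tlv(atv)
        if otag == 0x06 and oid == CN_OID:
            cn = read_tlv(atv, vpos)[1]  # raw value bytes; last CN wins
    return cn

def validate_cn(cn_bytes):  # canonical hostname or ValueError; no NUL/control/non-ASCII
    if not cn_bytes or any(b < 0x20 or b > 0x7E for b in cn_bytes):
        raise ValueError("commonName missing or contains NUL/control/non-ASCII bytes")
    host = cn_bytes.decode("ascii").lower()
    if not HOSTNAME.match(host):
        raise ValueError("commonName is not a well-formed hostname")
    return host

def vet_name(name_der):  # what a CA front end would call before any DB write
    try:
        return "ok", validate_cn(extract_cn(name_der))
    except ValueError as e:
        return "rejected", str(e)

def name_with_cn(cn):  # constructed sample Name: SEQUENCE{SET{SEQUENCE{OID, UTF8String}}}
    atv = b"\x06\x03" + CN_OID + bytes([0x0C, len(cn)]) + cn
    return b"\x30" + bytes([len(atv) + 4, 0x31, len(atv) + 2, 0x30, len(atv)]) + atv
```

A production CA would additionally compare the canonical hostname against the subjectAltName entries and the requester's proven control of the name; this block only covers the decoding and character-set gate.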
References
[1] Open1X: IEEE 802.1X open source implementation, http://open1x.sourceforge.net/
[2] Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol, RFC 5246 (August 2008), http://tools.ietf.org/html/rfc5246
[3] Gutmann, P.: X.509 Style Guide (October 2000), http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
[4] Jackson, C., Barth, A.: Beware of finer-grained origins. In: Web 2.0 Security and Privacy, W2SP 2008 (2008)
[5] Johanson, E.: The state of homograph attacks (2005), http://www.shmoo.com/idn/homograph.txt
[6] Kaliski, B.: PKCS #1: RSA Encryption, RFC 2313 (March 1998), http://tools.ietf.org/html/rfc2313
[7] Marlinspike, M.: New tricks for defeating SSL in practice (July 2009), http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
[8] Marlow, S.: Happy User Guide (2001), http://www.haskell.org/happy/doc/html/sec-AttributeGrammar.html
[9] Muller, F.: The MD2 hash function is not one-way. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 214–229. Springer, Heidelberg (2004)
[10] neon: HTTP and WebDAV client library, http://www.webdav.org/neon/
[11] Pilosov, A., Kapela, T.: Stealing the Internet: An Internet-scale man-in-the-middle attack. In: DEFCON, vol. 16 (August 2008)
[12] Röning, J., Laakso, M., Takanen, A., Kaksonen, R.: PROTOS - systematic approach to eliminate software vulnerabilities (2002)
[13] Singh, S.: Certificate trust list not being honored by IIS 5.0/6.0/7.0 (December 2007), http://blogs.msdn.com/saurabh_singh/archive/2007/12/07/certificate-trust-list-not-being-honored-by-iis-5-0-6-0-7-0.aspx
[14] Stevens, M., Lenstra, A., Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007)
[15] Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Cryptology ePrint Archive, Report 2009/111 (2009), http://eprint.iacr.org/
[16] Bacula: the open source network backup software solution, http://www.bacula.org/en/
[17] Claws Mail: the user-friendly, lightweight and fast email client, http://www.claws-mail.org/
[18] Thomsen, S.S.: An improved preimage attack on MD2. In: Cryptology ePrint Archive, Report 2008/089 (2008), http://eprint.iacr.org/
[19] US-CERT: Vulnerability Note VU#800113: Multiple DNS implementations vulnerable to cache poisoning. US-CERT Vulnerability Notes Database (2008), http://www.kb.cert.org/vuls/id/800113
[20] Wang, X., Feng, D., Lai, X., Yu, H.: Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. In: Cryptology ePrint Archive, Report 2004/199 (2004), http://eprint.iacr.org/
[21] GNU Wget, http://www.gnu.org/software/wget/
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Kaminsky, D., Patterson, M.L., Sassaman, L. (2010). PKI Layer Cake: New Collision Attacks against the Global X.509 Infrastructure. In: Sion, R. (eds) Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6052. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14577-3_22
DOI: https://doi.org/10.1007/978-3-642-14577-3_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14576-6
Online ISBN: 978-3-642-14577-3