J-Security Center

Title: IETF RFC 3279 X.509 Certificate MD5 Signature Collision Vulnerability

Severity: HIGH

Description:

X.509 certificates are prone to a signature-collision attack when signed with the MD5 algorithm.

Hash algorithms are used to generate a hash value for a message (an arbitrary block of data) such that a number of cryptographic properties hold. In particular, the hash value is expected to be resistant to collisions. Given a message 'm', it should be infeasible to compute a different message 'm'' with the same hash value (second-preimage resistance), and more generally it should be infeasible to find any two distinct messages that hash to the same value (collision resistance).

Hash algorithms are used in many cryptographic applications. In particular, they are used to sign X.509 certificates for verifying identity in various applications, including SSL communications.

The MD5 hash algorithm has over time seen gradually improving attacks against the collision property. In particular, it has been possible in recent years to create colliding messages with arbitrary, attacker-specified prefixes and suffixes. Recent improvements have extended these techniques such that it is possible to create colliding messages that are also different yet valid SSL certificates.

An attacker may take advantage of this issue to create a pair of X.509 certificates with differing information, but that share the same signature. If one of the certificates is signed, that signature may be used for the second certificate as well. The attacker may be able to exploit this issue to gain a signed certificate for an identity that the attacker does not control, or to gain a signed certificate as an intermediary signing authority. In the second case, the attacker will be able to sign additional, arbitrary certificates that will be trusted by any party trusting the original, legitimate authority.

The attacker is most likely to exploit this issue to conduct phishing attacks or to impersonate legitimate sites by taking advantage of malicious certificates. Other attacks are likely possible.

To exploit this issue, attackers may need considerable technical expertise and specialized hardware. In addition, current attacks require that signing authorities follow some insecure practices such as using sequential serial numbers when issuing certificates.
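The two conditions the description names, an MD5-based signature algorithm and a CA that issues sequential serial numbers, can both be checked from the DER structure of issued certificates. The following Python is an added example and is not part of the Juniper advisory or any vendor's tooling: it contains a minimal DER reader that pulls the signatureAlgorithm OID and serial number out of a certificate, a policy table of the RFC 3279 MD2/MD5 RSA signature OIDs, and a batch audit that flags weak signature algorithms and runs of consecutive serials. The certificates it audits are synthetic, built inline by a small DER encoder with only the fields the audit needs (a constructed input, not real certificates), but the reader follows the outer Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature } layout, so it applies unchanged to real DER certificates.

```python
"""Audit DER certificates for MD5/MD2 signatures and sequential serials (added example)."""

# RFC 3279 signature-algorithm OIDs built on MD2/MD5; these are the ones to reject.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


# ---- minimal DER reading -------------------------------------------------
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the byte count
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_certificate(der):
    """Extract signature-algorithm OID and serial from a DER Certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)          # tbsCertificate
    _, sigalg, _ = read_tlv(cert, pos)       # signatureAlgorithm
    _, oid, _ = read_tlv(sigalg, 0)          # AlgorithmIdentifier.algorithm
    tag, content, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        tag, content, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(content, "big", signed=True)
    return {"sig_oid": decode_oid(oid), "serial": serial}


# ---- the audit -------------------------------------------------------------
def audit_certificates(ders):
    """Return findings as (index, kind, detail); index is None for batch findings."""
    findings = []
    parsed = [parse_certificate(d) for d in ders]
    for i, c in enumerate(parsed):
        if c["sig_oid"] in WEAK_SIGNATURE_OIDS:
            findings.append((i, "weak-signature", WEAK_SIGNATURE_OIDS[c["sig_oid"]]))
    serials = [c["serial"] for c in parsed]
    # Three or more certificates whose serials step by exactly one is the
    # predictable-serial practice the chosen-prefix collision relies on.
    if len(serials) >= 3 and all(b - a == 1 for a, b in zip(serials, serials[1:])):
        findings.append((None, "sequential-serials", f"{serials[0]}..{serials[-1]}"))
    return findings


# ---- synthetic test certificates (constructed input, not real certs) --------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for arc in parts[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += enc
    return _tlv(0x06, bytes(body))


def build_synthetic_cert(serial, sig_oid):
    """Skeleton certificate carrying only version, serial, and the algorithm ids."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                   # [0] EXPLICIT v3
    serial_der = _tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    sigalg = _tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")      # { OID, NULL }
    tbs = _tlv(0x30, version + serial_der + sigalg)             # remaining fields omitted
    signature = _tlv(0x03, b"\x00" + b"\x00" * 16)              # placeholder BIT STRING
    return _tlv(0x30, tbs + sigalg + signature)


if __name__ == "__main__":
    batch = [build_synthetic_cert(1000 + i, "1.2.840.113549.1.1.4") for i in range(3)]
    for finding in audit_certificates(batch):
        print(finding)
```

Running the block on its own constructed batch reports three `weak-signature` findings for md5WithRSAEncryption and one `sequential-serials` finding. On a real CA's output the same two signals are what a relying party or auditor would look for: the MD5 OID in signatureAlgorithm, and a serial sequence that lets an applicant predict the next certificate's serial and validity fields in advance.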

NOTE: This attack is an extension of the weakness covered in BID 11849 (MD5 Message Digest Algorithm Hash Collision Weakness).

Affected Products:

  • Cisco IOS CA
  • IETF RFC 3279: Algorithms and Identifiers for the Inter
  • Mozilla Network Security Services (NSS) 3.11
  • Mozilla Network Security Services (NSS) 3.11.3
  • Mozilla Network Security Services (NSS) 3.12
  • Ubuntu Ubuntu Linux 6.06 LTS amd64
  • Ubuntu Ubuntu Linux 6.06 LTS i386
  • Ubuntu Ubuntu Linux 6.06 LTS powerpc
  • Ubuntu Ubuntu Linux 6.06 LTS sparc
  • Ubuntu Ubuntu Linux 7.10 amd64
  • Ubuntu Ubuntu Linux 7.10 i386
  • Ubuntu Ubuntu Linux 7.10 lpia
  • Ubuntu Ubuntu Linux 7.10 powerpc
  • Ubuntu Ubuntu Linux 7.10 sparc
  • Ubuntu Ubuntu Linux 8.04 LTS amd64
  • Ubuntu Ubuntu Linux 8.04 LTS i386
  • Ubuntu Ubuntu Linux 8.04 LTS lpia
  • Ubuntu Ubuntu Linux 8.04 LTS powerpc
  • Ubuntu Ubuntu Linux 8.04 LTS sparc
  • Ubuntu Ubuntu Linux 8.10 amd64
  • Ubuntu Ubuntu Linux 8.10 i386
  • Ubuntu Ubuntu Linux 8.10 lpia
  • Ubuntu Ubuntu Linux 8.10 powerpc
  • Ubuntu Ubuntu Linux 8.10 sparc
  • Yamaha RT104
  • Yamaha RT105
  • Yamaha RT107e
  • Yamaha RT300i
  • Yamaha RTV700
  • Yamaha RTX1000
  • Yamaha RTX1100
  • Yamaha RTX1500
  • Yamaha RTX2000
  • Yamaha RTX3000
  • Yamaha SRT100

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.