mailing list archives
Re: Security team successfully cracks SSL using 200 PS3's and MD5
From: Joe Greco <jgreco () ns sol net>
Date: Sun, 4 Jan 2009 14:05:44 -0600 (CST)
* Brian Keefer:
My apologies if you were commenting on some other aspect, or if my
understand is in some way flawed.
I don't think so.
There's a rule of thumb which is easy to remembe: Never revoke
anything just because some weak algorithm is involved. The rationale
is that that revocation is absolute and (usually) retroactive, but we
generally want a more nuanced approach. If certain algorithms are too
weak to be used, this is up to the relying party to decide whether
it's fine in a particular case. On the other hand, replacing
MD5-signed certificates in the browser PKI is costly, but the overhead
is very finely dispersed (assuming that reissuing certificates has
very little overhead at the CA). I think it's doable if the browser
vendors could agree on a flag date after which MD5 signatures on
certificates are no longer considered valid.
(The implicit assumptions in that rule of thumb do not always apply.
For instance, if weak RSA keys are discovered which occur with
sufficiently high probability as the result of the standard key
generating algorithms to pose a real problem, the public key may not
reveal this property immediately, it may only be evident from the
private key, or only after a rather expensive computation. In the
latter case, we would be in very deep trouble.)
Other faulty assumptions are that the "relying party" (usually part/ies/)
are actually made aware, and actually make an informed decision, or that
revocation is the first step in efforts to motivate replacement of a cert,
which probably is exactly opposite what I have suggested...
Rules of thumbs about weakness of algorithms are suspect because things
change over time; your rule of thumb above might have been applied to
40-bit encryption, but I don't see much 40-bit stuff around anymore. :-)
The opinions on whether or not it is necessary to replace certs seems to
vary depending on whose opinion you're listening to, but a relatively safe
rule of thumb for this sort of security issue is to take the path that is
most likely to avoid risk, which would seem to be replacing certs. To the
extent that VeriSign is already doing this, it would seem that there is a
certain level of agreement with that assessment.
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. Joe Abley (Jan 02)
Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw. William Warren (Jan 02)