Bug 648886 (CVE-2004-2761) - CVE-2004-2761 MD5: MD5 Message-Digest Algorithm is not collision resistant
Summary: CVE-2004-2761 MD5: MD5 Message-Digest Algorithm is not collision resistant
Status: CLOSED ERRATA
Alias: CVE-2004-2761
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,source=internet,repor...
Keywords: Security
Depends On:
Blocks:
Reported: 2010-11-02 12:52 UTC by Tomas Hoger
Modified: 2019-06-08 18:39 UTC (History)
Clone Of:
Last Closed: 2010-12-22 02:12:14 UTC

External Trackers:
Tracker ID                            | Priority | Status       | Summary                                             | Last Updated
Red Hat Product Errata RHSA-2010:0837 | normal   | SHIPPED_LIVE | Moderate: rhpki security and enhancement update     | 2010-11-08 20:06:51 UTC
Red Hat Product Errata RHSA-2010:0838 | normal   | SHIPPED_LIVE | Moderate: pki security and enhancement update       | 2010-11-08 20:12:18 UTC

Description Tomas Hoger 2010-11-02 12:52:15 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2004-2761 to the following vulnerability:

The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate.

References:
http://www.kb.cert.org/vuls/id/836068
http://eprint.iacr.org/2004/199
http://eprint.iacr.org/2005/067
http://www.win.tue.nl/hashclash/rogue-ca/
http://www.phreedom.org/research/rogue-ca/
http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/

Comment 1 Tomas Hoger 2010-11-02 13:30:44 UTC
As noted in the Knowledgebase article, Red Hat Certificate System is configured to use SHA-1 hash algorithm by default:

https://access.redhat.com/kb/docs/DOC-15379

It was discovered, however, that Red Hat / Dogtag Certificate System used the MD5 algorithm for SCEP (Simple Certificate Enrollment Protocol) communication and provided no way to disable the use of MD5.  There are additional implementation properties that make an MD5 chosen-prefix collision attack more feasible against Certificate System's SCEP component:

- The main Certificate Authority key pair, used to issue certificates, is also used to secure SCEP communication (to decrypt requests and sign responses).

- All SCEP responses are signed by the CA, including negative / failure responses.  An attacker does not need to have a valid enrollment one-time PIN to get a signed reply from the Certificate System.

- Certificate System does not limit the size of the senderNonce provided in the SCEP request, which is echoed back in the SCEP reply.  It also did not provide its own senderNonce in SCEP reply packets.

A colliding prefix can be used as part of the sender nonce that is echoed back by the CA unchanged.  This may allow an attacker to create a certificate or CRL signed using the CA's key and the MD5 hash algorithm.

The following changes were made in the Certificate System to address this problem:

- Support for the SHA hash function family (SHA-1, SHA-256, SHA-512) was added to Red Hat Certificate System 7.3.  These hash functions were previously supported in version 8.  The SHA-1 hash function is now used by default.

- The CS.cfg configuration file can now specify default and allowed algorithms to be used by the SCEP component, e.g.:
    ca.scep.hashAlgorithm=SHA1
    ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
Similar options - ca.scep.encryptionAlgorithm and ca.scep.allowedEncryptionAlgorithms - can be used to configure encryption algorithm preferences.  The allowed algorithms list can be used to avoid a downgrade to weaker algorithms in cases where network devices try to use DES/MD5 first for compatibility with older SCEP specifications.

The use of a SHA hash algorithm avoids the MD5 collision problem.  The following additional changes aim to make the attack less feasible in configurations where the use of MD5 cannot be disabled.

- It is possible to limit the size of the nonce copied from SCEP requests to SCEP responses using the ca.scep.nonceSizeLimit option.  The default CS.cfg file sets the limit to 16 bytes.

- SCEP replies now include a server-generated nonce.

- A separate key pair can be used for SCEP communication.  It can be specified in the CS.cfg configuration using the ca.scep.nickname option.

- The SCEP component is disabled by default.  It can be enabled by adding ca.scep.enable=true to the CS.cfg configuration file.
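
As an added illustration of the hardening described in comment 1 (example code written for this page, not Certificate System's own implementation), the following Python sketches how a SCEP responder can apply the CS.cfg options named above: honour only allow-listed hash algorithms so a device starting with MD5 cannot downgrade the CA, bound the echoed senderNonce to ca.scep.nonceSizeLimit, and add a server-generated nonce. The configuration values and all function names are constructed for the example.

```python
import hashlib
import os

# Constructed CS.cfg-style settings: option names from comment 1, values chosen here.
SCEP_CONFIG = {
    "ca.scep.enable": "true",
    "ca.scep.hashAlgorithm": "SHA256",
    "ca.scep.allowedHashAlgorithms": "SHA1,SHA256,SHA512",
    "ca.scep.nonceSizeLimit": "16",
}
_HASHLIB_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

def allowed_hash_algorithms(cfg):
    """Parse the comma-separated allow list into upper-case names."""
    return [a.strip().upper() for a in cfg["ca.scep.allowedHashAlgorithms"].split(",") if a.strip()]

def select_hash_algorithm(cfg, requested):
    """Honour the client's requested hash only if it is on the allow list;
    otherwise use the configured default, so a device that tries MD5 first
    cannot downgrade the CA."""
    if requested is not None and requested.upper() in allowed_hash_algorithms(cfg):
        return requested.upper()
    return cfg["ca.scep.hashAlgorithm"].upper()

def message_digest(cfg, algo, data):
    """Hash data, refusing any algorithm outside the allow list."""
    if algo.upper() not in allowed_hash_algorithms(cfg):
        raise ValueError(f"{algo} is not in ca.scep.allowedHashAlgorithms")
    return hashlib.new(_HASHLIB_NAMES[algo.upper()], data).hexdigest()

def bounded_recipient_nonce(cfg, sender_nonce):
    """Echo the client's senderNonce (as recipientNonce) truncated to
    ca.scep.nonceSizeLimit bytes, bounding the attacker-chosen data that
    ends up inside the CA-signed reply."""
    limit = int(cfg["ca.scep.nonceSizeLimit"])
    return bytes(sender_nonce[:limit])

def build_reply_attributes(cfg, sender_nonce, requested_hash=None, rng=os.urandom):
    """Assemble the nonce and hash attributes of a SCEP reply with the
    hardening from comment 1 applied; rng is injectable for tests."""
    if cfg.get("ca.scep.enable", "false").lower() != "true":
        raise PermissionError("SCEP component is disabled (ca.scep.enable is not true)")
    return {
        "hashAlgorithm": select_hash_algorithm(cfg, requested_hash),
        "recipientNonce": bounded_recipient_nonce(cfg, sender_nonce),
        "senderNonce": rng(16),  # server-generated nonce, new in the fix
    }
```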

Comment 3 Kurt Seifried 2010-11-02 23:14:51 UTC
Is the intent of this bug to phase out MD5 usage in programs (i.e. replacing it with SHA256?) in Red Hat products?

Comment 4 Tomas Hoger 2010-11-03 10:07:56 UTC
Not a phase-out of all MD5, but a phase-out where needed.  The results of the efforts made in Fedora to add support for stronger hashes will be seen in future Red Hat products too, of course.

Comment 5 errata-xmlrpc 2010-11-08 20:07:01 UTC
This issue has been addressed in the following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0837 https://rhn.redhat.com/errata/RHSA-2010-0837.html

Comment 6 errata-xmlrpc 2010-11-08 20:12:27 UTC
This issue has been addressed in the following products:

  Red Hat Certificate System 8

Via RHSA-2010:0838 https://rhn.redhat.com/errata/RHSA-2010-0838.html

Comment 7 Tomas Hoger 2010-11-09 13:58:28 UTC
(In reply to comment #1)

> Following changes were done in the Certificate System to address this
> problem:
> 
> - Support for SHA hash function family (SHA-1, SHA-256, SHA-512) was added
> to Red Hat Certificate System 7.3.  These hash functions were previously
> supported in version 8.

https://fedorahosted.org/pki/changeset/558
https://fedorahosted.org/pki/changeset/559
https://fedorahosted.org/pki/changeset/560

> - CS.cfg configuration file can now specify default and allowed algorithms
> to be used by the SCEP component

https://fedorahosted.org/pki/changeset/1313

> - It is possible to limit the size of the nonce copied from SCEP requests
> to SCEP responses using ca.scep.nonceSizeLimit option.  Default CS.cfg
> file sets the limit to 16 bytes.
> 
> - SCEP replies now include server-generated nonce.

https://fedorahosted.org/pki/changeset/1289

> - Separate key pair can be used for SCEP communication.  It can be
> specified in the CS.cfg configuration using ca.scep.nickname option.

https://fedorahosted.org/pki/changeset/1335

> - SCEP component is disabled by default.  It can be enabled by adding
> ca.scep.enable=true to the CS.cfg configuration file.

https://fedorahosted.org/pki/changeset/1230
https://fedorahosted.org/pki/changeset/1232
