Bug 648886 - CVE-2004-2761 MD5: MD5 Message-Digest Algorithm is not collision resistant
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Assigned To: Red Hat Product Security
impact=moderate,source=internet,repor...
Reported: 2010-11-02 08:52 EDT by Tomas Hoger
Modified: 2010-12-21 21:12 EST (History)
Last Closed: 2010-12-21 21:12:14 EST
Description Tomas Hoger 2010-11-02 08:52:15 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2004-2761 to the following vulnerability:

The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate.

References:
http://www.kb.cert.org/vuls/id/836068
http://eprint.iacr.org/2004/199
http://eprint.iacr.org/2005/067
http://www.win.tue.nl/hashclash/rogue-ca/
http://www.phreedom.org/research/rogue-ca/
http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/
Comment 1 Tomas Hoger 2010-11-02 09:30:44 EDT
As noted in the Knowledgebase article, Red Hat Certificate System is configured to use SHA-1 hash algorithm by default:

https://access.redhat.com/kb/docs/DOC-15379

It was discovered, however, that Red Hat / Dogtag Certificate System used the MD5 algorithm for SCEP (Simple Certificate Enrollment Protocol) communication and provided no way to disable the use of MD5.  There are additional implementation properties that make an MD5 chosen-prefix collision attack more feasible against Certificate System's SCEP component:

- The main Certificate Authority key pair used to issue certificates is also used to secure SCEP communication (to decrypt requests and sign responses).

- All SCEP responses are signed by the CA, including negative / failure responses.  An attacker does not need to have a valid enrollment one-time PIN to get a signed reply from the Certificate System.

- Certificate System does not limit the size of the senderNonce provided in the SCEP request, which is echoed back in the SCEP reply.  It also did not provide its own senderNonce in SCEP reply packets.

A colliding prefix can be used as part of the sender nonce that is echoed back by the CA unchanged.  This may allow an attacker to create a certificate or CRL signed using the CA's key and the MD5 hash algorithm.

The following changes were made in the Certificate System to address this problem:

- Support for the SHA hash function family (SHA-1, SHA-256, SHA-512) was added to Red Hat Certificate System 7.3.  These hash functions were previously supported in version 8.  The SHA-1 hash function is now used by default.

- The CS.cfg configuration file can now specify default and allowed algorithms to be used by the SCEP component, e.g.:
    ca.scep.hashAlgorithm=SHA1
    ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
Similar options - ca.scep.encryptionAlgorithm and ca.scep.allowedEncryptionAlgorithms - can be used to configure encryption algorithm preferences.  The allowed-algorithms list can be used to avoid a downgrade to the use of weaker algorithms in cases where network devices try to use DES/MD5 first for compatibility with older SCEP specifications.

The use of a SHA hash algorithm avoids the MD5 collision problem.  The following additional changes aim to make the attack less feasible in configurations where the use of MD5 cannot be disabled.

- It is possible to limit the size of the nonce copied from SCEP requests to SCEP responses using the ca.scep.nonceSizeLimit option.  The default CS.cfg file sets the limit to 16 bytes.

- SCEP replies now include a server-generated nonce.

- A separate key pair can be used for SCEP communication.  It can be specified in the CS.cfg configuration using the ca.scep.nickname option.

- The SCEP component is disabled by default.  It can be enabled by adding ca.scep.enable=true to the CS.cfg configuration file.
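As an added example (not part of the bug report and not Certificate System code), the following script audits the SCEP options named in comment 1 from a CS.cfg fragment and lists settings that still permit MD5/DES, an unbounded echoed senderNonce, or reuse of the main CA key pair. It assumes CS.cfg is plain key=value lines; the sample fragments are constructed, and the value name DES3 is an assumption.

```python
# Added example, not Certificate System code: audit the SCEP hardening
# options from comment 1 in a CS.cfg fragment and list weak settings.
# Assumed: CS.cfg is key=value per line; the value "DES3" is assumed.
WEAK = {"MD5", "DES"}  # algorithms the report says devices try first

# Constructed samples: a hardened fragment and one still at weak values.
HARDENED_CFG = """
ca.scep.enable=true
ca.scep.nickname=scepSigningCert
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.nonceSizeLimit=16
"""
WEAK_CFG = """
ca.scep.enable=true
ca.scep.hashAlgorithm=MD5
ca.scep.allowedHashAlgorithms=MD5,SHA1
ca.scep.encryptionAlgorithm=DES
ca.scep.allowedEncryptionAlgorithms=DES,DES3
"""
ALGO_KEYS = ("ca.scep.hashAlgorithm", "ca.scep.allowedHashAlgorithms",
             "ca.scep.encryptionAlgorithm", "ca.scep.allowedEncryptionAlgorithms")

def parse_cfg(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit_scep(cfg: dict) -> list:
    """Return one finding per weak or missing SCEP hardening option."""
    if cfg.get("ca.scep.enable", "false").lower() != "true":
        return []  # SCEP is off: none of the SCEP-specific issues apply
    findings = []
    for key in ALGO_KEYS:  # a single value and a comma list share one check
        weak = {v.strip().upper() for v in cfg.get(key, "").split(",")} & WEAK
        if weak:
            findings.append(f"{key}: allows weak {','.join(sorted(weak))}")
    limit = cfg.get("ca.scep.nonceSizeLimit", "")
    if not limit.isdigit() or int(limit) > 16:
        findings.append("ca.scep.nonceSizeLimit: echoed senderNonce not bounded to 16 bytes")
    if not cfg.get("ca.scep.nickname"):
        findings.append("ca.scep.nickname: SCEP falls back to the main CA key pair")
    return findings
```

Run audit_scep(parse_cfg(text)) over a real CS.cfg; an empty list means every option from comment 1 is set to a non-weak value.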
Comment 3 Kurt Seifried 2010-11-02 19:14:51 EDT
Is the intent of this bug to phase out MD5 usage in programs (i.e. replacing it with SHA256?) in Red Hat products?
Comment 4 Tomas Hoger 2010-11-03 06:07:56 EDT
Not a phase-out of all MD5, but a phase-out where needed.  Results of the efforts that were done in Fedora to add support for stronger hashes are to be seen in future Red Hat products too, of course.
Comment 5 errata-xmlrpc 2010-11-08 15:07:01 EST
This issue has been addressed in the following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0837 https://rhn.redhat.com/errata/RHSA-2010-0837.html
Comment 6 errata-xmlrpc 2010-11-08 15:12:27 EST
This issue has been addressed in the following products:

  Red Hat Certificate System 8

Via RHSA-2010:0838 https://rhn.redhat.com/errata/RHSA-2010-0838.html
Comment 7 Tomas Hoger 2010-11-09 08:58:28 EST
(In reply to comment #1)

> Following changes were done in the Certificate System to address this
> problem:
> 
> - Support for SHA hash function family (SHA-1, SHA-256, SHA-512) was added
> to Red Hat Certificate System 7.3.  These hash functions were previously
> supported in version 8.

https://fedorahosted.org/pki/changeset/558
https://fedorahosted.org/pki/changeset/559
https://fedorahosted.org/pki/changeset/560

> - CS.cfg configuration file can now specify default and allowed algorithms
> to be used by the SCEP component

https://fedorahosted.org/pki/changeset/1313

> - It is possible to limit the size of the nonce copied from SCEP requests
> to SCEP responses using ca.scep.nonceSizeLimit option.  Default CS.cfg
> file sets the limit to 16 bytes.
> 
> - SCEP replies now include server-generated nonce.

https://fedorahosted.org/pki/changeset/1289

> - Separate key pair can be used for SCEP communication.  It can be
> specified in the CS.cfg configuration using ca.scep.nickname option.

https://fedorahosted.org/pki/changeset/1335

> - SCEP component is disabled by default.  It can be enabled by adding
> ca.scep.enable=true to the CS.cfg configuration file.

https://fedorahosted.org/pki/changeset/1230
https://fedorahosted.org/pki/changeset/1232
