Common Vulnerabilities and Exposures assigned an identifier CVE-2004-2761 to the following vulnerability: The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate.

References:
http://www.kb.cert.org/vuls/id/836068
http://eprint.iacr.org/2004/199
http://eprint.iacr.org/2005/067
http://www.win.tue.nl/hashclash/rogue-ca/
http://www.phreedom.org/research/rogue-ca/
http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/
As noted in the Knowledgebase article, Red Hat Certificate System is configured to use the SHA-1 hash algorithm by default: https://access.redhat.com/kb/docs/DOC-15379

It was discovered, however, that Red Hat / Dogtag Certificate System used the MD5 algorithm for SCEP (Simple Certificate Enrollment Protocol) protocol communication and provided no way to disable the use of MD5. There are additional implementation properties that make an MD5 chosen-prefix collision attack more feasible against Certificate System's SCEP component:

- The main Certificate Authority's key pair used to issue certificates is used to secure SCEP communication too (to decrypt requests and sign responses).
- All SCEP responses are signed by the CA, including negative / failure responses. An attacker does not need to have a valid enrollment one-time PIN to get a signed reply from the Certificate System.
- Certificate System does not limit the size of the senderNonce provided in the SCEP request, which is echoed back in the SCEP reply. It also did not provide its own senderNonce in SCEP reply packets. A colliding prefix can be used as part of the sender nonce that is echoed back by the CA unchanged.

This may allow an attacker to create a certificate or CRL signed using the CA's key and using the MD5 hash algorithm.

The following changes were done in the Certificate System to address this problem:

- Support for the SHA hash function family (SHA-1, SHA-256, SHA-512) was added to Red Hat Certificate System 7.3. These hash functions were previously supported in version 8. The SHA-1 hash function is now used by default.
- The CS.cfg configuration file can now specify default and allowed algorithms to be used by the SCEP component, e.g.:

  ca.scep.hashAlgorithm=SHA1
  ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512

  Similar options - ca.scep.encryptionAlgorithm and ca.scep.allowedEncryptionAlgorithms - can be used to configure encryption algorithm preferences. The allowed algorithms list can be used to avoid downgrade to the use of weaker algorithms in cases where network devices try to use DES/MD5 first for compatibility with older SCEP specifications. The use of a SHA hash algorithm avoids the MD5 collision problem.

The following additional changes aim to make the attack less feasible in configurations where the use of MD5 cannot be disabled:

- It is possible to limit the size of the nonce copied from SCEP requests to SCEP responses using the ca.scep.nonceSizeLimit option. The default CS.cfg file sets the limit to 16 bytes.
- SCEP replies now include a server-generated nonce.
- A separate key pair can be used for SCEP communication. It can be specified in the CS.cfg configuration using the ca.scep.nickname option.
- The SCEP component is disabled by default. It can be enabled by adding ca.scep.enable=true to the CS.cfg configuration file.
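A defender-side check that ties the options above together, added here as an example and not Certificate System's own code: it audits a CS.cfg file for the SCEP settings named in comment #1. The option names come from this bug; the sample files, the DES3 value and the rule that an absent key means the pre-fix MD5/DES behaviour are assumptions made for the demonstration.

```python
# Added example, not Certificate System code: audit the SCEP options named in
# this bug in a CS.cfg file. Sample files, the DES3 value and the assumption
# that a missing key means the legacy MD5/DES behaviour are constructed here.
from typing import Dict, List

def parse_cs_cfg(text: str) -> Dict[str, str]:
    """CS.cfg is a flat key=value file; '#' lines are comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def _algs(cfg: Dict[str, str], key: str, legacy: str) -> set:
    # Pre-fix builds only had MD5/DES, so an absent key is treated as legacy.
    return {a.strip().upper() for a in cfg.get(key, legacy).split(",") if a.strip()}

def audit_scep(cfg: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means no weakness detected."""
    findings: List[str] = []
    if cfg.get("ca.scep.enable", "false").lower() != "true":
        return findings  # SCEP disabled (post-fix default): nothing exposed
    if "MD5" in _algs(cfg, "ca.scep.allowedHashAlgorithms", "MD5"):
        findings.append("MD5 allowed: collision in echoed nonce can yield CA-signed forgery")
    if cfg.get("ca.scep.hashAlgorithm", "MD5").upper() == "MD5":
        findings.append("default hash is MD5: clients are not steered to SHA")
    if "DES" in _algs(cfg, "ca.scep.allowedEncryptionAlgorithms", "DES"):
        findings.append("single DES allowed: downgrade from DES3 is possible")
    limit = cfg.get("ca.scep.nonceSizeLimit", "")
    if not limit.isdigit() or int(limit) > 16:
        findings.append("nonce echo not capped at 16 bytes: more attacker-chosen bytes are signed")
    if not cfg.get("ca.scep.nickname"):
        findings.append("SCEP signs with the main CA key: set ca.scep.nickname to a dedicated pair")
    return findings

# Constructed sample files: a legacy-style configuration and a hardened one.
WEAK_CFG = """ca.scep.enable=true
ca.scep.hashAlgorithm=MD5
ca.scep.allowedHashAlgorithms=MD5,SHA1
ca.scep.allowedEncryptionAlgorithms=DES,DES3
"""
HARDENED_CFG = """ca.scep.enable=true
ca.scep.hashAlgorithm=SHA1
ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.nonceSizeLimit=16
ca.scep.nickname=scepSigningCert
"""
```

Running `audit_scep(parse_cs_cfg(...))` on the two samples returns five findings for the legacy file and none for the hardened one.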
Is the intent of this bug to phase out MD5 usage in programs (i.e. replacing it with SHA256?) in Red Hat products?
Not a phase out of all MD5, but a phase out where needed. Results of the efforts that were done in Fedora to add support for stronger hashes are to be seen in future Red Hat products too, of course.
This issue has been addressed in the following products: Red Hat Certificate System 7.3 Via RHSA-2010:0837 https://rhn.redhat.com/errata/RHSA-2010-0837.html
This issue has been addressed in the following products: Red Hat Certificate System 8 Via RHSA-2010:0838 https://rhn.redhat.com/errata/RHSA-2010-0838.html
(In reply to comment #1)
> Following changes were done in the Certificate System to address this
> problem:
>
> - Support for SHA hash function family (SHA-1, SHA-256, SHA-512) was added
> to Red Hat Certificate System 7.3. These hash functions were previously
> supported in version 8.

https://fedorahosted.org/pki/changeset/558
https://fedorahosted.org/pki/changeset/559
https://fedorahosted.org/pki/changeset/560

> - CS.cfg configuration file can now specify default and allowed algorithms
> to be used by the SCEP component

https://fedorahosted.org/pki/changeset/1313

> - It is possible to limit the size of the nonce copied from SCEP requests
> to SCEP responses using ca.scep.nonceSizeLimit option. Default CS.cfg
> file sets the limit to 16 bytes.
>
> - SCEP replies now include server-generated nonce.

https://fedorahosted.org/pki/changeset/1289

> - Separate key pair can be used for SCEP communication. It can be
> specified in the CS.cfg configuration using ca.scep.nickname option.

https://fedorahosted.org/pki/changeset/1335

> - SCEP component is disabled by default. It can be enabled by adding
> ca.scep.enable=true to the CS.cfg configuration file.

https://fedorahosted.org/pki/changeset/1230
https://fedorahosted.org/pki/changeset/1232