Washburn's World

My take on the world. My wife often refers to this as the WWW (Weird World of Washburn)

My Photo
Location: Germantown, Wisconsin, United States

I am a simple country boy transplanted from the Piehl Township in northern Wisconsin to the Milwaukee metropolitan area who came down "sout" in 1980 for college and have stayed in the area since.
If this blog is something you wish to support, consider a donation.

Tuesday, December 30, 2008

Secure Socket Layer is Compromised

My posting here has been sparse.

Part of the reason for that is I have been working on a submission to the NIST SHA-3 Competition. My algorithm, WaMM, has the ignoble honor of being the first weak sister to go down in the hash algorithm cage match. To monitor the details of the competition I recommend the SHA-3 Zoo.

This theoretical world of cryptographic hashes has real-world applications. One of those real world applications is the transport layer security (TLS) or secure socket layer (SSL) (aka TLS/SSL). The preceding sentence is best described as the little lock icon you see when you are doing your online banking.

Here is a screen shot
SSL icon
from the web site of Guaranty Banking. I am not picking on Guaranty; the SSL is used by Wells Fargo and Bank of America as well. Here is an excerpt from the BoA Security Guaranty
Whenever personal information is requested or displayed on our Web site we use encryption technology, such as Secure Socket Layer (SSL), to prevent unauthorized access to data

The TLS/SSL is your assurance from your bank, online store, or government that your private information can be safely broadcast across the internet. The value of that guarantee took a serious hit on December 30, 2008.

At the 25th Annual Chaos Communications the team led by Alexander Sotirov has published this paper announcing the creation of a rouge Certification Authority Certificate (CA Certificate).

Anyone with a rogue CA certificate can impersonate any website which uses certification authorities (CA's) for SSL connection; Think eBay, BoA, and www.Widgetsonline.com

The paper has two excellent pictures. The first is how the SSL uses the CA certificate under normal conditions. The second picture is how the rouge CA certificate can be used to attack the SSL connection.

What this means to Wells Fargo and Bank of America is that it is now possible for someone other than them to create a website which can impersonate the Wells Fargo or Bank of America website. With the rogue CA certificate the impersonation goes so far as to present a bogus CA certificate which the TSL/SSL on your web browser cannot distinguish from the legitimate Wells Fargo or BoA certificate.

What this means to you is that if you previous placed blind trust in the little lock icon, then stop that. The lock used in the icon now has a master key which can open the lock in many commercial settings.

The rogue certificate takes advantage of the poisoned message attack by exploiting the know hash collision problem in the MD5 hash algorithm.

For years people have been recommending the MD5 hash be dropped from the CA certificate specification and that all MD5-based certificates be revoked. The response has been the usual two.
That vulnerability is completely theoretical.
It would be too expensive to upgrade a working system because of a theoretical problem.

These responses were given even after Peter Selinger published in 2006 this demonstration of the danger posed by MD5 hash collisions.

As you can see this was problem two years in the making. Now VeriSign, BoA, and most online retailers will need to get new certificates which use the stronger SHA-1 hash instead of the broken MD5 hash. Here is a survey of the CA certificates used on several popular sites. Any of the sites listed with MD5 should now be considered broken.

But, this raises a larger epistemology question.
  • How do you know who uses what combination of encryption and hashing?
  • How do you know what you know in order to decide if trust is warranted?
What would be nice is if the browsers provided mouse over text when the mouse hovers over the lock icon. The mouse over text should provide three data: Encryption Algorithm, Hash algorithm, Public Key bit length. From the survey above, the mouse over text for www.microsoft.com would be: (AES128)(SHA)(1024).

People would then know to shun any site where:
The problem with the TLS/SSL protocol is the usual one for cryptography; implementation. By "simplifying" the user interface to a simple picture of a lock, the browser robs the user of the information needed to make an informed decision about whether to trust the SSL security of a website.

My modest proposal would help by providing three simple data upon which a customer can decide a complicated trust issue. The current model is the usual bureaucratic one; trust us because some Authority vouches for us. My small suggestion is more in keeping with the PGP model: What evidence do you need in order to trust us? Here it is...

The difference is transparency and who makes the ultimate decision to extend or withhold trust:
  • An opaque system where trust is decided by an unknown Authority, or
  • a more transparent system where trust is given or withheld by the individual