Should I be concerned about the rogue CA certificate MD5 collision attack, CVE-2004-2761?
Environment
- Red Hat Certificate System
Issue
In December 2008, security researchers demonstrated an attack against MD5-signed digital certificates. The researchers were able to create a legitimate and a malicious certificate in a way that once the legitimate certificate request was signed by a trusted Certificate Authority (CA) that signature would also match the malicious certificate, allowing the attacker to own a malicious SSL certificate with a valid CA signature.
Resolution
This attack is not caused due to a vulnerability in a Red Hat product, but due to weaknesses in the MD5 hash function, its use by some CAs to sign certificate requests, and some specific conditions in the way some CAs performed signing.
The Red Hat Certificate System product provides a Public Key Infrastructure framework. In all supported versions of Red Hat Certificate System the CA signing certificate defaults to being SHA-1 signed, and by default certificates are signed using the algorithm of the CA signing certificate.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments