[cryptography] Malware-signing certs with 512-bit keys

ianG iang at iang.org
Wed Dec 7 09:26:41 EST 2011

On 7/12/11 23:30 PM, Peter Gutmann wrote:
> [NB: Crossposted to two lists where this issue has been discussed in the past]
> So it seems like pretty much everyone (at least on these lists) has heard
> about the Malaysian CA that issued 512-bit certs for which the keys were
> factored and used to sign malware, and that had their CA cert pulled because
> of this.
> What's had much less (in fact apparently zero) attention

As someone commented to me today, in PKI, any news is good news.  As the 
old aphorism from PT Barnum suggests, facts should not be allowed to 
interfere with the serious business of advertising.  

> is the fact that
> Digicert Sdn. Bhd. only issued three of the nine certificates that were used
> for malware signing.  Three more were issued by Cybertrust, and one each by
> GlobalSign, Taiwan-CA, and Anthem.  The first three are root CAs, Anthem is
> one of the vast number of you'll-only-find-out-they-exist-when-they're-used-
> to-attack-you sub-CAs that are out there.

9 certs of 512-bit size were used in various malware signing attacks, 
and nothing larger was seen.  So it is claimed.  So it is probably 
reasonable to suggest a private key crunching attack on those certs.  On 
the other hand, we don't have enough to rule out the alternates.  IMHO.

Still, with this reasonable conjecture in hand, that's probably 
sufficient for relying parties (vendors as defined in BR) to up the 
acceptable limit to the next reasonable notch.  I'd suggest 768, vendors 
will do 1024 I guess.

Given the facts (number of attacks, 9?;  the number of users, 250m; 
slowness of updates; lack of reported direct damages) a vendor might 
reasonably wait until the next convenient release?

> Given that the Malaysian CA had its cert pulled for this, can we get a
> statement from browser vendors on whether Cybertrust, GlobalSign, and the
> others will also similarly have their certs pulled for exactly the same
> behaviour?

It is curious.

When we wrote the Mozilla policy, we inserted that Mozilla had the sole 
right to decide when to pull a root.  When I suggested that (yes, blame 
me now) I knew that any suggestion to pull a root would immediately 
cause a counter-balancing lawsuit by CAs with cashflow in mind.  (Which 
would win, ask your lawyer how to stop anything with an injunction.)

Oh, and it was impractical to iterate in advance the reasons & causes 
for pulling a root.

Now I find myself in the other camp - wanting more definite statements.  
I think there are many discrepancies over time:   unusual claims made by 
vendors ("issued certs in breach of their own CPS" and "failure to 
notify relying parties"), policy & practice by herd, lack of 
transparency in vendors' actions, and recent allegations that some 
(sub-)roots are being used for routine MITMing.

I feel that PKI is entering a crisis phase, much like Europe's 
finances.  Things are going to get worse.  So, the question really is, 
are we going to ask the hard questions and start dealing with some hard 
answers, or are we going to kick the can along the road a bit more?  
Worked for Europe, right?

The MITM evidenced in the above attacks was or wasn't a reason to pull a 
root?  Is MITM a reason to pull a root?  Sufficient reason?

Or, what is?

And, is that it?  We'll keep burying roots until the pain goes away?
