[cryptography] 512-bit certs used in attack

Marsh Ray marsh at extendedsubset.com
Mon Nov 28 00:00:53 EST 2011

On 11/27/2011 09:57 PM, Peter Gutmann wrote:
> That's an example of *claims* of 512-bit keys being factored, with
> the thinking being "everyone knows 512-bit keys are weak, the certs
> used 512-bit keys, therefore they must have got them by factoring".

Yeah. It seems like an important point.

> There is no indication that any certificates were issued
> fraudulently. Instead, cryptographically weak keys have allowed some
> of the certificates to be duplicated and used in a fraudulent
> manner.

On 11/27/2011 09:57 PM, Peter Gutmann wrote:
> Unfortunately this doesn't explain how they got the 1024-bit and
> longer keys that were also used in the attack.

Is that true? I haven't seen this reported. Link?

> if you looked at the 4 certificates initially found, it was easy to
> determine that all were 512bit RSA and used on HTTPS websites, which
> were still up at the time of writing. Later during our investigation
>  we encountered 5 more certificates which also were used to
> successfully sign malware throughout 2011 by the same attacker, all
> 512 bit RSA.
..in the Q&A section...
> From all the signed executables we found related to this attack all
> were exactly signed with a 512 bit RSA certificate and Mikko Hypponen
> stated during the closing keynote that the certificate in Malaysia
> was explicitly not stolen.

Possibly this is built on some assumptions, but it seems to be the
simplest explanation for the data. I.e., how many ways are there for an
attacker with the goal of stealing certs to use in an attack and end up
getting caught with nine 512 bit ones?

Here are the possibilities I can come up with:

* Attacker actually obtained a representative sample of many certs, but
chose to use only the 512 bit ones for some unknown reason.

* Attacker compromised a little sub-CA in Malaysia which for some
unknown reason retained the private keys for 512 bit certs but not
better ones.

* Microsoft's statement that "There is no indication that any
certificates were issued fraudulently" does not accurately reflect the
reality and the attacker was able to get the sub-CA to issue fraudulent
certs, but for some reason only 512 bit ones.

* There actually were the expected proportion of 1024 bit certs used in
the attack, but F-Secure/Mikko Hypponen and Fox-IT have an institutional
bias that causes them to miss observing them, not connect them to this
attack, or not accurately report them.

* Attacker used a known quantity of CPU time to factor some of the 512
bit RSA certs he found via SSL observatory or his own scan.

- Marsh
