[cryptography] Microsoft Sub-CA used in malware signing

Nico Williams nico at cryptonector.com
Sun Jun 10 20:56:15 EDT 2012

On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
> * Marsh Ray:
>> Marc Stevens and B.M.M. de Weger (of
>> http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the
>> collision in the evil CN=MS cert. I'm sure they'll have a full report
>> at some point. Until then, they have said this:
>>> [We] have confirmed that flame uses a yet unknown md5 chosen-prefix
>>> collision attack.
> Does this mean they've seen the original certificate in addition to
> the evil twin?

The evil twin has the nasty bits[*] in the issuerUniqueID field, which
is weird, and the ID is not one likely to be generated by any CA.
Would the original have it??  I don't see why the TS CA would have
issued certs with issuerUniqueIDs under any circumstances, which is
why it's interesting the evil twin had any evil bits.

[*] Marsh calls these bits a "tumor".  I don't think there's a good
analogy in biology, but for my money the analogy that comes closest is
"prion" (misfolded proteins, which in the most well-known case beget
more protein misfolding, which is why prions are not a perfect analog
for these evil bits).
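
An added example, not part of the original message: a standard-library Python check that reports whether a certificate's TBSCertificate carries issuerUniqueID or subjectUniqueID, the optional field the message above describes as one the CA had no reason to emit. The function names and the sample certificate skeletons are constructed for illustration; the samples are not real certificates.

```python
# Added example: report unique-ID fields present in a certificate's TBSCertificate.

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not used in certificates")
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, pos, pos + length

def unique_id_fields(cert_der):
    """Return {field name: content octets} for unique-ID fields in TBSCertificate."""
    tag, start, _ = read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    tbs_tag, pos, tbs_end = read_tlv(cert_der, start)  # TBSCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    names = {1: "issuerUniqueID", 2: "subjectUniqueID"}  # [1] / [2] IMPLICIT BIT STRING
    found = {}
    while pos < tbs_end:
        tag, vstart, vend = read_tlv(cert_der, pos)
        if tag & 0xC0 == 0x80 and (tag & 0x1F) in names:  # context class, number 1 or 2
            found[names[tag & 0x1F]] = vend - vstart
        pos = vend
    return found

def tlv(tag, content=b""):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + content

def sample_cert(issuer_uid=None):
    """Constructed skeleton with certificate field order and empty bodies; not a real cert."""
    fields = [tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01")] + [tlv(0x30)] * 5
    if issuer_uid is not None:
        fields.append(tlv(0x81, b"\x00" + issuer_uid))   # leading octet = unused-bit count
    return tlv(0x30, tlv(0x30, b"".join(fields)) + tlv(0x30) + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(unique_id_fields(sample_cert()))               # ordinary shape
    print(unique_id_fields(sample_cert(b"\xAA" * 200)))  # opaque blob in issuerUniqueID
```

RFC 5280 says conforming CAs must not generate certificates with unique identifiers, so any non-empty result from a check like this is worth a manual look at the field's contents.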

