[cryptography] Microsoft Sub-CA used in malware signing
eabalea at gmail.com
Mon Jun 11 05:31:27 EDT 2012
2012/6/11 Ben Laurie <ben at links.org>
> On Mon, Jun 11, 2012 at 1:56 AM, Nico Williams <nico at cryptonector.com>
> > On Sun, Jun 10, 2012 at 3:03 PM, Florian Weimer <fw at deneb.enyo.de>
> >> * Marsh Ray:
> >>> Marc Stevens and B.M.M. de Weger (of
> >>> http://www.win.tue.nl/hashclash/rogue-ca/) have been looking at the
> >>> collision in the evil CN=MS cert. I'm sure they'll have a full report
> >>> at some point. Until then, they have said this:
> >>>> [We] have confirmed that flame uses a yet unknown md5 chosen-prefix
> >>>> collision attack.
> >> Does this mean they've seen the original certificate in addition to
> >> the evil twin?
> > The evil twin has the nasty bits[*] in the issuerUniqueID field, which
> > is weird, and the ID is not one likely to be generated by any CA.
> > Would the original have it?? I don't see why the TS CA would have
> > issued certs with issuerUniqueIDs under any circumstances, which is
> > why it's interesting that the evil twin had any evil bits.
> Surely the whole point is that the collision is used to switch
> <something> to issuerUniqueID in order to hide the stuff that would've
> stopped the cert from working. I haven't looked, but I'm prepared to
> bet it would not be hard to figure out what the original cert must
> have looked like.
> Has anyone got the evil cert as a binary? I could probably reconstruct
> it from the bazillion dumps out there, but I can't be bothered.
Based on dumps found "here and there", the issuerUniqueID is filled with
extensions, and one of them is a Microsoft proprietary (1.3.6.1.4.1.311.18.xxx)
and set critical. This extension itself prevents the certificate from being used
on post-Vista machines. The others are CRLDP, EKU, maybe other things. This
is obviously the result of the chosen-prefix attack (just like it was
demonstrated with MD5 Rogue CA).
The resulting evil certificate has no extension at all.
Paper by Marc Stevens (
presents a detection method for a chosen-prefix attack using only one
message of the pair.
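As an added example (not part of the thread, and not Stevens' single-message detection method): a small pure-Python DER walker that flags certificates whose TBSCertificate carries an issuerUniqueID or subjectUniqueID field and reports whether the blob inside is shaped like an Extensions sequence, the layout the post above describes. The sample certificate is constructed here with dummy names and a bogus signature purely to exercise the check.

```python
def der(tag, body):
    """Minimal DER TLV encoder (bodies < 64 KiB)."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else b'\x81' + bytes([n]) if n < 0x100 else b'\x82' + n.to_bytes(2, 'big')
    return bytes([tag]) + ln + body

def tlv_iter(data):
    """Yield (tag, value) for each top-level DER element; raise on truncation."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:  # long-form length
            k = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + k], 'big'), i + k
        if i + ln > len(data):
            raise ValueError('truncated DER element')
        yield tag, data[i:i + ln]
        i += ln

def looks_like_extensions(bitstring):
    """True if a UniqueID BIT STRING (after the unused-bits octet) parses as
    SEQUENCE OF SEQUENCE { OID, ... }, i.e. is shaped like X.509 Extensions."""
    try:
        items = list(tlv_iter(bitstring[1:]))
        if len(items) != 1 or items[0][0] != 0x30:
            return False
        exts = list(tlv_iter(items[0][1]))
        return bool(exts) and all(t == 0x30 and next(tlv_iter(v))[0] == 0x06 for t, v in exts)
    except (IndexError, ValueError, StopIteration):
        return False

UNIQUE_ID_TAGS = {0x81: 'issuerUniqueID', 0x82: 'subjectUniqueID'}  # [1], [2] IMPLICIT BIT STRING

def unique_id_fields(cert_der):
    """Report UniqueID fields of a certificate's TBSCertificate: each present field
    maps to True when its content looks like smuggled extensions; 'extensions_present'
    says whether the regular [3] Extensions field exists at all."""
    _, cert_body = next(tlv_iter(cert_der))
    _, tbs_body = next(tlv_iter(cert_body))
    report = {'extensions_present': False}
    for tag, value in tlv_iter(tbs_body):
        if tag in UNIQUE_ID_TAGS:
            report[UNIQUE_ID_TAGS[tag]] = looks_like_extensions(value)
        elif tag == 0xA3:  # [3] EXPLICIT Extensions
            report['extensions_present'] = True
    return report

def sample_cert(smuggle):
    """Constructed v3 certificate skeleton (dummy names, zero signature): a critical EKU
    extension sits either in the normal [3] field or hidden inside issuerUniqueID."""
    md5rsa = der(0x30, der(0x06, bytes.fromhex('2a864886f70d010104')))  # md5WithRSAEncryption
    eku = der(0x30, der(0x06, b'\x55\x1d\x25') + der(0x01, b'\xff') + der(0x04, b'\x30\x00'))
    body = (der(0xA0, der(0x02, b'\x02')) + der(0x02, b'\x01') + md5rsa + der(0x30, b'')
            + der(0x30, der(0x17, b'120101000000Z') * 2) + der(0x30, b'') + der(0x30, b''))
    body += der(0x81, b'\x00' + der(0x30, eku)) if smuggle else der(0xA3, der(0x30, eku))
    return der(0x30, der(0x30, body) + md5rsa + der(0x03, b'\x00' * 17))
```

A v3 certificate with a UniqueID field at all is already unusual; one whose UniqueID decodes as an Extensions sequence while the [3] field is absent is the pattern worth alerting on.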