Mass revocation of TLS certificates from many CAs: serial numbers were mistakenly generated with 63 bits of randomness instead of 64
Three days ago, a report on the mozilla.dev.security.policy mailing list described a mass violation in the generation of TLS certificates. The investigation showed that several certification authorities were affected, including GoDaddy, Apple and Google. The total number of incorrect certificates exceeds 1 million and may be much higher. GoDaddy initially cited a figure of 1.8 million certificates and then reduced it by two orders of magnitude, to 12,000. An Apple representative cited a figure of 558,000 certificates.
The bottom line is that all of the affected CAs used the open-source PKI solution EJBCA with incorrect settings, as a result of which the random numbers used for certificate serial numbers were drawn from a 63-bit space, which violates the CA/Browser Forum minimum entropy requirement (64 bits).
The difference between 2^63 and 2^64 exceeds 9 quintillion, that is, 9 × 10^18, a very large number (although relatively it is only a factor of two). All of the certificates must be revoked. For SSL.com and GoDaddy the procedure will take 30 days, and for the others it may take about as long, although the RFC 5280 standard requires them to revoke invalid certificates within five days. They obviously will not manage to meet that deadline.
How did this happen? A preliminary analysis showed that for all of the certificates the length of the corresponding field is exactly 64 bits: neither more nor less. If the RNG produces 64 bits of entropy and all serial numbers are exactly 64 bits long, then at first glance everything is fine. But the problem is that, according to RFC 5280:
Serial Number
The serial number must be a positive integer assigned by the CA to each certificate. It must be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).
CAs must strictly control the issuance procedure so that the serial number is never a negative integer. The uniqueness requirements above imply that serial numbers can be long integers. Certificate users must be able to handle a serialNumber value of up to 20 octets (inclusive). CAs conforming to this standard must not use serialNumber values longer than 20 octets.
Requiring a positive number means that the most significant bit cannot be set. If it is set, the value cannot be used directly as the certificate's serial number.
The popular PKI system EJBCA, used by many CAs, by default generates 64-bit numbers and, for certificate serial numbers, simply clears the most significant bit. In effect, its RNG therefore produces 63-bit numbers, which is why so many CAs were affected.
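As an added illustration (not code from the article or from EJBCA), a Python model of the defect and of the audit check that exposed it: the flawed generator clears bit 63 of a 64-bit draw, the compliant one keeps all 64 bits and lets the DER encoding of a positive INTEGER add the leading 0x00 octet, and `audit_serials` flags a sample in which that leading octet never appears. The resampling-on-zero behaviour and the sample draws are assumptions of this example.

```python
import secrets

MAX_SERIAL_OCTETS = 20   # RFC 5280: serialNumber content must not exceed 20 octets


def der_integer_contents(n: int) -> bytes:
    """Content octets of a positive DER INTEGER. RFC 5280 forbids negative
    serials, so a 0x00 octet is prepended whenever the top bit is set."""
    if n <= 0:
        raise ValueError("serial number must be a positive integer")
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    out = b"\x00" + body if body[0] & 0x80 else body
    if len(out) > MAX_SERIAL_OCTETS:
        raise ValueError("serial number exceeds 20 octets")
    return out


def flawed_serial(rand: bytes) -> int:
    """Models the misconfigured EJBCA behaviour: 64 random bits, then the
    sign bit is cleared to keep the INTEGER positive. Only 63 bits survive."""
    assert len(rand) == 8
    return int.from_bytes(rand, "big") & ~(1 << 63)


def compliant_serial(rand: bytes) -> int:
    """Keeps all 64 random bits; positivity comes from the DER encoding (an
    extra leading 0x00), not from discarding entropy. Zero is rejected so
    the caller resamples (assumption: the caller retries on this error)."""
    assert len(rand) == 8
    n = int.from_bytes(rand, "big")
    if n == 0:
        raise ValueError("zero drawn, resample")
    return n


def audit_serials(serials) -> dict:
    """Auditor's check from the incident: a genuine 64-bit generator yields
    9-octet DER serials (leading 0x00) about half the time. A large sample
    with none of them means bit 63 is being cleared (2**-20 false-positive
    odds at 20 samples)."""
    encs = [der_integer_contents(s) for s in serials]
    nine = sum(1 for e in encs if len(e) == 9 and e[0] == 0)
    eight = sum(1 for e in encs if len(e) == 8)
    return {"eight_octet": eight, "nine_octet": nine,
            "suspect": eight >= 20 and nine == 0}


if __name__ == "__main__":
    draws = [secrets.token_bytes(8) for _ in range(32)]   # constructed sample
    print("flawed   :", audit_serials([flawed_serial(d) for d in draws]))
    print("compliant:", audit_serials([compliant_serial(d) for d in draws]))
```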
The requirement of 64 bits of randomness did not appear out of nowhere: it followed the 2008 attack in which a cluster of 200 PlayStation 3 game consoles was used to generate MD5 hash collisions, which made it possible to create a rogue certification authority that all browsers and operating systems would trust.
In 2012 this trick was used by the American cyber weapon Flame, which inserted itself into the Windows Update mechanism.
However, SHA-256 is now used for certificate signatures; it is a more modern algorithm than MD5, so the 64-bit minimum is adopted more as a preventive measure. Experts say there is currently no realistic way to find collisions in 63 bits and somehow exploit the error found in the incorrect certificates.
But revoking millions of certificates is a headache for the system administrators of many companies.
The loss of 1 bit of entropy is not so terrible in itself, but someone somewhere may find a weakness that costs another 1-2 bits, and so on. So all such defects must be fixed immediately.