md4 should be deprecated

Bug #429907 reported by georgi
Affects             Status        Importance  Assigned to  Milestone
gnutls26 (Ubuntu)   Fix Released  Wishlist    Unassigned
openssl (Ubuntu)    Fix Released  Wishlist    Unassigned

Bug Description

openssl s_client and konqueror seem to accept md4 signatures.

IMO md4 is weak - there is a preimage attack [1] of 2 rounds 7 steps in 8 hours (the full md4 is 3 rounds == 48 steps == 2 rounds 16 steps).

Having in mind that the 8 hours attack is by m$, I am inclined to believe an attack by a skilful attacker will take seconds.

Note that it is irrelevant whether any CA issues new md4 certs - it is enough to have an old valid md4 signature.

[1] Inversion Attacks on Secure Hash Functions using Sat Solvers, http://sat07.ecs.soton.ac.uk/slides/kumarasubramanian-sat07-talk.pdf

georgi (guninski) wrote :

FYI NSS (and firefox) reject signature with md4 hash

affects: ubuntu → openssl (Ubuntu)
georgi (guninski) wrote :

To test if an application accepts md4 hashes:

#generate cert assuming "key3" exists
openssl req -new -x509 -subj "/CN=localhost2" -key key3 -out cert3.pem -md4

#listen
openssl s_server -www -port 9999 -cert cert3.pem -key key3

georgi (guninski) wrote :

gnutls accepts md4 according to "gnutls-cli"

description: updated
summary: - md4 may be f*cked soon
+ md4 should be deprecated
Changed in openssl (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Changed in gnutls26 (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote :

I am wondering whether checking the acceptance of *self-signed* md4-using certificates is a useful test case at all. If you used separate CA and server certificates, with the CA signature on the server cert using md4, the outcome is different: GnuTLS will not successfully verify the server cert against the CA.
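
The separate-CA test described above, as an added shell example that is not part of this bug thread or of either project: it builds a throwaway CA, has the CA sign a server certificate with MD4, and asks the local openssl whether the chain verifies. The file names, CA name and CN are constructed, and a local openssl binary is assumed.

```shell
#!/bin/sh
# Build a throwaway CA and a server certificate whose CA signature uses
# MD4, then ask the local openssl to verify the chain. File names, the CA
# name and the CN are constructed for this example.
# Prints one of:
#   rejected         chain verification refuses the MD4-signed cert
#   accepted         the MD4-signed cert still verifies (worth reporting)
#   md4-unavailable  this openssl cannot even produce an MD4 signature
#                    (e.g. OpenSSL 3.x without the legacy provider)
check_md4_chain() {
    dir=$(mktemp -d) || return 1
    # Throwaway CA, self-signed with SHA-256. The digest under test is the
    # one the CA uses on the *server* certificate, not the CA's own.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 1; }
    # Server key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost2" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 1; }
    # The CA signs the server request with MD4.
    if ! openssl x509 -req -md4 -days 1 -in "$dir/server.csr" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/server.pem" >/dev/null 2>&1; then
        rm -rf "$dir"; echo md4-unavailable; return 0
    fi
    # Confirm the certificate really carries an MD4 signature algorithm.
    if ! openssl x509 -in "$dir/server.pem" -noout -text 2>/dev/null \
            | grep -qi md4; then
        rm -rf "$dir"; echo md4-unavailable; return 0
    fi
    # Default trust settings of the verify tool; pass -auth_level 1 to see
    # whether the security level changes the answer.
    if openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1
    then result=accepted; else result=rejected; fi
    rm -rf "$dir"
    echo "$result"
}

check_md4_chain
```

The same server.pem and server.key can be handed to the s_server command from the earlier comment to check a TLS client against a CA-signed MD4 certificate rather than a self-signed one.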

Adrien Nader (adrien) wrote :

AFAIU, MD4 is officially deprecated in openssl and it should also be forbidden with openssl's seclevel.

Right now I actually have trouble finding definitive answers because of how long this has probably been.

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released
Adrien Nader (adrien) wrote :

And as far as I can tell, gnutls doesn't use MD4 anymore. Marking as Fix released also for gnutls26.

Changed in gnutls26 (Ubuntu):
status: Confirmed → Fix Released