The Prediction of Serial Number in OpenSSL’s X.509 Certificate

Research ArticleThe Prediction of Serial Number in OpenSSLrsquos X509 Certificate

Jizhi Wang 1234

1 Institute of Information Engineering Chinese Academy of Sciences China2School of Cyber Security University of Chinese Academy of Sciences China3ShandongProvincial Key Laboratory of Computer Networks Shandong Computer Science Center (National Supercomputer Center inJinan) Shandong Academy of Sciences China

4School of Cyber Security Qilu University of Technology China

Correspondence should be addressed to Jizhi Wang wangjzhsdasorg

Received 14 November 2018 Accepted 25 March 2019 Published 2 May 2019

Academic Editor A Peinado

Copyright copy 2019 Jizhi Wang This is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

In 2007 a real faked X509 certificate based on the chosen-prefix collision of MD5 was presented by Marc Stevens In the methodattackers needed to predict the serial number of X509 certificates generatedbyCAs besides constructing the collision pairs ofMD5After that the randomness of the serial number is requiredThen in this case how do we predict the random serial numberThusthe way of generating serial number inOpenSSL was reviewedThe vulnerability was found that the value of the field ldquonot beforerdquo ofX509 certificates generated by OpenSSL leaked the generating time of the certificates Since the time is the seed of generating serialnumber in OpenSSL we can limit the seed in a narrow range and get a series of candidate serial numbers and use these candidateserial numbers to construct faked X509 certificates through Stevensrsquosmethod AlthoughMD5 algorithm has been replaced by CAsthe kind of attack will be feasible if the chosen-prefix collision of current hash functions is found in the future Furthermore weinvestigate the way of generating serial numbers of certificates in other open source libraries such as EJBCA CFSSL NSS Botanand Fortify

1 Introduction

Digital certificates are adopted widely in Internet which is abasic security measurement Many principals such as clientsand servers depend on digital certificates to authenticateeach other If an attacker can forge otherrsquos digital certificateheshe may impersonate otherrsquos identity and access sensitiveinformation This is one of serious threats for the public

The security of digital certificates is based on the digitalsignature algorithms and hash algorithms If an attack againstthese algorithms occurs the digital certificates based onthese algorithms cannot be trusted any more Among attackscollision of hash algorithms is one of the most seriousthreats Since the first realMD5 collision attackwas presentedby Wang [1 2] in 2004 it is possible to construct forgedcertificates based on the collision attack of MD5

At Eurocrypt 2007 the different certificates with thesame signature were created firstly by Stevens based on thechosen-prefix collision attack of MD5 [3ndash5] This was a big

event for commerce CAs and their users because the kindof forged certificates can be verified successfully After thatmany companies announced that MD5 was vulnerable todigital certificates such as Verisign Microsoft Mozilla TCTrustCenter RSA US-CERT and Cisco [6] In addition thesuper-malware Flame was discovered in 2012 [7] which usesthe method to forge a Microsoftrsquos certificate [8]

The method of Stevens cannot forge a certificate froman existing certificate because the second preimage attackof MD5 is hard so far The method needs to construct twocertificates based on chosen-prefix collision attack of MD5before submitting one of them to apply for a certificate to aCA The implementation of the process has two key issuesone related to the collision pair construction of MD5 andthe other to some fields controlled by CAs such as serialnumber in certificates which attackers need to predict beforesubmitting the application Against the threat Stevens gavetwo suggestions for CAs one is to replace MD5 algorithmwith other secure hash algorithms (such as SHA-256) because

HindawiSecurity and Communication NetworksVolume 2019 Article ID 6013846 11 pageshttpsdoiorg10115520196013846

2 Security and Communication Networks

chosen-prefix collision of other hash algorithms does notoccur at present the other is to add a sufficient amount offresh randomness at the appropriate fields (such as serialnumber) in order to prevent attackers frompredicting ifMD5cannot be replaced at once [5] In the wild however manyvalid certificates still use MD5 [9] In addition we grabbed180000+ certificates from Internet while 5000+ certificatesare based on MD5 in other words 28 certificates

In this paper we will focus on whether the randomnessof some fields in certificates is enough to prevent attackersfrom predicting Since the detailed codes of business CAsare not public we review the way of generating certificatesby open source software OpenSSL to find how to predictthe values of some fields in certificates OpenSSL uses apseudo random number generator (PRNG) to output ran-dom numbers Some literatures related to the security of thePRNGhave been proposed [10ndash15]The security of OpenSSLrsquosPRNG in Android and Debian has been reported in [1014] A theory analysis of OpenSSLrsquos PRNG was presented in[10] However it is not clear how the PRNG works in theprocedure of generating X509 certificates Furthermore wealso investigated generating certificates in other open sourcelibraries like EJBCA CFSSL NSS Botan and Fortify

In this paper we have three contributions as follows

(1) We find a vulnerability of OpenSSL that the field ldquonotbeforerdquo in certificates leaks the time of generatingcertificates which is the seed of generating the fieldldquoserial numberrdquo so that it is possible to predict thevalue of ldquoserial numberrdquo

(2) We give the predicting method for the field ldquoserialnumberrdquo and forge certificates based on the proposedmethod and Stevensrsquos method

(3) We investigate five other open source libraries andfind similar vulnerability in two libraries EJBCA andNSS

The paper is organized as follows In Section 2 somepreliminaries are introduced and the problems solved by thepaper are defined Section 3 reviews the source codes ofOpenSSL about generating X509 certificates Then Section 4proposes a method predicting the key fields of certificatesSome countermeasures are given in Section 5 and Section 6investigates other open source libraries Finally Section 7concludes the paper

2 Preliminaries

In X509 certificates the signature of CA is the mostimportant part to prevent from forging Any modificationof contents in certificates would make the change of CArsquossignature in other words the change of Hash value If auser Arsquos certificate has existed we cannot forge the certificatedirectly because it needs to construct the second preim-age of hash value of the certificate However we can useother user Brsquos identity to apply a certificate for CA andgenerate a chosen-prefix collision pair which can forge Arsquoscertificate

Table 1 The overview of collision complexities

MD5identical-prefix chosen-prefix216 (2009 [4]) 239 (2009 [4])

SHA-1identical-prefix chosen-prefix263 (2017 [17]) 277 (2012 [5])

21 Chosen-Prefix Collision Attack of MD5 According tothe chosen-prefix collision the prefixes p and p1015840 of twomessage blocks are chosen Then the collision pair s ands1015840 is generated so that 1198721198635(119901119904119889) = 1198721198635(11990110158401199041015840119889) issatisfied for any arbitrary suffix d The two prefixes p andp1015840 must be of equal length and their length is a multiple ofthe MD5 message block size Otherwise padding messagemust be added The computing complexity of the attack is119874(239) [4 5] and a program was presented by Stevens [16]For attackers the method can be applied to forge certificatessuccessfully

Before that identical-prefix collision had been studiedwhich is easier to be constructed than chosen-prefix collisionAlthough identical-prefix collision can be used to forgecertificates the kind of forgery is meaningless in practicalattacks because the userrsquos identity is in the prefix and cannotbe changed

The overview of collision complexities is in Table 1 Wecan see the chosen-prefix collision of MD5 is feasible incomputing while the chosen-prefix collision of SHA-1 isunfeasible so far But in the near future a real case of chosen-prefix collision of SHA-1 may be found when the attack willbe feasible

22 X509Certificates To forge a certificate we need to knowwhich part of certificate is as the prefix and which part ofcertificate the collision pair is placed on The data structureof X509 certificate is in Table 2

According to the chosen-prefix collision attack the gen-erating collision pair is like random number while only thefield ldquosubject public key infordquo is the analogy with randomnumberThus the collision pair constructed by chosen-prefixcollision attack is placed in the field ldquosubject public key infordquo(Table 2) and the fields from ldquoversion numberrdquo to ldquopublickey algorithmrdquo of the certificate are as prefix chosen Thenan attacker must know the CA will chose which value to fillthe fields in advance because before requiring the certificatefor the CA heshe must construct a collision pair and thensubmit the generated ldquopublic key infordquo Among these fieldsthe values of ldquoserial numberrdquo and ldquonot valid beforerdquo need tobe forecast because they are controlled by CAs while othersare easy to obtain

23 The Procedure of Forging a Certificate To forge Arsquoscertificate we need to generate a chosen-prefix collision pairto construct two certificates one of which is in the name of Aand the other is in the name of BThen we submit Brsquos identity

Security and Communication Networks 3

Table 2 The data structure of X509 certificates

field comments exampleX509 version number Standard X509 Version 3Serial number Chosen by CA 0x01000001Signature algorithm identifier Standard X509 MD5withRSAEncryption

Issuer distinguished name Identity of CACN=ldquoxxx CArdquoL=ldquoxxxxxrdquoC=ldquoxxrdquo

Not valid before Controlled by CA Jan1201700h00m01sNot valid after Controlled by CA Dec31201723h59m59s

Subject distinguished name Identity of users

CN=ldquoxxxxxrdquoO=ldquoxxxxrdquoL=ldquoxxxrdquoC=ldquoxxrdquo

Public key algorithm Standard X509 RSAEncryptionSubject public key info Controlled by users 0x98765432 Version 3 extensions Standard X509

and public key to the CA and get its signature The signatureof Arsquos certificate is replaced which can be verified successfully

The flow of the forging a certificate is in Figure 1 Firstlyattackers chose a targetCA Before guessing the serial numberand validity period in certificates they need to collectapplyfor enough certificates issued by the CA and look for whetherthe two fields have any patterns If they find any then thefields can be predicted After constructing the collision pairbased on chosen-prefix collision attack attackers can submitone of the two to the CA and get its signature If the guessedserial number and validity period are correct it is successfulOtherwise attackers would guess again

In [4] Stevens reported that their targeted CA usedsequential serial numbers and the validity period startedexactly 6 seconds after a certification request was submittedThus they could predict the value of the fields easily Howeverthe attack becomes effectively impossible if the CA addsa sufficient amount of fresh randomness to the certificatefields such as in the serial number This randomness is tobe generated after the approval of the certification request sothat if attackers cannot predict the value of these fields theycannot construct the collision pair

24 The Problem Thus in this paper we try to answer thetwo questions

(1) How do we predict the value of the field ldquoserialnumberrdquo if the CA chooses a random number as theserial number

(2) How do we predict the value of the field ldquonot validbeforerdquo that is in the unit of second

To answer the two questions we need to know how CAsgenerate the value of the two fields However the differentCAs may adopt different ways to filling the fields Sincethe open source software OpenSSL [18] is widely appliedin generating X509 certificates we take it as an exampleto answer the two questions For example the open source

PKI architecture OpenCA [19] is to call OpenSSL to generateX509 certificates

3 The Reviewing of OpenSSL

We use OpenSSL 110e to review how a certificate is gener-ated Before 098 of OpenSSL MD5 was a default configura-tion for creating message digests [20] but after that MD5 isstill supported because of compatibility

31 OpenSSLrsquos PRNG RAND add() and RAND bytes() arethe most important random number functions in OpenSSL

(i) RAND add(void lowastbuf int n double entropy) adds nbytes of buf into PRNG states

(ii) RAND bytes(void lowastbuf int n) outputs n bytes ofrandom number into buf

The authors in [10ndash12] gave the algorithms of RANDadd() and RAND bytes() as in Algorithms 1 and 2

The input parameter md0of RAND add is the IV of SHA1

algorithm The parameter s is an array whose initial valuesare zero which is the internal states of the random numbergeneratorThe parameters p and q are location marks of arrays whose initial values are zero

32 The Serial Number of X509 Certificates When we useOpenSSL to generate a X509 certificate there are two ways togenerate the serial number In the configure file of OpenSSLldquoopensslconfrdquo (Figure 2) the term ldquoserialrdquo is related to theserial number If the file ldquoserialrdquo in the current directoryexists the serial number can be set up in the file that is tosay we can designate a number as the serial number in thefile For example if we input ldquo01rdquo into the file ldquoserialrdquo theserial number will be ldquo01rdquo In addition after the certificate isgenerated the number in the file ldquoserialrdquo will be plus one andthen changed into ldquo02rdquo In other words the serial number of


Start

choose atarget CA

apply enoughcertificates to the CA

find the pattern of serialnumber and validity period

guess serial numberand validity period

construct thecollision pair

submit one toCA to get signature

the guess is correct

success

N

Y

Figure 1 The flow of forging a certificate

Input n b where b is divided into 20-byte-length block bientropy is 0 by defaultmd is 20-byte states s is 1023 bytes PRNG states

for i=1 to n dot=size(bi-1)-1mdi=SHA1(mdi-1119904[119901 119901 + 119905mod1023]119887i-1)s[pp+t mod 1023]=s[pp+t mod 1023] oplus119898119889i[0t]p=p+t+1 mod 1023

end formd0= mdi oplus 1198981198890

q=min(q+size(b) 1023)return md

0 s p q

Algorithm 1 The function of RAND add RAND add(void lowastb int n double entropy)

Input r where r is divided into 10-byte-length blocks ri r is defined and evaluated in the functionOutput b

for i=1 to n do119898119889i = 1198781198671198601(119898119889i-1119903i-1119904[119901 119901 + 9mod119902])119903i-1 = 119898119889i[10 10 + 119904119894119911119890(119903i-1) minus 1]s[pp+9 mod q]=s[pp+9 mod q]oplus119898119889i[0 9]p=p+10 mod q

end for1198981198890= 1198781198671198601(119898119889i||1198981198890)

return md0 s p q

Algorithm 2 The function of RAND bytes RAND bytes(void lowastb int n)


Figure 2 ldquoopensslconfrdquo the configure file of OpenSSL

the next certificate will be ldquo02rdquoThus we can forecast exactlythe serial number because of the sequential serial numbers

On the other hand if the file ldquoserialrdquo does not existOpenSSL would use random number as the serial number ofX509 certificates An example is in Figure 3 In this paper wewill discuss the prediction of the serial number in the way

Reviewing the source code of OpenSSL we can find itcalls the function ldquorand serial (BIGNUM lowastb ASN1 INTE-GER lowastai)rdquo in X509c to generate the serial number (Figure 4)

After a serial of function calling the functionsldquoRAND add(const void lowastbuf int num double add)rdquo andldquoRAND bytes(unsigned char lowastbuf int num)rdquo are called inbn randc (Figure 5)

In the case the parameter b of RAND add() isrdquotime trdquo type of variable rdquotimrdquo while the parameter r ofRAND bytes() is defined inside We reviewed the sourcecode of RAND bytes() and found it is ldquoFILETIMErdquo type ofvariable ldquotvrdquo in Figure 6 In addition the parameter md

0of

RAND bytes() depends on the ldquodummy seedrdquo in Figure 6whose value is 20 bytes of ldquordquo by default

In summary the serial number depends on two timevariables ldquotimrdquo and ldquotvrdquo where ldquotimrdquo is a 32-bit integer whichrecords the number of seconds since 000000 Jan 1 1970and ldquotvrdquo is a 64-bit integer which records the number of 100nanoseconds since 000000 Jan 1 1601 in Windows whileldquotvrdquo records the number of microseconds since 000000 Jan1 1970 in Linux The two times are the current system time

33 The Valid Time of X509 Certificates The valid time ofX509 certificate depends on two times ldquonot beforerdquo and ldquonotafterrdquoThe different time between ldquonot beforerdquo and ldquonot afterrdquois the valid time

In the source codes of OpenSSL x509c generates thecontent of a X509 certificate (Figure 4) while the function

Input x startdate enddate daysOutput x

If(startdate==NULL)X509 gmtime adj(s0)

else

If (enddate==NULL)X509 time adj ex(sdays00)

else

Algorithm 3The function of set cert time set cert time(X509 lowastxconst char lowaststartdate const char lowastenddate int days)

ldquoset cert time(X509 lowastx const char lowaststartdate const charlowastenddate int days)rdquo is to set the valid time (Algorithm 3)

Since the parameter ldquostartdaterdquo is set as NULL when thefunction is called the data field ldquonot beforerdquo of certificatesis set as the current time of system The detail code is inX509 vfyc by a serial of functions calling (Figure 7)

In Figure 7 ldquonot afterrdquo is got by ldquonot beforerdquo + ldquodaysrdquo theparameter of set cert times() because the ldquoenddaterdquo is set asNULL

4 The Prediction of Serial Number

From above analysis the serial number and ldquonot beforerdquodepend on the system time when the certificate is generatedin OpenSSL In addition the value of ldquonot beforerdquo is thetime when generating the certificate Thus we know someinformation of the seeds of the serial number

41 Low Entropy Secret Leakage In [10] Strenzke pointedthat if the seed was in a low entropy state the output ofrandom number generator would leak the information of theseed which was called low entropy secret leakage (LESL)Thus an attack can try through all the possible seeds andgenerate the results according to hisher instance of therandom number generator If the resulting outputs are equalto the outputs of the real random number generator thenthe attacker knows the used seed of the real random numbergenerator

The above serial number generator of X509 certificates inOpenSSL is an example of LESL The current time of the dayin microseconds provides about 36 bits of entropy Howeversince ldquonot beforerdquo of certificates leaks the time in secondsas the part of seeds of serial number we can try every 100nanoseconds (in Windows) or microseconds (in Linux) tofind which seed is used Thus the entropy is lost and only20 bits (106) In the next subsection we will make the entropyreduce to 10 bits (103)

42 Testing In [4] authors reported that the validity periodstarted exactly 6 seconds after a certification request wassubmitted To verify the issue we selected a commercial CA


Figure 3 An example of X509 certificate

Figure 4 Part of x509c

Figure 5 RAND add() and RAND bytes() are called in bn randc

that provides personnel with free certificates We used tendifferent E-mail addresses to apply to the CA for certificatesThe submitting time was recorded and the value of ldquonotbeforerdquo was checked after receiving the certificate We can

Figure 6 The source code of RAND bytes()

find that the difference between the two times is 5 secondsfixed

Obviously according to the difference of the two timesattackers can control the time when a CA generates acertificate because the value of rdquonot beforerdquo directly showsthe time Furthermore the serial number depends on thetime in seconds and in nanoseconds in OpenSSL (Figures 3and 4) Then attackers know the time in seconds while notknowing the time in 100 nanoseconds Thus for attackers topredict the serial number of certificates a natural idea is tobrute force every 100 nanoseconds in the second accordingtoAlgorithms 1 and 2The computation complexity is119874(107)However in real computer systems can the timing precisionbe 100 nanoseconds We test the parameter ldquotvrdquo in Figure 4


Figure 7 The default value of ldquonot beforerdquo is the current time ofsystem

Table 3 The testing result for timing precision

Operation system Timing Precision Computation ComplexityWindows XP 10ms 119874(102)

Windows 7 1ms 119874(103)

Ubuntu 1404 1ms 119874(103)

in different operation systems We installed three operationsystems in the same computer (Intel Core i7 2GHz) and testedthe time jumping We can see that every time jumping islarger than 100 nanoseconds The result is shown in Table 3

From Table 3 we can see the computation complexity inreality is much smaller than the one in theory

According to the above discussion attackers can predictthe serial number and ldquonot beforerdquo of a certificate To verifythe conclusion we use Algorithm 4 to predict the serialnumber and ldquonot beforerdquo

In Windows XP the time precision is 0x18730 100nano-seconds (=100144) So in Step 5 we select randomly a value ofm the success probability is 001 in other words we submitthe application more than 69 times the success probabilityis more than 50 In Ubuntu the time precision is 0x3f0microseconds (=1008) So the success probability is 0001

The testing result shows that the real serial number ofthe certificate is one of the candidate serial numbers that wepredict (in Table 4)

5 Countermeasure

Since the value of ldquonot beforerdquo leaks the time of certificatesrsquogeneration attackers can limit a narrow range of the seeds forgenerating serial numbers in OpenSSL The problem showsthat the entropy of the seed is too lowwhich cannot guaranteethe randomness of serial numbers Thus a natural idea isto add entropy of the seed In Figure 4 a dummy seed isdefined but it is a fixed 20 bytes ldquordquo Obviously if the seedis a variable secret the entropy will be increased This is thesimplest method to deal with the problem

The other idea is that the value of rdquonot beforerdquo shouldbe set a future time instead of the current system time For

Figure 8 The valid time of certificates in EJBCA

Figure 9 The serial number of certificates in EJBCA

example the value can be set as 000000 of the second dayafter the day of application Thus attackers cannot know theexact time when the certificate is generated

6 Other Libraries

We have investigated other open source libraries generatingcertificates EJBCA [21] CFSSL [22] NSS [23] Botan [24]and Fortify [25] to find whether similar problems exist whengenerating serial numbers of certificates

61 EJBCA EJBCA is an open source PKI CertificateAuthority software based on Java technology We re-viewed the source codes of EJBCA Community 61012In EJBCA a tool called CertTool is provided to gen-erate certificates where is in 119890119895119887119888119886119898119900119889119906119897119890119904119888119890119904119890119888119900119903119890 minus119888119900119898119898119900119899119904119903119888119900119903119892119888119890119904119890119888119900119903119890119906119905119894119897119862119890119903119905119879119900119900119897119895119886V119886We reviewedthe file to find how the valid time and serial number ofcertificates are generated

From Figures 8 and 9 we can conclude that the defaultvalue of ldquonot beforerdquo is set as ldquocurrent time - 10 minutesrdquo(in milliseconds) and ldquonot afterrdquo is set as ldquocurrent time + 24hoursrdquo (in milliseconds) The generation algorithm of ldquoserialnumberrdquo is ldquoSHA1PRNGrdquo and the seed is set as ldquocurrent timerdquo(in millisenonds)

Obviously the problem of EJBCA is similar to OpenSSLWe can get ldquonot beforerdquo of certificates easily then know theseed of ldquoSHA1PRNGrdquo and predict the serial number

62 CFSSL CFSSL is an open source PKITLS toolkit devel-oped by CloudFlare We reviewed the source codes of CFSSL12 in order to find how the valid time and serial number ofcertificates are generated

From Figure 10 we can see that the default value of ldquonotbeforerdquo is set as ldquocurrent timerdquo The ldquoserial numberrdquo is gen-erated by the function ldquorandrdquo in the package rdquocryptorandrdquoof Go ldquorandReaderrdquo is a global shared instance of a crypto-graphically PRNGwhich reads from devurandomonUnix-like systems or from CryptGenRandom API on Windowssystems ie the seed of the PRNG is from operation systems


Table 4 Forged certificate

Field Submitted Certificate Forged CertificateSerial number cd e9 6e da bc a0 04 f4 cd e9 6e da bc a0 04 f4Signature algorithmidentifier MD5withRSAEncryption MD5withRSAEncryption

Issuer distinguishedname My Test CA My Test CA

Not valid before 0x59c5905d 0x59c5905dNot valid after 0x5f692add 0x5f692addSubject distinguishedname My Tes1 tes1cer1com My Tes2 tes2cer1com

Public key algorithm RSAEncryption RSAEncryption

Subject public keyinfo (2048bit)

BE 4F C4 66 2B AB 69 FB B9 50 78 55 12 33 9C E3 00 48 C7 2A F7 D3 19 0C C9 24 1D 43 D5 CB B4 6C25 7B B3 9A A4 2F D9 F6 C7 56 C9 9A 38 D8 08 5A E4 AD 87 60 4E 74 F1 C6 41 23 D8 17 7C 85 20 DB00 00 00 00 C8 4C B9 00 6F E2 2B E0 91 09 8F F6 00 00 00 00 B3 73 81 B5 62 8C BD 7A 91 09 8F F69C EB 64 14 35 B3 01 47 DC FC C1 81 DD 96 93 9E 9C EB 64 14 35 B3 01 47 DC FC C1 81 DD 96 93 9E61 07 07 0E 3B 5F F7 C3 B8 FF AE AB 40 32 56 2B 61 07 07 0E 3B 5F F7 C3 B8 FF AE AB 40 32 56 2B21 21 CC B7 CB 4D DD C4 78 5D C1 02 02 83 09 88 21 21 CC B7 CB 4D DD C4 78 55 C1 02 02 83 09 8826 DD 3D 51 7A 5D 4A E7 7D 53 4E B3 B4 D5 D0 72 26 DD 3D 51 7A 5D 4A E7 7D 53 4E B3 B4 D5 D0 72FD 20 B5 58 F2 3B AE 06 D7 17 B5 FD DB 02 22 DC FD 20 B5 58 F2 3B AE 06 D7 17 B5 FD DB 02 22 DC2A BD B8 D8 9B ED B7 D1 B0 83 F6 8F 98 69 BD 8E 2A BD B8 D8 9B ED B7 D1 B0 83 F6 8F 98 69 BD 8E9B 0D 44 71 ED 86 A6 80 1A A6 39 5D E7 88 E0 CE 9B 0D 44 71 ED 86 A6 80 1A A6 39 5D E7 88 E0 CE0B F5 C5 F9 D6 5C 27 35 A0 F0 65 93 FE CA D3 DA 0B F5 C5 F9 D6 5C 27 35 A0 F0 65 93 FE CA D3 DA42 AC 0A 98 AB B9 49 70 28 85 8C 46 31 B7 3F 9D 42 AC 0A 98 AB B9 49 70 28 85 8C 46 31 B7 3F 9D28 32 19 5E 45 7C 79 36 81 D6 04 9C 40 3E AA FA 28 32 19 5E 45 7C 79 36 81 D6 04 9C 40 3E AA FAAA AD 19 1A 78 82 4C D2 52 06 0B E4 05 CF 4A 39 AA AD 19 1A 78 82 4C D2 52 06 0B E4 05 CF 4A 3997 41 FD 43 AB 90 A3 0C 20 59 C7 EF DD 5B 70 0E 97 41 FD 43 AB 90 A3 0C 20 59 C7 EF DD 5B 70 0E82 79 54 AD 5E 2D 30 95 54 97 C6 10 4F CA 20 59 82 79 54 AD 5E 2D 30 95 54 97 C6 10 4F CA 20 59

Figure 10 The valid time and the serial number of certificates inCFSSL

It is hard to predict the output of random number generatorsof operation systems so far

63 NSS NSS is a set of libraries supporting cross-platformnetwork security services and developed by Mozilla Wereviewed the source codes of NSS 338 to find the way that the

valid time and serial number of certificated are generatedThetool creating certificates is in 119899119904119904119888119898119889119888119890119903119905119906119905119894119897119888119890119903119905119906119905119894119897119888

From Figure 11 we can see that the default value ofldquonot beforerdquo is set as ldquocurrent timerdquo From Figure 12 ldquoserialnumberrdquo is not a random number ldquoLL USHRrdquo is a macrodefined in ldquoprlonghrdquo to logically shift the second operandright by the number of bits specified in the third operandldquoPRTimerdquo is a 64-bit structure in microseconds Thus ldquoserialnumberrdquo is 64-bit ldquocurrent timerdquo shifted right by 19 bitsObviously we can predict ldquoserial numberrdquo easily

64 Botan Botan is an open source cryptography librarywritten in C++ We reviewed the source codes of Botan 26to find the way that the valid time and serial number ofcertificated are generated

Form Figure 13 the default value of ldquonot beforerdquo(start time in Figure 13) is set as ldquocurrent timerdquo Theldquoserial numberrdquo is the second parameter of the functionldquosignrequestrdquo ie ldquorng()rdquo which is defined in the header filebotansrccliclih in Figure 14

There are 5 kinds of random number generators inBotan which is dependent on the command parametersldquorng ndashsystem ndashrdrand ndashauto ndashentropy ndashdrbg ndashdrbg-seed=


Step 1 Attacker applies for a certificate to target CA and records the submitting time Ts in secondsStep 2 Attacker receives the certificate checks the time Tb of ldquonot beforerdquo in certificate and the time Ta of ldquonot afterrdquoand computes 119879d = 119879b minus 119879s and 119879v = 119879a minus 119879bStep 3 According to the Algorithms 1 and 2 attacker brutes force the every 100-nanosecond (for Windows) or everymicrosecond (for Linux) in Tb to find which time seed Tbn is used to generate the certificate (totally 10

7 or 106)Step 4 Attacker selects a future time Tf as the time of ldquonot beforerdquo of the target forged certificateStep 5 Attacker randomly selects a value of m which satisfies the condition119879f(119894119899119904119890119888119900119899119889119904) le 119879bn + 100144119898(119894119899100119899119886119899119900119904119890119888119900119899119889119904) lt 119879f + 1(119894119899119904119890119888119900119899119889119904)(for Windows XP)

119879f(119894119899119904119890119888119900119899119889119904) le 119879bn + 1008119898(119894119899119898119894119888119903119900119904119890119888119900119899119889119904) lt 119879f + 1(119894119899119904119890119888119900119899119889119904)(for Ubuntu)Step 6 According to the Algorithms 1 and 2 attacker computes the candidate serial numberswith the seed of Tf (in seconds) and Tbn+100144m(in 100nanoseconds) or Tbn+1008m(in microseconds)Step 7 Attacker uses the candidate serial numbers Tf as ldquonot beforerdquo and 119879f + 119879v as ldquonot afterrdquoto generate forged certificates according to the Stevensrsquos method [3]Step 8 Attacker submits the application at the time 119879f minus 119879d and get the signature of the certificate

Algorithm 4 Guess the serial number

Figure 11 The valid time of certificates in NSS

Figure 12 The serial number of certificates in NSS

Figure 13 The valid time and the serial number of certificates inBotan

Figure 14 The definition of rng() in Botan

lowastbytesrdquo The parameter ldquondashsystemrdquo means using the RNGof operation systems such as dev(u)random in Linux-likesystems The parameter ldquondashrdrandrdquo means using the instruc-tion RDRAND from Intel x86 on-chip hardware randomnumber generator The parameters ldquondashautordquo and ldquondashentropyrdquouse the system RNG or else a default entropy source to inputseeds The parameter ldquondashdrbgrdquo uses a PRNG complied withNIST SP 800-90A whose seed is designated by ldquondashdrbg-seedrdquoThere are no known security vulnerabilities of thoseRNGs forpredicting their outputs so far

65 Fortify Fortify is an open source application supportedby the CA Security Council We reviewed the source codesof Fortify 1017 to find the way that the valid time and serialnumber of certificated are generated

Form Figure 15 the default value of ldquonot beforerdquo isset as ldquocurrent timerdquo The ldquoserial numberrdquo is generated bythe function ldquocryptogetRandomValuesrdquo which is from WebCrypto API and is a cryptographically strong RNG

Concluding the above analysis on OpenSSL EJBCACFSSL NSS Botan and Fortify we can compare the waygenerating valid time and serial number of certificates inTable 5

7 Conclusion

In the paper we found the vulnerability during OpenSSLrsquosgenerating the serial number of X509 certificates It ispossible to forge certificates based on the method presentedby Stevens Similarly EJBCA and NSS have the same vulner-ability among other 5 open source libraries

Although MD5 has been replaced by CAs now with thedevelopment of technology new attacks for current hashalgorithm adopted by CAs such as SHA-256 will probablyoccur in the future If the chosen-prefix collision of somehash algorithm occurs the threat will work again probablyIn that case attackers still need to predict the value of fields


Table 5 The comparison of 6 open source libraies

Programming Language Not Before Serial NumberIs random Is predictable

OpenSSL C current time radic radic

EJBCA Java current time - 10minutes radic radic

CFSSL go current time radic times

NSS C current time times radic

Botan C++ current time radic times

Fortify Typescript current time radic times

Figure 15 The valid time and the serial number of certificates inFortify

controlled by CAs in order to construct forged certificatesThus the randomness of the serial number is important forCAs too

Data Availability

The data used to support the findings of this study areincluded within the article

Conflicts of Interest

The author declares that they have no conflicts of interest

Acknowledgments

The project is supported by Key Research and DevelopmentPlan of Shandong Province China (NO2017CXGC0704)and Fundamental Research Fund of Shandong Academy ofSciences China (NO201812-16)

References

[1] X Wang X Lai D Feng H Chen and X Yu ldquoCollisions forhash functions md4 md5 HAVAL-128 and RIPEMDrdquo IACRCryptology ePrint Archive vol 199 2004

[2] X Wang and H Yu ldquoHow to break MD5 and other hashfunctionsrdquo inAdvances in Cryptology - EUROCRYPT 2005 24thAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques vol 3494 of Lecture Notes inComputer Science pp 19ndash35 Springer Berlin Germany 2005

[3] M Stevens A Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and colliding X509 certificates for differentidentitiesrdquo inAdvances in Cryptology - EUROCRYPT 2007 26thAnnual International Conference on theTheory and Applicationsof Cryptographic Techniques vol 4515 pp 1ndash22 Springer BerlinBarcelona Spain 2007

[4] M Stevens A Sotirov J Appelbaum et al ldquoShort chosen-prefix collisions for MD5 and the creation of a rogue CAcertificaterdquo in Advances in Cryptology - CRYPTO 2009 29thAnnual International Cryptology Conference vol 5677 pp 55ndash69 Santa Barbara CA USA 2009

[5] M Stevens A K Lenstra and B de Weger ldquoChosen-prefixcollisions for MD5 and applicationsrdquo International Journal ofApplied Cryptography vol 2 no 4 pp 322ndash359 2012

[6] J Appelbaum A Lenstra D Molnar et al ldquoShort chosen-prefix collisions for MD5 and the creation of a rogueCA certificaterdquo in Advances in Cryptology - CRYPTO 2009vol 5677 of Lecture Notes in Computer Science pp 55ndash69 Springer Berlin Heidelberg Berlin Heidelberg 2009httpwwwwintuenlhashclashrogue-ca

[7] Lab KasperskyThe Flame questions and answers 2012[8] M Fillinger andM Stevens ldquoReverse-engineering of the crypt-

analytic attack used in the flame super-malwarerdquo in Advancesin Cryptology - ASIACRYPT 2015 - 21st International Conferenceon the Theory and Application of Cryptology and InformationSecurity Part II vol 9453 pp 586ndash611 Springer HeidelbergAuckland New Zealand 2015

[9] Netcraft ldquo14 of SSL certificates signed using vulnerableMD5 algorithmrdquo httpsnewsnetcraftcomarchives2009010114 of ssl certificates signed using vulnerable md5 algorithmhtml

[10] F Strenzke ldquoAn analysis of opensslrsquos randomnumber generatorrdquoin Advances in Cryptology - EUROCRYPT 2016 - 35th AnnualInternational Conference on theTheory andApplications of Cryp-tographic Techniques pp 644ndash669 Springer Berlin Germany2016

[11] S H Kim D Han and D H Lee ldquoPredictability of androidopensslrsquos pseudo random number generatorrdquo in Proceedings of


the 2013 ACM SIGSAC Conference on Computer and Communi-cations Security CCSrsquo13 pp 659ndash668 Berlin Germany 2013

[12] F Dorre andV Klebanov ldquoPractical detection of entropy loss inpseudo-random number generatorsrdquo in Proceedings of the 2016ACM SIGSAC Conference on Computer and CommunicationsSecurity pp 678ndash689 Germany October 2016

[13] T Yoo J-S Kang and Y Yeom ldquoRecoverable random numbersin an internet of things operating systemrdquo Entropy vol 19 no3 p 113 2017

[14] S Yilek E Rescorla H Shacham B Enright and S SavageldquoWhen private keys are public results from the 2008 debianopenssl vulnerabilityrdquo in Proceedings of the 2009 9th ACMSIGCOMM Internet Measurement Conference IMC 2009 pp15ndash27 Chicago Illinois IL USA 2009

[15] S H Kim D Han and D H Lee ldquoPractical effect of thepredictability of android openSSL PRNGrdquo IEICE Transactionson Fundamentals of Electronics Communications and ComputerSciences vol E98A no 8 pp 1806ndash1813 2015

[16] M Stevens ldquohashclash projectrdquo httpsgithubcomcr-marc-stevenshashclash

[17] M Stevens P Karpman and T Peyrin ldquoFreestart collision forfull SHA-1rdquo in Advances in Cryptology ndash EUROCRYPT MFischlin and J S Coron Eds vol 9665 pp 459ndash483 SpringerBerlin Berlin Heidelberg 2016

[18] OpenSSL httpswwwopensslorg[19] OpenCA httpswwwopencaorgprojectsopenca[20] CVE-2005-2946 httpcvemitreorgcgi-bincvenamecgi[21] EJBCA httpswwwejbcaorg[22] CFSSL httpsgithubcomcloudflarecfssl[23] nss httpsdevelopermozillaorgen-USdocsMozillaProjects

NSS[24] botan httpsgithubcomrandombitbotan[25] Fortify httpsgithubcomPeculiarVenturesfortify

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


chosen-prefix collision of other hash algorithms does notoccur at present the other is to add a sufficient amount offresh randomness at the appropriate fields (such as serialnumber) in order to prevent attackers frompredicting ifMD5cannot be replaced at once [5] In the wild however manyvalid certificates still use MD5 [9] In addition we grabbed180000+ certificates from Internet while 5000+ certificatesare based on MD5 in other words 28 certificates

In this paper we will focus on whether the randomnessof some fields in certificates is enough to prevent attackersfrom predicting Since the detailed codes of business CAsare not public we review the way of generating certificatesby open source software OpenSSL to find how to predictthe values of some fields in certificates OpenSSL uses apseudo random number generator (PRNG) to output ran-dom numbers Some literatures related to the security of thePRNGhave been proposed [10ndash15]The security of OpenSSLrsquosPRNG in Android and Debian has been reported in [1014] A theory analysis of OpenSSLrsquos PRNG was presented in[10] However it is not clear how the PRNG works in theprocedure of generating X509 certificates Furthermore wealso investigated generating certificates in other open sourcelibraries like EJBCA CFSSL NSS Botan and Fortify

In this paper we have three contributions as follows

(1) We find a vulnerability of OpenSSL that the field ldquonotbeforerdquo in certificates leaks the time of generatingcertificates which is the seed of generating the fieldldquoserial numberrdquo so that it is possible to predict thevalue of ldquoserial numberrdquo

(2) We give the predicting method for the field ldquoserialnumberrdquo and forge certificates based on the proposedmethod and Stevensrsquos method

(3) We investigate five other open source libraries andfind similar vulnerability in two libraries EJBCA andNSS

The paper is organized as follows In Section 2 somepreliminaries are introduced and the problems solved by thepaper are defined Section 3 reviews the source codes ofOpenSSL about generating X509 certificates Then Section 4proposes a method predicting the key fields of certificatesSome countermeasures are given in Section 5 and Section 6investigates other open source libraries Finally Section 7concludes the paper

2 Preliminaries

In X509 certificates the signature of CA is the mostimportant part to prevent from forging Any modificationof contents in certificates would make the change of CArsquossignature in other words the change of Hash value If auser Arsquos certificate has existed we cannot forge the certificatedirectly because it needs to construct the second preim-age of hash value of the certificate However we can useother user Brsquos identity to apply a certificate for CA andgenerate a chosen-prefix collision pair which can forge Arsquoscertificate

Table 1 The overview of collision complexities

MD5identical-prefix chosen-prefix216 (2009 [4]) 239 (2009 [4])

SHA-1identical-prefix chosen-prefix263 (2017 [17]) 277 (2012 [5])

21 Chosen-Prefix Collision Attack of MD5 According tothe chosen-prefix collision the prefixes p and p1015840 of twomessage blocks are chosen Then the collision pair s ands1015840 is generated so that 1198721198635(119901119904119889) = 1198721198635(11990110158401199041015840119889) issatisfied for any arbitrary suffix d The two prefixes p andp1015840 must be of equal length and their length is a multiple ofthe MD5 message block size Otherwise padding messagemust be added The computing complexity of the attack is119874(239) [4 5] and a program was presented by Stevens [16]For attackers the method can be applied to forge certificatessuccessfully

Before that identical-prefix collision had been studiedwhich is easier to be constructed than chosen-prefix collisionAlthough identical-prefix collision can be used to forgecertificates the kind of forgery is meaningless in practicalattacks because the userrsquos identity is in the prefix and cannotbe changed

The overview of collision complexities is in Table 1 Wecan see the chosen-prefix collision of MD5 is feasible incomputing while the chosen-prefix collision of SHA-1 isunfeasible so far But in the near future a real case of chosen-prefix collision of SHA-1 may be found when the attack willbe feasible

22 X509Certificates To forge a certificate we need to knowwhich part of certificate is as the prefix and which part ofcertificate the collision pair is placed on The data structureof X509 certificate is in Table 2

According to the chosen-prefix collision attack the gen-erating collision pair is like random number while only thefield ldquosubject public key infordquo is the analogy with randomnumberThus the collision pair constructed by chosen-prefixcollision attack is placed in the field ldquosubject public key infordquo(Table 2) and the fields from ldquoversion numberrdquo to ldquopublickey algorithmrdquo of the certificate are as prefix chosen Thenan attacker must know the CA will chose which value to fillthe fields in advance because before requiring the certificatefor the CA heshe must construct a collision pair and thensubmit the generated ldquopublic key infordquo Among these fieldsthe values of ldquoserial numberrdquo and ldquonot valid beforerdquo need tobe forecast because they are controlled by CAs while othersare easy to obtain

23 The Procedure of Forging a Certificate To forge Arsquoscertificate we need to generate a chosen-prefix collision pairto construct two certificates one of which is in the name of Aand the other is in the name of BThen we submit Brsquos identity



























Start

choose atarget CA







success

N

Y






0 s p q




end for1198981198890= 1198781198671198601(119898119889i||1198981198890)

return md0 s p q









0of







else


else






















Windows 7 1ms 119874(103)

Ubuntu 1404 1ms 119874(103)






5 Countermeasure






6 Other Libraries




































7 Conclusion














Data Availability




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




























Start

choose atarget CA







success

N

Y






0 s p q




end for1198981198890= 1198781198671198601(119898119889i||1198981198890)

return md0 s p q









0of







else


else






















Windows 7 1ms 119874(103)

Ubuntu 1404 1ms 119874(103)






5 Countermeasure






6 Other Libraries




































7 Conclusion














Data Availability




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia









0of







else


else






















Windows 7 1ms 119874(103)

Ubuntu 1404 1ms 119874(103)






5 Countermeasure






6 Other Libraries




































7 Conclusion














Data Availability




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia














Windows 7 1ms 119874(103)

Ubuntu 1404 1ms 119874(103)






5 Countermeasure






6 Other Libraries




































7 Conclusion














Data Availability




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia































7 Conclusion














Data Availability




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia













Data Availability




Acknowledgments


References
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia














RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


The Prediction of Serial Number in OpenSSL’s X.509 Certificate

Documents

Transcript of The Prediction of Serial Number in OpenSSL’s X.509 Certificate