The clock is running on Windows administrators to sweep out MD5 implementations before a February 2014 patch from Microsoft slams the door shut on the broken, aged crypto algorithm.
Microsoft released a pair of advisories yesterday in addition to its regular Patch Tuesday security updates alerting users to the fact it would in six months restrict the use of digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program. Admins should use the leeway to find any systems or applications relying on MD5 and determine whether the patch will break anything and otherwise impact their environments.
The second advisory announced the optional availability of network level authentication (NLA) as an authentication method that can be used during Remote Desktop Protocol sessions. NLA adds a layer of security to RDP sessions by requiring that the user be authenticated to the host server before creation of a session.
“Microsoft seems to be going after less secure encryption techniques, and that’s a good thing for Microsoft to start eliminating them from the landscape, especially MD5,” said Lamar Bailey, director of security research and development at Tripwire. “I also like the way they are releasing them as optional right now. [The MD5 patch] will be pushed out live in February, so this gives customers a chance to determine if it’s going to break anything.”
When the patch is pushed universally in February, MD5 hashes will no longer be accepted among Microsoft root certificates. The change applies only to certificates used for server authentication, code signing and time stamping, Microsoft said, adding that it would not block other uses of MD5, and that it would allow for signed binaries that were signed before March 2009.
Customers need to determine, in the meantime, which services are still using MD5 crypto and switch to a stronger algorithm such as the SHA2 family. Weaknesses in MD5 were identified as early as the mid-1990s and research demonstrating collisions was presented in 2004 and 2005. In 2008, practical collision attacks including one where an attacker could spoof a trusted root certificate authority were also demonstrated, leading CERT late in that year to release vulnerability note that sounded the death knell for MD5.
Yet, vulnerability scanners and penetration testers continue to find MD5 inside organizations today and flag them for weak cryptography. The problem is that is that in order for users to change crypto on their servers, they have to manually edit the registry, which can be a chore.
“I’m all for changing it; it should be gone and we see it in customer sites all the time,” Bailey said. “But we have to make it easier to change it. It’s like if you get a recall notice from a car manufacturer that says ‘If you have this spark plug, bring your car in for servicing.’ I don’t know what spark plugs my car is running. I have to dive under the cover to figure out if I have what they’re saying is bad.”
Experts say most production servers and webservers hosting production websites are likely not running MD5; it’s second-tier development servers, for example, that were spun up years ago and still store sensitive data that are the outlying issue here—and a tempting target for a hacker. With MD5 broken for so long, enough attacks have been made public and enough advances have been made in processor speeds that cracking MD5 crypto isn’t likely that much of a barrier for an attacker.
Ross Barrett, senior manager of security engineering with Rapid7, said that attackers can use stolen certificates to redirect traffic or inject malware.
“It’s a bit of a heavy-handed attack to just steal credit cards, but if you have a national security program and you’re sweeping for anyone you can get at, this might justify the cost and effort behind this type of attack,” Barrett said. “Any crypto [attack] relies on the complexity of generating the hash versus the difficulty of creating a collision. This can be facilitated as we get more powerful computers and the technology gets stronger to do so. Plus you have a black market industry building computers suited for doing lots of math, like cracking hashes and generating collisions.”
Tripwire’s Bailey, for example, estimates that 30 percent of the customers he deals with are still running MD5 somewhere in their environments.
“We see it with a lot of homegrown systems and apps where the team that worked on it built it years ago and may not be there anymore. They built a custom app running MD5 crypto and said that was good enough because they were internal. Well it’s not.”
This isn’t Microsoft’s first move against weak cryptographic schemes. Last October, it released a mechanism organizations could use to find RSA certificate key lengths shorter than 1024. In June, anything shorter was considered untrusted and was revoked. Microsoft, in fact, urged customers to move to 2048-bit or higher keys.
“The test will be for the end user that this is coming and it’s time to get rid of it in the environment,” Bailey said. “And Microsoft is testing too whether any of its customers push back and need more time. If February rolls around and it’s not a mandatory update, that’s probably what happened. I don’t remember Microsoft giving customers such a long runway on this kind of change. They must think [MD5] is out there more than we do to give customers that long of a runway of time.”