CCC MD5 collision demo

The Computer Chaos Convention has spawned an example of how MD5 collisions can be used to create a rogue CA cert that has the same MD5 as a valid CA cert.
The example is interesting but only affects CA certs that rely on the MD5 checksumming algorithm for the digital signature. These are in the minority and, as of 2008, include these CAs:

RSA Data Security

MD5 has been known to be weak for many years, but this is a good exemplification. However, the method that the team used for finding the collision has not been made public yet. There has already been a lot of work leading up to this, such as the hashclash project and previous work by Xiaoyun Wang.

The obvious implication for Oracle is that application passwords should not use MD5, especially since parallel computing using GPU and CPU combined makes collision calculation a much easier task, as demonstrated by CUDA. This has been known for a while, but since there are still application passwords using MD5, repetition is required.

The real answer is SHA2 (256 etc.) and, in the future, SHA3.

Given that Oracle does not yet support any of the SHA2 algorithms, and SHA1 via DBMS_CRYPTO has been shown to have similar problems, security-conscious Oracle folks will have to use both MD5 and SHA1 together in order to gain secure integrity checking. See this post from a while back for more detail.

As a piece of trivia, did you know that the CCC was initiated by folks sitting at the same table at which Kommune 1 was also formed? The same Kommune 1 that Hendrix visited in the late sixties. Apparently this table has gone missing. I am not sure what it was made of, in case you see it; maybe oak or a similar material. It will probably turn up somewhere. Anyhow, I can recommend the CCC paper's description of CA concepts, so enjoy the read and have a Happy New Year.

