Why the Flame MD5 collision was necessary

Posted September 6, 2017

I read Countdown to Zero Day (and really enjoyed it!), but I still didn’t have a firm grasp on why the NSA needed to forge their own certificate when they already had a valid code-signing certificate from Microsoft. This crypto stackexchange page and this TrailOfBits slide deck were the most helpful resources for me in finally understanding why.

  • They got their hands on a Microsoft-signed certificate (issued by the Terminal Server licensing service) that chained to a Microsoft root and was accepted for code signing. The problem was that it only worked on Windows XP: it carried a critical extension that XP's verifier ignored but that Vista and Windows 7 reject as an unknown critical extension, so the certificate could not sign code for those platforms. That is why they needed a forged certificate: one that reuses the signature from the legitimate cert but no longer exposes that extension, so that it could sign code for Windows 7.
  • The only bytes they copied verbatim from the legitimate cert were the RSA-over-MD5 signature and the tail of the to-be-signed data that precedes it (which includes the extension they wanted to neutralize). Everything else was their own: they put their own RSA public key into the forged certificate, and in the field following the key they placed the chosen-prefix collision blocks together with that copied tail, sized so that Windows parses the critical extension as opaque filler rather than as an extension. Because MD5 is a Merkle-Damgard hash, once the two certificates' internal hash states agree at the end of the collision blocks, the identical tail keeps both digests identical, and the CA's signature over the legitimate cert verifies over the forged one as well. The hard part was the fields that sit before the key in the certificate the licensing server was about to issue, namely the serial number and the validity period: they form part of the prefix, so both had to be fixed before the collision could be computed, which meant predicting when the cert would be issued. They had a one-second window for predicting the validity period and a one-millisecond window for predicting the serial number.
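The mechanism in the two points above, modelled end to end as an added example (this is not code from the original post or from the slide deck it cites). Everything in it is invented for illustration: a Merkle-Damgard hash whose chaining value is shrunk to 24 bits so that a chosen-prefix collision can be found by birthday search in a fraction of a second, a textbook-RSA "CA" with toy primes, and a made-up certificate layout with a fixed header followed by tag/length/value fields. The tags, field sizes, key bytes, serial numbers and dates are all constructed.

```python
"""Toy model of the Flame chosen-prefix collision (added example, not the post's
or the slide deck's code). Everything is invented for illustration: a Merkle-Damgard
hash with a 24-bit chaining value, a textbook-RSA CA, and a made-up cert layout."""
import hashlib
import struct

BLOCK, STATE = 8, 3          # block size; 24-bit chaining value (~2^12 birthday work)
IV = b"\x00" * STATE

def compress(state, block):
    """Toy compression function: MD5(state || block) truncated to STATE bytes."""
    return hashlib.md5(state + block).digest()[:STATE]

def absorb(state, data):
    """Feed block-aligned data through the compression function (no padding)."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_hash(msg):
    """Merkle-Damgard finalisation: 0x80, zero fill, 4-byte bit length, absorb."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 4) % BLOCK)
    return absorb(IV, padded + struct.pack(">I", 8 * len(msg)))

def chosen_prefix_collision(p1, p2, work=1 << 14):
    """Birthday search for 8-byte blocks c1, c2 with absorb(IV, p1+c1) == absorb(IV, p2+c2).
    Prefixes must be block-aligned and equal in length: the length goes into the padding."""
    assert len(p1) == len(p2) and len(p1) % BLOCK == 0
    s1, s2 = absorb(IV, p1), absorb(IV, p2)
    table = {}
    for i in range(work):                      # tabulate candidates behind p1
        c1 = struct.pack(">Q", i)
        table.setdefault(compress(s1, c1), c1)
    j = 0
    while True:                                # walk candidates behind p2 until one hits
        c2 = struct.pack(">Q", j)
        if (st := compress(s2, c2)) in table:
            return table[st], c2
        j += 1

# Invented certificate layout: 29-byte fixed header, then 1-byte tag / 2-byte length / value.
TAG_KEY, TAG_OPAQUE, TAG_CRITICAL_EXT = 1, 2, 3

def header(serial, not_before, not_after, subject):
    return struct.pack(">QII13s", serial, not_before, not_after, subject)

def tlv(tag, value):
    return struct.pack(">BH", tag, len(value)) + value

def has_critical_ext(tbs):
    """Walk the TLV fields after the header; True if a critical extension is visible."""
    pos = 29
    while pos < len(tbs):
        tag, length = struct.unpack_from(">BH", tbs, pos)
        if tag == TAG_CRITICAL_EXT:
            return True
        pos += 3 + length                      # OPAQUE contents are skipped, never parsed
    return False

# Textbook RSA (no padding) with toy primes; N just exceeds 2^24 so a 3-byte digest fits.
P, Q, E = 4099, 4111, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def ca_sign(tbs):
    return pow(int.from_bytes(toy_hash(tbs), "big"), D, N)

def verify(tbs, sig, platform):
    """Signature must check; 'win7' also rejects an unknown critical extension, 'xp' ignores it."""
    if pow(sig, E, N) != int.from_bytes(toy_hash(tbs), "big"):
        return False
    return not (platform == "win7" and has_critical_ext(tbs))

def flame_demo():
    # Serial and validity precede the key, so the attacker has to predict the values
    # the CA will use: they are baked into the chosen prefix p1 before c1 can be found.
    predicted = header(0x5A17, 1_600_000_000, 1_631_536_000, b"licensee")
    p1 = predicted + struct.pack(">BH", TAG_KEY, 16) + b"\xc0\xff\xee\x00\x11\x22\x33\x44"
    tail = tlv(TAG_CRITICAL_EXT, b"hydra")         # suffix S, copied verbatim into both certs
    # Rogue prefix p2: own key, then an OPAQUE field sized to swallow c2 and the whole tail.
    p2 = (header(0x7E5, 1_600_000_000, 1_662_000_000, b"Microsoft")
          + tlv(TAG_KEY, b"\x01\x02\x03\x04\x05")
          + struct.pack(">BH", TAG_OPAQUE, BLOCK + len(tail)))
    c1, c2 = chosen_prefix_collision(p1, p2)
    legit_tbs = p1 + c1 + tail                      # what the CA signs; c1 lives in the "modulus"
    rogue_tbs = p2 + c2 + tail                      # same tail, now inside OPAQUE
    sig = ca_sign(legit_tbs)
    # Prediction off by one serial: c1 no longer follows the real prefix, signature is useless.
    missed_sig = ca_sign(header(0x5A18, 1_600_000_000, 1_631_536_000, b"licensee") + legit_tbs[29:])
    return {
        "same_digest": toy_hash(legit_tbs) == toy_hash(rogue_tbs),
        "legit_xp": verify(legit_tbs, sig, "xp"),
        "legit_win7": verify(legit_tbs, sig, "win7"),
        "rogue_xp": verify(rogue_tbs, sig, "xp"),
        "rogue_win7": verify(rogue_tbs, sig, "win7"),
        "rogue_sees_critical": has_critical_ext(rogue_tbs),
        "rogue_after_missed_prediction": verify(rogue_tbs, missed_sig, "win7"),
    }

if __name__ == "__main__":
    print(flame_demo())
```

Running `flame_demo()` shows the whole story in one dictionary: the legitimate cert verifies on "xp" but not on "win7" because of the critical extension; the rogue cert, carrying a different key and a signature it never earned, verifies on both, and its parser never sees a critical extension because the copied tail sits inside the OPAQUE field; and a serial-number prediction that is off by one leaves the rogue cert unverifiable, which is why the one-second and one-millisecond windows mattered. The only thing the toy cheats on is the collision itself: with a 24-bit state, a plain birthday search finds it outright, whereas against real MD5's 128-bit state the birthday phase can only bring the two internal states close and a sequence of near-collision blocks has to cancel the remaining difference, which is what the slide deck's "birthday bits" and "near-collision blocks" refer to.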

This slide from the second link, a TrailOfBits slide deck, is what helped me the most:

The whole slide deck is worth a read-over. I admit I’m too much of a novice to understand the importance of near-collision blocks and birthday bits.

Tags: security

Dave Eargle is a Senior Consultant in Cybersecurity Assessment at Carve Systems. More about the author →
