Why Flame md5 collision was necessary

Posted September 6, 2017

I read Countdown to Zero Day (and really enjoyed it!) but I still didn’t have a firm grasp on why the NSA needed to forge their own certificate when they already had a valid code-signing certificate from Microsoft. This Crypto StackExchange page and this TrailOfBits slide deck were the most helpful resources for me to finally understand why.

  • They got their hands on a signed Windows certificate that could sign code. The problem was that it could only sign code for Windows XP: it carried an extension that blocked it from signing Vista or Windows 7 code. That is why they needed to make a forged certificate, one that reused the signature stolen from the legitimate cert but had the extension disabled, so that it could sign code for Windows 7.
  • The only part they copied verbatim from the legitimate cert was the MD5 signature and some bits before it (including the extension they wanted to disable). The rest was their own: they put their own RSA signing key into their certificate, and they modified a block after the key that made Windows ignore the extension they needed to disable. The trick was predicting the serial number and the validity period. They had a 1-second window for predicting the validity period and a 1-ms window for predicting the serial number.

This slide from the second link, a TrailOfBits slide deck, is what helped me the most:

The whole slide deck is worth reading through. I admit I am too much of a novice to understand the importance of near-collision blocks and birthday bits.
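Why a signature lifted from one certificate verifies another at all, as an added illustration that is not from this post or the sources it cites: the birthday search below runs against a constructed 24-bit Merkle-Damgård toy hash rather than MD5 (whose 128-bit state puts a plain birthday search far out of reach; Flame needed a purpose-built chosen-prefix attack), and a keyed MAC over the digest stands in for the CA's RSA signature. The CA key and all certificate strings are constructed samples, and the toy omits the message-length padding that real MD5 appends, which is why real colliding messages must also be equal in length.

```python
import hashlib
import hmac

BLOCK, STATE = 8, 3  # toy block size and a 24-bit chaining state (MD5 chains 128 bits)

def compress(state: bytes, block: bytes) -> bytes:
    # Toy compression function: truncated SHA-256 of (state || block); only the
    # Merkle-Damgard chaining structure matters for this demonstration.
    return hashlib.sha256(state + block).digest()[:STATE]
def pad(msg: bytes) -> bytes:
    return msg + b"\x00" * (-len(msg) % BLOCK)
def toy_hash(msg: bytes) -> bytes:
    state, msg = b"\x00" * STATE, pad(msg)
    for i in range(0, len(msg), BLOCK):
        state = compress(state, msg[i:i + BLOCK])
    return state

def chosen_prefix_collision(p1: bytes, p2: bytes, budget: int = 1 << 20):
    # Birthday search for collision blocks b1, b2 giving equal chaining state after
    # p1||b1 and p2||b2. Everything appended later is then hashed identically,
    # so one digest (and one CA signature over it) covers both messages.
    s1, s2 = toy_hash(p1), toy_hash(p2)
    table = {}
    for i in range(1 << 12):                     # sqrt(2^24) candidates on one side
        b1 = i.to_bytes(BLOCK, "big")
        table[compress(s1, b1)] = b1
    for j in range(budget):                      # expected ~2^12 tries to hit the table
        b2 = j.to_bytes(BLOCK, "big")
        hit = table.get(compress(s2, b2))
        if hit is not None:
            return pad(p1) + hit, pad(p2) + b2
    raise RuntimeError("no collision found within budget")

def ca_sign(ca_key: bytes, cert: bytes) -> bytes:
    # A CA signs the digest, not the bytes; a keyed MAC stands in for the RSA signature.
    return hmac.new(ca_key, toy_hash(cert), "sha256").digest()
def ca_verify(ca_key: bytes, cert: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(ca_sign(ca_key, cert), sig)

def demo_signature_transfer():
    ca_key = b"constructed CA key"                                                # constructed
    legit_prefix = b"legit cert: licensing key, extension forbids code signing"   # constructed
    forged_prefix = b"forged cert: attacker's own RSA key, extension disabled"    # constructed
    tail = b"identical remaining certificate fields"                              # constructed
    legit, forged = chosen_prefix_collision(legit_prefix, forged_prefix)
    sig = ca_sign(ca_key, legit + tail)                   # the only thing the CA ever signed
    genuine = ca_verify(ca_key, legit + tail, sig)        # True: the genuine cert verifies
    transferred = ca_verify(ca_key, forged + tail, sig)   # True: the copied signature is accepted
    sha256_same = hashlib.sha256(legit + tail).digest() == hashlib.sha256(forged + tail).digest()
    return genuine, transferred, legit != forged, sha256_same   # (True, True, True, False)
```

The last value is the mitigation in one line: under a collision-resistant hash the two certificates no longer share a digest, so the stolen signature stops verifying the forgery.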


David Eargle is an Assistant Professor at the University of Colorado Boulder in the Leeds School of Business. He earned his Ph.D. degree in Information Systems from the University of Pittsburgh. His research interests include human-computer interaction and information security. He has coauthored several articles in these areas using neurophysiological and other methodologies in outlets such as the Journal of the Association for Information Systems, the European Journal of Information Systems, the International Conference on Information Systems, and the Hawaii International Conference on System Sciences, along with the Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI).
