000027358 - Does RCM have any vulnerabilites by using MD5 for referencing objects in the administration console?

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000027358
Applies ToRSA Certificate Manager 6.8
RSA Certificate Manager (RCM)
Message-Digest Algorithm (MD5)
IssueDoes RCM have any vulnerabilites by using MD5 for referencing objects in the administration console?
All certificates used in RCM use the MD5 number for reference
Web sites regarding MD5 vulnerability:

http://www.win.tue.nl/hashclash/rogue-ca/

http://www.rsa.com/blog/blog_entry.aspx?id=1411

http://broadcast.oreilly.com/2008/12/the-sky-is-not-falling-on-toda.html
ResolutionUsing the MD5 hash as a reference number for the certificates created will not cause any vunerability due to weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash known as an MD5 "collision".

Since RCM only uses the MD5 hash as a reference number for the nameing of object in the database, there is no trust chain to exploit as shown with the recent MD5 vunerability.

For information on the MD5 vunerability with Root CAs, see solution What algorithm does RCM used to sign the certificates? .
Legacy Article IDa44051

Attachments

    Outcomes