
Ever wanted to be an Intermediate Certificate Authority?

Speaking at the 25th annual Chaos Communication Conference (25C3) early last week, security researchers demonstrated the first known application of a years-old theoretical attack against the MD5 hashing algorithm used by companies like Verisign and Thawte to issue SSL certificates.

SSL certificates use hashes generated by a variety of algorithms, including MD5, to verify their issuer’s identity. The hash is an important feature of public-key cryptography, which SSL is based upon, as it is essential to protecting the secret private key that CAs use to sign SSL certificates.

By exploiting a weakness specific to hashes generated with the MD5 algorithm – namely, that they are prone to “collisions”, or multiple inputs producing the same output – an attacker could derive a working private key from a single, regular SSL certificate, and then use that key to sign future SSL certificates with the original CA’s signature.

Security experts have known about the possibility of MD5 collisions since at least 2004. Until now, however, the vulnerability was dismissed as a theoretical possibility due to the amount of CPU time needed to attack a single hash for collisions. The 25C3 presenters claim they were able to run the attack in only four weekends, using a network of 200 PlayStation 3 game consoles at a cost of $657.

For about $2,000, said the presenters, an attacker could pull off a similar attack using Amazon’s cloud-computing EC2 service, and the attack would take about a day.

A successful attack would allow attackers to appoint themselves as an Intermediate Certificate Authority, and then generate trusted certificates without having to contact a real CA. The spoofed certificates could then be used to add the appearance of legitimacy to a phishing site designed to steal bank account passwords, for example.

While many CAs have moved on to the more secure SHA-1 or SHA-2 algorithms, a handful of issuers have not. Of the brands still using MD5, the researchers found approximately 97% of those certificates to be signed by Verisign-owned low-cost CA RapidSSL. Other companies using MD5 include FreeSSL, Thawte, and

Verisign announced that it will replace RapidSSL customers’ certificates free of charge.

“This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites,” said security researcher Alexander Sotirov, who worked with others from the U.S., the Netherlands, and Switzerland.

Sotirov’s website includes a detailed explanation of the attack, as well as samples of a real certificate and the rogue signing certificate derived from it.

Extended-Validation SSL certificates are immune to the attack because they are forbidden from using MD5.

Microsoft reportedly downplayed the threat, noting that the researchers withheld important information that renders the attack “not repeatable”.

A blog post from Verisign’s Tim Callahan says his company applauds the team’s research, noting that their work was so secret that not even Verisign had access to the information before the 25C3 presentation.

Customers holding an MD5-signed SSL certificate will need to contact their CA to acquire and install a new certificate on their servers.
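A defender-side check for the advice above, added here as an example (it is not code from the article or from the researchers): a minimal DER walker, standard library only, that reads a certificate's signatureAlgorithm OID and flags md5WithRSAEncryption, and also reports the serial number's bit length, since a short sequential serial is what makes a certificate's to-be-signed contents predictable. The MIN_SERIAL_BITS threshold, the synthetic certificate skeleton and its sample values are assumptions constructed for the demo, not real certificates.

```python
MD5_RSA_OID = "1.2.840.113549.1.1.4"        # md5WithRSAEncryption
MIN_SERIAL_BITS = 64   # assumed threshold below which a serial looks sequential

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """OBJECT IDENTIFIER contents -> dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def audit_certificate(der):
    """Walk Certificate -> serialNumber (in tbsCertificate) and signatureAlgorithm."""
    _, cert, _ = read_tlv(der)
    (_, tbs), (_, sig_alg), _ = children(cert)[:3]
    fields = children(tbs)
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    oid = decode_oid(children(sig_alg)[0][1])
    return {"signature_oid": oid, "md5_signed": oid == MD5_RSA_OID,
            "serial_bits": serial.bit_length(),
            "short_serial": serial.bit_length() < MIN_SERIAL_BITS}

def _tlv(tag, body):
    """DER-encode a TLV with a short-form length; used only to build the samples."""
    return bytes([tag, len(body)]) + body

def synthetic_cert(sig_oid_der, serial):
    """Constructed skeleton with the real Certificate layout; NOT a valid cert."""
    alg = _tlv(0x30, _tlv(0x06, sig_oid_der) + _tlv(0x05, b""))
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive INTEGER
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, ser) + alg)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xAA" * 4))

MD5_RSA_DER = bytes.fromhex("2a864886f70d010104")      # OID 1.2.840.113549.1.1.4
SHA256_RSA_DER = bytes.fromhex("2a864886f70d01010b")   # OID 1.2.840.113549.1.1.11
```

Run `audit_certificate(synthetic_cert(MD5_RSA_DER, 42))` to see an MD5-signed, sequential-serial skeleton flagged on both counts; for a real certificate, pass the DER bytes of the file instead.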

Comments

Just some numbers
By cbmeeks on 1/5/2009 8:00:00 AM , Rating: 1
OK, I bought a new PS3 (40gig) for $399. 200 x $399 = $79,800. Assuming he meant $657,000 like some of you think the op meant, then that would mean $657k / $399 = 1,646 PS3's. Assuming we are talking about the low-end PS3 because for something like this you need CPU more than hard drive (as in, no need for an 80 gig PS3, etc). So where does $657 or $657,000 come into play? Can you really rent 200 PS3's over a weekend? Seems like you would spend two weeks going around to video stores and explaining why you want to rent all of their PS3's.

As far as EC2, I would use the extra-high CPU instance @ $0.80/hour.

So for $2k / 24 hours (day) = 104 instances at 20 virtual compute units would give about 2083 compute units for one day for $2000. Not too bad.

On the other hand, $2k / 24 hours for the small instance (1 compute unit) would give you 833 instances with 833 compute units. So the extra-large instance would be the way to go. For that "$657", you could get 34 extra large instances and have 684 compute units for a day.

RE: Just some numbers
By abscoder on 1/5/2009 11:13:37 AM , Rating: 3
My initial thought was maybe they leased time on someones cluster or on an existing distributed network. <shrug>

RE: Just some numbers
By PrinceGaz on 1/5/2009 2:53:24 PM , Rating: 2
I doubt anyone interested in using this technique to produce a fake certificate would have to pay for the computing power needed as they probably have access to a botnet large enough to complete the task very quickly indeed.

Old News?
By Quiescent on 1/4/2009 10:21:04 PM , Rating: 3
Anyone ever thought of this as old news? Not that this article isn't new, but that MD5 has never been secure? And neither has anything else. I dunno, it may just be me. But, even my illiteracy in this subject hasn't stopped me from knowing that these things are very insecure and very exploitable. :/

RE: Old News?
By Rockjock51 on 1/4/2009 11:28:55 PM , Rating: 2
It is kind of old. Engadget talked about this 6 days ago.

Not MD5 is real problem actually
By void5 on 1/5/2009 8:53:25 AM , Rating: 5
There are a lot of errors in this article. Its author definitely does not understand the problem (even if he bothered to read the original paper).

1) ALL hash functions are "prone to collisions" BY DEFINITION. The problem is how hard it is to find one. "Good" hash functions with N bits of hash value are only "crackable" by brute force, that means 2^N operations for "find preimage for a particular hash" and 2^(N/2) for "find two different preimages with same hash" ("birthday attack"). And even "simply" finding collisions will not allow you to "crack" anything.

2) "By exploiting a weakness specific to hashes generated with the MD5 algorithm - namely, that they are prone to "collisions", or multiple inputs producing the same output - an attacker could derive a working private key from a single, regular SSL certificate" is UTTER BULLSHIT. This attack has NOTHING to do with private keys. It will not allow you to determine private key to any existing certificate.

3) Despite all the hype, the main problem behind this attack is NOT MD5. According to the researchers, their version of the attack needs over 2^51 operations (which is a very good result considering even a simple "birthday attack" for an "ideal" 128-bit hash should need at least 2^64). However, simply using randomized serial numbers for certificates makes ANY type of "birthday attack" unfeasible, leading to about 2^128 operations EVEN for "insecure" MD5 (yes, it probably will be a little lower than 128, but that is not the point). While moving to SHA-1 without fixing serial numbers will get us at most 2^80. Isn't it obvious where the real problem is? As usual, it is not the algorithm, it is its not-very-thought-out usage by some CAs.

Obviously, there is no need for existing MD5-signed certificate owners to hurry for new certificates (and this is even explicitly noted in original paper).

Let's not even talk about how "securely" trusted root certificates are installed and used in modern browsers and OSes...

Nothing is unhackable...
By Motoman on 1/5/2009 11:26:22 AM , Rating: 3
...pending possibly true quantum computing, and my vote isn't cast for that one yet anyway.

It's not technically possible for anyone to say any code, cipher, encryption, etc. is unhackable. Anything can be hacked granted sufficient time and enough monkeys banging on typewriters. DRM being another blindingly obvious example.

In the case of encryption, it's really just going to be a perpetual cat-and-mouse game (pending wonders of physics via entangled pairs or something else in true quantum computing). Encryptors are just going to keep having to increase the size/complexity of their stuff to keep the "hack" time to levels that aren't reasonable with current technology. MD5 is just now hackable with current technology within a reasonable time frame - they need to punt it back out over the horizon where it would take a few years to hack it again.

By foolsgambit11 on 1/5/2009 7:15:43 PM , Rating: 2
The key to useful encryption (using current-style methodology) is in the ratio between the time needed to encrypt/decrypt using the encryption method versus the time needed to exploit the method.

Unfortunately for cryptography, thanks to distributed computing models, the cost/flop (and the availability of large computing systems) has gone way down. But the ability to handle the regular encrypt/decrypt for the encryption method still needs to be contained on a single system, for obvious security reasons. This means that the overhead of the encryption systems will have to get inconveniently large to overcome current cracking techniques. Additionally, distributed computing will probably grow in the future, further narrowing the gap between (en/de)crypt and cracking.

So people conducting sensitive business on computer networks will probably have to get used to slower and slower activity thanks to crypto workload growing faster than computing capability.

Another possible technique - instead of increasing the length of the encryption key, you can change keys more often. You run up against some dangers with key distribution and verification that way, though.

another use...
By swizeus on 1/5/2009 3:15:12 AM , Rating: 2
Well, at least it reveals one of the uses of Cloud Computing... You have hundreds and thousands of dollars worth of servers at your service to generate those collisions.

200 PS3's cost how much
By yxalitis on 1/4/09, Rating: -1
RE: 200 PS3's cost how much
By yknott on 1/4/2009 6:13:37 PM , Rating: 5
Maybe you don't understand the implications of this. For about $2000, hackers can generate their own root certificate that mimics a valid certificate authority. This means that they can create their own SSL valid certificates that won't throw an error in a browser. You only need one guy to get this certificate, and then he can sell valid certs to anyone and everyone. The end user can't tell it's a fake certificate.

How do you use this? You create a man in the middle attack between a server such as and your target. Then you can sniff any of the traffic (passwords, cc numbers etc) that was previously more difficult to crack.

RE: 200 PS3's cost how much
By kamel5547 on 1/4/09, Rating: -1
RE: 200 PS3's cost how much
By HaZaRd2K6 on 1/4/09, Rating: 0
RE: 200 PS3's cost how much
By Solandri on 1/4/2009 9:11:25 PM , Rating: 4
I thought the $657 referred to the cost of "renting" 4 weekends worth of processing time on 200 PS3's? It's not like doing the calculations destroys the PS3's in the process.

RE: 200 PS3's cost how much
By murphyslabrat on 1/4/2009 10:16:21 PM , Rating: 2
Not everyone made your assumption. In agreement with both the op and Mr. Kamel, I thought "...using a network of 200 PlayStation 3 game consoles at a cost of $657." referred to purchasing the consoles in question, and that a ",000" had been omitted.

The op attempted to make a jab at Tom for an assumed typo, and say that few would be willing to put out two thirds of a million for the opportunity to commit identity theft.

On the other hand, $2000 seems a more reasonable investment for the "production" of identities (Credit card/ID/Social Security numbers) that sell for (according to Symantec) about $15 each of pure profit.

RE: 200 PS3's cost how much
By on 1/5/09, Rating: -1
RE: 200 PS3's cost how much
By Yawgm0th on 1/4/2009 6:28:23 PM , Rating: 2
If it can be done on 200 PCs now, then in 3-5 years a modest home network of desktop PCs will be able to do the same thing.

Regardless of the future, any cryptographic protocol that is crackable in less than a day by anything weaker than a mid-range super computer is inherently weak. MD5 is now officially weak, regardless of the cost of 200 PS3s.

RE: 200 PS3's cost how much
By FITCamaro on 1/4/09, Rating: 0
RE: 200 PS3's cost how much
By Lightnix on 1/4/2009 7:26:24 PM , Rating: 2
I was thinking that - if folding at home performance on graphics cards over that on the PS3 has any relevance to the subject, surely a network of PCs, each with a few very high end graphics cards, would do the job much faster for the price (say 4 4870X2's or GTX295's with this motherboard: than the network of PS3's?

RE: 200 PS3's cost how much
By Sagath on 1/4/2009 7:37:05 PM , Rating: 2
I think we are all skipping the main point of the article.

Yes, they cracked it on 200xPS3 over the course of (8?) days. However, tfa states that by RENTING a supercomputer/cloud computing for ~$2000 (or using a botnet? hrmm...) you too can do the same in only one day.

The cost isn't the issue at hand regardless, be it 200 PS3's or one supercomputer. TFA's fact is MD5 hashes are no longer secure, and they are telling people so.

RE: 200 PS3's cost how much
By darkpaw on 1/4/2009 9:00:31 PM , Rating: 1
Yup, botnet is the biggest threat. People that would want to use this sort of thing maliciously already have networks of tens of thousands of PC's waiting to do their dirty work. It probably wouldn't take long at all to generate one of these on a 50k pc botnet.

It's good that most vendors have phased these out, but the ones that haven't account for a pretty large chunk. Especially in the small business market since the named providers are typically the ones that come with web hosting. Many of those businesses had their websites set up by another company or an employee that knows a little about web tech and don't know the first thing about maintaining them or what kind of certificate they are using.

I think overall this will be a good thing though. It's been years since it was revealed this was possible, but now that it's been done it will force the companies that have been dragging their feet to respond.

RE: 200 PS3's cost how much
By Solandri on 1/4/2009 9:24:15 PM , Rating: 3
That's really a non-story. Encryption has always been about striking a balance between difficulty to crack and time to encrypt/decrypt. In the early-1980s, DES was widely used and touted as requiring 100+ years of computing time to crack. 100+ years using early-1980s computers. But its 56-bit key was about the limit of practicality for those early-1980s computers to generate and use.

Of course 10 years later computers had gotten fast enough that it could be cracked in less than a year. 5 years after that, computers had gotten fast enough that a network could crack it in less than a day.

So it was superseded by AES, which uses a 128-256 bit key. In time, computers will become fast enough to crack AES relatively quickly. And we'll switch to something better and with more bits but which is more CPU-intensive to encrypt/decrypt. I'm kinda surprised MD5 has lasted this long. It's almost 20 years old.

RE: 200 PS3's cost how much
By GaryJohnson on 1/5/2009 1:48:52 AM , Rating: 4
It'll be another 400 years till you can use 200 off-the-shelf game consoles to crack 256bit in 8 days (following Moore's Law).

RE: 200 PS3's cost how much
By jimmyjamesjimmy on 1/5/09, Rating: -1
RE: 200 PS3's cost how much
By jRaskell on 1/5/2009 1:18:02 PM , Rating: 2
Many stores STILL can't keep Wii's on the store shelves, so if anything finding and buying 200 PS3s is a LOT easier than finding and buying a comparable amount of Wii's.

RE: 200 PS3's cost how much
By ipay on 1/6/2009 11:55:46 AM , Rating: 2
Because the Wii lacks the massively parallel Cell processor that is required to perform this kind of brute-force attack.

RE: 200 PS3's cost how much
By ccmfreak2 on 1/5/2009 8:40:34 AM , Rating: 1
Are you kidding me??? To be able to intercept potentially thousands of bank accounts, I'd say this is a rather modest cost. What if Bank of America or Wells Fargo were using MD5 on their sites. Tens of thousands of people access these sites every day! And then there's PayPal with thousands of other users who (like myself) link their PayPal account to their bank account, making a quick transfer of funds a breeze! Although many sites don't use MD5 anymore, I'd say this is still a big deal.

By excrucio on 1/4/09, Rating: -1