Print 28 comment(s) - last by ipay.. on Jan 6 at 11:55 AM

Ever wanted to be an Intermediate Certificate Authority?

Speaking at the 25th annual Chaos Communication Conference (25C3) early last week, security researchers demonstrated the first known application of a years-old theoretical attack against the MD5 hashing algorithm used by companies like Verisign and Thawte to issue SSL certificates.

SSL certificates use hash codes generated by a variety of algorithms, including MD5, to verify their issuer’s identity. The hash code is an important feature of public-key cryptography, which SSL is based upon, as it is essential to protecting the secret, private code that CAs use to sign SSL certificates.

By exploiting a weakness specific to hashes generated with the MD5 algorithm – namely, that they are prone to “collisions”, or multiple inputs producing the same output – an attacker could derive a working private key from a single, regular SSL certificate, and then use that key to sign future SSL certificates with the original CA’s signature.

Security experts have known about the possibility for MD5 collisions since at least 2004. Until now, however, the vulnerability was dismissed as a theoretical possibility due to the amount of CPU time needed to attack a single hash for collisions. The 25C3 presenters claim they were able to run the attack in only four weekends, using a network of 200 PlayStation 3 game consoles at a cost of $657.

For about $2,000, said the presenters, an attacker could pull off a similar attack using Amazon’s cloud-computing EC2 service, and the attack would take about a day.

A successful attack would allow attackers to appoint themselves as an Intermediate Certificate Authority, and then generate trusted certificates without having to contact a real CA. The spoofed certificates could then be used to add the appearance of legitimacy to a phishing site designed to steal bank account passwords, for example.

While many CAs have moved on to the more secure SHA-1 or SHA-2 algorithms, a handful of issuers have not. Of the brands still using MD5, the researchers found approximately 97% of those certificates to be signed by Verisign-owned low-cost CA RapidSSL. Other companies using MD5 include FreeSSL, Thawte, and

Verisign announced that it will replace RapidSSL customers’ certificates free of charge.

“This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites,” said security researcher Alexander Sotirov, who worked with others from the U.S., the Netherlands, and Switzerland.

Sotirov’s website includes a detailed explanation of the attack, as well as samples of a real certificate and the rogue signing certificate derived from it.

Extended-Validation SSL certificates are immune to the attack due to the fact that they are forbidden from using MD5.

Microsoft reportedly downplayed the threat, noting that the researchers withheld important information that renders the attack “not repeatable”.

A blog post from Verisign’s Tim Callahan says his company applauds the team’s research, noting that their work was so secret that not even Verisign had access to the information before the 25C3 presentation.

Customers holding an MD5-signed SSL certificate will need to contact their CA to acquire and install a new certificate on their servers.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: 200 PS3's cost how much
By Sagath on 1/4/2009 7:37:05 PM , Rating: 2
I think we are all skipping the main point of the article.

Yes, they cracked it on 200xPS3 over the course of (8?) days. However, tfa states that by RENTING a supercomputer/cloud computing for ~$2000 (or using a botnet? hrmm...) you too can do the same in only one day.

The cost isnt the issue at hand regardless, be it 200 PS3's or one supercomputer. TFA fact is MD5 hashes are no longer secure, and they are telling people so.

RE: 200 PS3's cost how much
By darkpaw on 1/4/2009 9:00:31 PM , Rating: 1
Yup, botnet is the biggest threat. People that would want to use this sort of thing maliciously already have networks of tens of thousands of PC's waiting to do their dirt work. It probably wouldn't take long at all to generate one of these on a 50k pc botnet.

Its good that most vendors have phased these out, but the ones that haven't account for a pretty large chunk. Especially in the small business market since the named providers are typically the ones that come with web hosting. Many of those businesses had their websites setup by another company or an employee that knows a little about web tech and don't know the first thing about maintaining them or what kind of certificate they are using.

I think overall this will be a good thing though. Its been years since it was revealed this was possible, but now that its been done it will force the companies to respond that have been dragging their feet.

RE: 200 PS3's cost how much
By Solandri on 1/4/2009 9:24:15 PM , Rating: 3
That's really a non-story. Encryption has always been about striking a balance between difficulty to crack and time to encrypt/decrypt. In the early-1980s, DES was widely used and touted as requiring 100+ years of computing time to crack. 100+ years using early-1980s computers. But its 56-bit key was about the limit of practicality for those early-1980s computers to generate and use.

Of course 10 years later computers had gotten fast enough that it could be cracked in less than a year. 5 years after that, computers had gotten fast enough that a network could crack it in less than a day.

So it was superseded by AES, which uses a 128-256 bit key. In time, computers will become fast enough to crack AES relatively quickly. And we'll switch to something better and with more bits but which is more CPU-intensive to encrypt/decrypt. I'm kinda surprised MD5 has lasted this long. It's almost 20 years old.

RE: 200 PS3's cost how much
By GaryJohnson on 1/5/2009 1:48:52 AM , Rating: 4
It'll be another 400 years till you can use 200 off-the-shelf game consoles to crack 256bit in 8 days (following Moore's Law).

RE: 200 PS3's cost how much
By jimmyjamesjimmy on 1/5/09, Rating: -1
RE: 200 PS3's cost how much
By jRaskell on 1/5/2009 1:18:02 PM , Rating: 2
Many stores STILL can't keep Wii's on the store shelves, so if anything finding and buying 200 PS3s is a LOT easier than finding and buying a comparable amount of Wii's.

RE: 200 PS3's cost how much
By ipay on 1/6/2009 11:55:46 AM , Rating: 2
Because the Wii lacks the massively parallel Cell processor that is required to perform this kind of brute-force attack.

"There is a single light of science, and to brighten it anywhere is to brighten it everywhere." -- Isaac Asimov

Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki