
Ever wanted to be an Intermediate Certificate Authority?

Speaking at the 25th annual Chaos Communication Conference (25C3) early last week, security researchers demonstrated the first known application of a years-old theoretical attack against the MD5 hashing algorithm used by companies like Verisign and Thawte to issue SSL certificates.

SSL certificates use hashes generated by one of several algorithms, including MD5, to verify their issuer’s identity. The hash is an important part of the public-key cryptography that SSL is built on, as it is essential to protecting the secret private key that CAs use to sign SSL certificates.

By exploiting a weakness specific to hashes generated with the MD5 algorithm – namely, that they are prone to “collisions”, or multiple inputs producing the same output – an attacker could derive a working private key from a single, regular SSL certificate, and then use that key to sign future SSL certificates with the original CA’s signature.

Security experts have known about the possibility for MD5 collisions since at least 2004. Until now, however, the vulnerability was dismissed as a theoretical possibility due to the amount of CPU time needed to attack a single hash for collisions. The 25C3 presenters claim they were able to run the attack in only four weekends, using a network of 200 PlayStation 3 game consoles at a cost of $657.

For about $2,000, said the presenters, an attacker could pull off a similar attack using Amazon’s cloud-computing EC2 service, and the attack would take about a day.

A successful attack would allow attackers to appoint themselves as an Intermediate Certificate Authority, and then generate trusted certificates without having to contact a real CA. The spoofed certificates could then be used to add the appearance of legitimacy to a phishing site designed to steal bank account passwords, for example.

While many CAs have moved on to the more secure SHA-1 or SHA-2 algorithms, a handful of issuers have not. Of the certificates the researchers found still using MD5, approximately 97% were signed by Verisign-owned low-cost CA RapidSSL. Other companies using MD5 include FreeSSL, Thawte, and

Verisign announced that it will replace RapidSSL customers’ certificates free of charge.

“This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites,” said security researcher Alexander Sotirov, who worked with others from the U.S., the Netherlands, and Switzerland.

Sotirov’s website includes a detailed explanation of the attack, as well as samples of a real certificate and the rogue signing certificate derived from it.

Extended-Validation SSL certificates are immune to the attack due to the fact that they are forbidden from using MD5.

Microsoft reportedly downplayed the threat, noting that the researchers withheld important information that renders the attack “not repeatable”.

A blog post from Verisign’s Tim Callahan says his company applauds the team’s research, noting that their work was so secret that not even Verisign had access to the information before the 25C3 presentation.

Customers holding an MD5-signed SSL certificate will need to contact their CA to acquire and install a new certificate on their servers.
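As an added example (not code from the article or from the researchers), the following identifies a certificate's signature algorithm from its DER bytes using only the Python standard library, so MD5-signed certificates can be found and queued for reissue. The sample certificate it builds is a constructed stand-in with a dummy signature, and the `REPLACE` policy set is the example's own.

```python
MD5_RSA = "1.2.840.113549.1.1.4"        # md5WithRSAEncryption
REPLACE = {MD5_RSA}                     # policy: signature OIDs that must be reissued

def der(tag, body):
    # Encode one DER TLV with a minimal (short- or long-form) length.
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    # Return (tag, value, next_pos) for the TLV starting at pos.
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                      # long form: low bits give the byte count
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Dotted OID from DER content octets (first byte packs arcs 1 and 2)."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                    # base-128, high bit set on all but the last byte
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _tbs, pos = read_tlv(cert, 0)      # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must begin with an OBJECT IDENTIFIER"
    return decode_oid(oid)

def needs_replacement(cert_der):
    return signature_algorithm(cert_der) in REPLACE

def build_sample_cert(alg_last_arc, serial=b"\x01"):
    tbs = der(0x30, der(0x02, serial))    # constructed stand-in tbs: just a serial number
    oid = der(0x06, bytes.fromhex("2a864886f70d0101") + bytes([alg_last_arc]))  # 1.2.840.113549.1.1.x
    alg_id = der(0x30, oid + der(0x05, b""))                                      # NULL parameters
    return der(0x30, tbs + alg_id + der(0x03, b"\x00" + b"\x00" * 16))            # dummy signature bits
```

On a real certificate, pass the DER bytes (e.g. from `ssl.DER_cert_to_PEM_cert`'s inverse, `ssl.PEM_cert_to_DER_cert`) to `needs_replacement`.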


MD5 is not the real problem, actually
By void5 on 1/5/2009 8:53:25 AM , Rating: 5
There are a lot of errors in this article. Its author definitely does not understand the problem (even if he bothered to read the original paper).

1) ALL hash functions are "prone to collisions" BY DEFINITION. The problem is how hard it is to find one. "Good" hash functions with N bits of hash value are only "crackable" by brute force, that means 2^N operations for "find a preimage for a particular hash" and 2^(N/2) for "find two different preimages with the same hash" ("birthday attack"). And even "simply" finding collisions will not allow you to "crack" anything.

2) "By exploiting a weakness specific to hashes generated with the MD5 algorithm - namely, that they are prone to "collisions", or multiple inputs producing the same output - an attacker could derive a working private key from a single, regular SSL certificate" is UTTER BULLSHIT. This attack has NOTHING to do with private keys. It will not allow you to determine the private key of any existing certificate.

3) Despite all the hype, the main problem behind this attack is NOT MD5. According to the researchers, their version of the attack needs over 2^51 operations (which is a very good result considering even a simple "birthday attack" on an "ideal" 128-bit hash should need at least 2^64). However, simply using randomized serial numbers for certificates makes ANY type of "birthday attack" unfeasible, leading to about 2^128 operations EVEN for "insecure" MD5 (yes, it probably will be a little lower than 128, but that is not the point). While moving to SHA-1 without fixing serial numbers will get us at most 2^80. Isn't it obvious where the real problem is? As usual, it is not the algorithm, it is its not-very-thought-out usage by some CAs.

Obviously, there is no need for existing MD5-signed certificate owners to hurry for new certificates (and this is even explicitly noted in the original paper).

Let's not even talk about how "securely" trusted root certificates are installed and used in modern browsers and OSes...
