SecurityFocus, 2008-12-30
An international group of security researchers and academic cryptographers urged browser makers and certificate authorities on Tuesday to drop support for digital signatures based on MD5 hashing, after they claimed to have successfully attacked the trust infrastructure of the Internet by creating a fake, but valid, certificate.
The research, presented at the 25th Chaos Communications Conference in Berlin, Germany, builds a practical attack against the Internet public key infrastructure (PKI) on already-known weaknesses in the design of the MD5 hash function. Using these techniques, the researchers claimed to have created a rogue certificate authority that could distribute fake Secure Sockets Layer (SSL) certificates that all popular browsers would treat as legitimate.
If online criminals duplicated the work, they could use their own rogue certificate authority along with a man-in-the-middle attack to create virtually undetectable phishing schemes that could collect sensitive information normally protected by SSL encryption, the researchers said.
"The major browsers and Internet players such as Mozilla and Microsoft have been contacted to inform them of our discovery and some have already taken action to better protect their users," Arjen Lenstra, the head of the Laboratory for Cryptologic Algorithms at the Swiss Federal Institute of Technology at Lausanne (EPFL), said in a statement. "The only objective of our research was to stimulate better Internet security with adequate protocols that provide necessary security."
In addition to Lenstra, the research group included independent security researcher Alexander Sotirov, Marc Stevens of the Cryptology Group at Centrum Wiskunde & Informatica (CWI), Jacob Appelbaum of The Tor Project, David Molnar of the University of California at Berkeley, Dag Arne Osvik of the Swiss Federal Institute of Technology at Lausanne, and Benne de Weger of Eindhoven University of Technology in the Netherlands.
To limit any possible malicious use of the certificate, the group restricted the validity of the certificate to the span of a single month in 2004.
Both Microsoft and Mozilla issued statements on Tuesday that stressed that the vulnerability exploited by the attack is not a browser issue, but a problem that needs to be mitigated by the six remaining certificate authorities that use the MD5 hash algorithm to generate certificates.
"This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," Microsoft said in its advisory. "Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm."
The researchers built on work published in 2004 and 2007 demonstrating weaknesses in a commonly used hash algorithm known as MD5. Hash algorithms are typically used to reduce a large data file, such as a Word document or e-mail message, to a simple, if sometimes long, number that can be used to identify the data, in the same way that fingerprints are used to identify humans. A good hash function gives a completely different result if the original file is changed even slightly, and it should be infeasible to find two different files that produce the same result. A variety of encryption and security functions use hashes, from integrity checks and digital signatures to the secure communications and trust infrastructure of the Internet.
On the Web, hash algorithms are used to sign certificates used by online stores, banks and other security-sensitive sites to identify themselves and encrypt the communications channel between the site and its customers. Certificates are issued by certificate authorities (CAs), which are either trusted because they are a top-level, or root, authority or because they have been granted the ability to issue certificates by a root CA. All Web browsers maintain a list of trusted root certificate authorities as a way to verify certificates issued by those CAs. A certificate that appears to be issued by a trusted CA will be accepted as valid by all browsers.
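The two paragraphs above describe why a hash weakness becomes a PKI weakness: a CA's signature covers only the digest of the certificate, so any second certificate with the same digest inherits a valid signature and the browser's trust. The following Python script is an added illustration, not code from the article or from the researchers. It is a constructed toy: real MD5 collisions require the specialised techniques the article refers to, so the script truncates MD5 to 32 bits, finds a collision between a harmless site certificate template and a `CA=TRUE` template by a plain birthday search, and uses an HMAC under a made-up CA key as a stand-in for the CA's real signature. It also measures the avalanche effect the article describes, to show that good single-bit sensitivity alone does not make a hash collision-resistant.

```python
"""Added example (constructed; not from the SecurityFocus article or the researchers).

A CA signs the digest of a certificate, not the certificate bytes.  Any second
input with the same digest therefore carries the same valid signature.  To make
that observable offline, MD5 is truncated to 32 bits so a birthday search finds a
collision in well under a second; an HMAC stands in for the CA's RSA signature.
"""
import hashlib
import hmac

TRUNC_BYTES = 4  # toy setting: keep only 32 of MD5's 128 bits so a collision is findable


def bit_difference(a: bytes, b: bytes) -> int:
    """Count differing bits between two equal-length digests (avalanche check)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_demo() -> int:
    """Flip one bit of a constructed input and count how many MD5 output bits change."""
    doc = b"CN=example-bank.test, valid 2004-08"  # constructed sample
    flipped = bytes([doc[0] ^ 0x01]) + doc[1:]
    return bit_difference(hashlib.md5(doc).digest(), hashlib.md5(flipped).digest())


def toy_digest(data: bytes) -> bytes:
    """Truncated MD5: the weak hash of the toy, standing in for a broken algorithm."""
    return hashlib.md5(data).digest()[:TRUNC_BYTES]


def ca_sign(ca_key: bytes, tbs: bytes) -> bytes:
    """Stand-in for the CA's signature. As in X.509, it covers only the digest."""
    return hmac.new(ca_key, toy_digest(tbs), hashlib.sha256).digest()


def ca_verify(ca_key: bytes, tbs: bytes, sig: bytes) -> bool:
    """Relying-party check: recompute the digest and compare signatures."""
    return hmac.compare_digest(ca_sign(ca_key, tbs), sig)


def find_collision(prefix_a: bytes, prefix_b: bytes):
    """Birthday search over a varying serial field in two different templates.

    Returns (cert_a, cert_b) with identical truncated digests but different content.
    """
    seen_a = {}  # truncated digest -> candidate built from template A
    seen_b = {}  # truncated digest -> candidate built from template B
    i = 0
    while True:
        cand_a = prefix_a + b", serial=" + str(i).encode()
        cand_b = prefix_b + b", serial=" + str(i).encode()
        d_a, d_b = toy_digest(cand_a), toy_digest(cand_b)
        if d_a == d_b:
            return cand_a, cand_b
        if d_a in seen_b:
            return cand_a, seen_b[d_a]
        if d_b in seen_a:
            return seen_a[d_b], cand_b
        seen_a[d_a] = cand_a
        seen_b[d_b] = cand_b
        i += 1


if __name__ == "__main__":
    print("MD5 output bits changed by a 1-bit input change:", avalanche_demo(), "of 128")

    honest_tpl = b"CN=shop.example.test, CA=FALSE"   # what the CA believes it signs
    rogue_tpl = b"CN=Rogue Intermediate, CA=TRUE"    # what inherits the signature
    honest, rogue = find_collision(honest_tpl, rogue_tpl)

    ca_key = b"constructed-ca-key"  # constructed; stands in for the CA's private key
    sig = ca_sign(ca_key, honest)   # CA legitimately signs the honest request
    print("honest cert:", honest)
    print("rogue cert: ", rogue)
    print("same truncated digest:", toy_digest(honest) == toy_digest(rogue))
    print("CA signature verifies for rogue cert:", ca_verify(ca_key, rogue, sig))
    print("full MD5 differs (toy only):", hashlib.md5(honest).digest() != hashlib.md5(rogue).digest())
```

The defensive lesson is the one the article's sources draw: once collisions are practical, the relying party cannot tell the two certificates apart by checking the signature, so the fix belongs with the CAs (stop signing with the weak algorithm) rather than in the browser's verification logic.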