Security Intelligence Operations

Ubuntu has released a security notice and updated packages to address the weak MD5 cryptographic algorithm Certification Authority certificate spoofing attacks.

Security researchers have identified a weakness in the Internet Public Key Infrastructure (PKI) that is used to issue digital signatures and certificates for secure websites.  The researchers are presenting the weakness December 30, 2008, at the 25th Chaos Communication Congress (25C3) conference in Berlin, Germany.

The attack is possible because of advances in cryptographic research that target the MD5 cryptographic hash function.  Attackers could construct Certification Authority (CA) certificates that have the same MD5 hash as a valid CA certificate to impersonate trusted root CA certificates.  Successful MD5 collisions allow attackers to impersonate root CA certificates that rely on the weak MD5 algorithm.  Root CAs that do not rely on the weak MD5 algorithm cannot be impersonated using this attack.

The researchers claim that the proof-of-concept rogue certificate they have created is accepted as valid by most web browsers.  Successful attacks could allow attackers to spoof any websites, including banking and e-commerce websites, that are secured using the HTTPS protocol and that rely on a root CA using the weak MD5 algorithm.  Attack types could include spoofing, phishing, code signing, e-mail security, and other trust-related attacks.

Reports indicate that the researchers were able to create a successful attack using test digital certificates and a cluster of 200 Sony PlayStation 3 gaming consoles.  The researchers state that the MD5 collision attack is not easy to achieve, limiting the pool of potential attackers.  However, because of the nature of PKI, one maliciously generated root CA could be used to generate a multitude of malicious certificates for any number of malicious websites.  The proof-of-concept demonstration at 25C3 may encourage root CAs that still rely on MD5 to migrate to more secure algorithms, such as the SHA-1 or SHA-2 algorithm. 

The affected CAs have not been disclosed by the researchers; however, reports indicate that at least six CAs are using the weak algorithm.

The attack is staged by using MD5 collisions.  This term refers to two certificates for which the MD5 hash is the same.

Cisco has released a security response to address Cisco bug IDs CSCsw88068 and CSCsw90626 at the following link: cisco-sr-20090115-md5

Entrust has released a knowledge base article at the following link: 7690

Microsoft has released a security advisory at the following link: 961509

Mozilla has released an announcement at the following link: MD5 Weaknesses Could Lead to Certificate Forgery

TrustCenter has released an announcement at the following link: TC TrustCenter response to SSL Vulnerability paper

Version 5, January 15, 2009, 1:41 PM: Cisco has released a security response with information pertaining to the MD5 cryptographic algorithm Certification Authority certificate spoofing attacks.

Version 4, January 9, 2009, 2:27 PM: Entrust has issued a knowledge base article with information pertaining to the MD5 cryptographic algorithm Certification Authority certificate spoofing attacks.

Version 3, January 5, 2009, 4:24 PM: Several vendors have released announcements with information pertaining to the MD5 cryptographic algorithm Certification Authority certificate spoofing attacks.

Version 2, December 31, 2008, 9:21 AM: Microsoft has released a security advisory with information pertaining to the MD5 cryptographic algorithm Certification Authority certificate spoofing attacks.

Version 1, December 30, 2008, 4:01 PM: Security researchers have discovered a weakness within the MD5 cryptographic algorithm that could allow attackers to spoof secure websites on the Internet, leading to trust-related attacks such as phishing.