Security Activity Bulletin
Weak MD5 Cryptographic Algorithm Allows for Certification Authority Certificate Spoofing Attacks
-
Security researchers have identified a weakness in the Internet Public Key Infrastructure (PKI) that is used to issue digital signatures and certificates for secure websites. The researchers presented the weakness December 30, 2008, at the 25th Chaos Communication Congress (25C3) conference in Berlin, Germany.
The attack is possible because of advances in cryptographic research that target the MD5 cryptographic hash function. Attackers could construct Certification Authority (CA) certificates that have the same MD5 hash as a valid CA certificate to impersonate trusted root CA certificates. Successful MD5 collisions allow attackers to impersonate root CA certificates that rely on the weak MD5 algorithm. Root CAs that do not rely on the weak MD5 algorithm cannot be impersonated using this attack.
The researchers claim that the proof-of-concept rogue certificate they have created is accepted as valid by most web browsers. Successful attacks could allow attackers to spoof any websites, including banking and e-commerce websites, that are secured using the HTTPS protocol and that rely on a root CA using the weak MD5 algorithm. Attack types could include spoofing, phishing, code signing, e-mail security, and other trust-related attacks.
Reports indicate that the researchers were able to create a successful attack using test digital certificates and a cluster of 200 Sony PlayStation 3 gaming consoles. The researchers state that the MD5 collision attack is not easy to achieve, limiting the pool of potential attackers. However, because of the nature of PKI, one maliciously generated root CA could be used to generate a multitude of malicious certificates for any number of malicious websites. The proof-of-concept demonstration at 25C3 may encourage root CAs that still rely on MD5 to migrate to more secure algorithms, such as the SHA-1 or SHA-2 algorithm.
The affected CAs have not been disclosed by the researchers; however, reports indicate that at least six CAs are using the weak algorithm.
The attack is staged by using MD5 collisions. This term refers to two certificates for which the MD5 hash is the same.
Cisco has released a security response to address Cisco bug IDs CSCsw88068 and CSCsw90626 at the following link: cisco-sr-20090115-md5
Entrust has released a knowledge base article at the following link: 7690
Microsoft has released a security advisory at the following link: 961509
Mozilla has released an announcement at the following link: MD5 Weaknesses Could Lead to Certificate Forgery
Red Hat has released security advisories at the following links: RHSA-2010:0837 and RHSA-2010:0838. Red Hat packages can be updated using the up2date or yum command.
TrustCenter has released an announcement at the following link: TC TrustCenter response to SSL Vulnerability paperUbuntu has released a security notice at the following link: USN-740-1. Ubuntu has released updated packages; users can install the updates using Update Manager.
VeriSign has released an announcement at the following link: on_md5_vulnerabilities_and_mit
US-CERT has released a vulnerability note at the following link: VU#836068
-
Show LessVersion Description Section Date 7 Red Hat has released security advisories and updated packages to address the MD5 cryptographic algorithm Certification Authority certificate spoofing attacks.
2010-November-09 13:48 GMT 6 Ubuntu has released a security notice and updated packages to address the weak MD5 cryptographic algorithm Certification Authority certificate spoofing attacks. 2009-March-18 11:11 GMT 5 Cisco has released a security response with information pertaining to the MD5 cryptographic algorithm Certification Authority certificate spoofing attacks. 2009-January-15 18:41 GMT 4 Entrust has issued a knowledge base article with information pertaining to the MD5 cryptographic algorithm Certification Authority certificate spoofing attacks. 2009-January-09 19:27 GMT 3 Several vendors have released announcements with information pertaining to the MD5 cryptographic algorithm Certification Authority certificate spoofing attacks. 2009-January-05 21:24 GMT 2 Microsoft has released a security advisory with information pertaining to the MD5 cryptographic algorithm Certification Authority certificate spoofing attacks. 2008-December-31 14:21 GMT 1 Security researchers have discovered a weakness within the MD5 cryptographic algorithm that could allow attackers to spoof secure websites on the Internet, leading to trust-related attacks such as phishing. 2008-December-30 21:01 GMT
-
The security vulnerability applies to the following combinations of products.
Primary Products IntelliShield Security Activity Bulletin Original Release (Base) Associated Products Red Hat, Inc. Certificate System 7.3 (x86_64, IA-32) | 8 (IA-32, x86_64)
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products