Security researchers have identified a weakness in the Internet Public Key Infrastructure (PKI) that is used to issue digital signatures and certificates for secure websites.† The researchers presented the weakness December 30, 2008, at the 25th Chaos Communication Congress (25C3) conference in Berlin, Germany.
The attack is possible because of advances in cryptographic research that target the MD5 cryptographic hash function.† Attackers could construct Certification Authority (CA) certificates that have the same MD5 hash as a valid CA certificate to impersonate trusted root CA certificates.† Successful MD5 collisions allow attackers to impersonate root CA certificates that rely on the weak MD5 algorithm.† Root CAs that do not rely on the weak MD5 algorithm cannot be impersonated using this attack.
The researchers claim that the proof-of-concept rogue certificate they have created is accepted as valid by most web browsers.† Successful attacks could allow attackers to spoof any websites, including banking and e-commerce websites, that are secured using the HTTPS protocol and that rely on a root CA using the weak MD5 algorithm.† Attack types could include spoofing, phishing, code signing, e-mail security, and other trust-related attacks.
Reports indicate that the researchers were able to create a successful attack using test digital certificates and a cluster of 200 Sony PlayStation 3 gaming consoles.† The researchers state that the MD5 collision attack is not easy to achieve, limiting the pool of potential attackers.† However, because of the nature of PKI, one maliciously generated root CA could be used to generate a multitude of malicious certificates for any number of malicious websites.† The proof-of-concept demonstration at 25C3 may encourage root CAs that still rely on MD5 to migrate to more secure algorithms, such as the SHA-1 or SHA-2 algorithm.†
The affected CAs have not been disclosed by the researchers; however, reports indicate that at least six CAs are using the weak algorithm.
The attack is staged by using MD5 collisions.† This term refers to two certificates for which the MD5 hash is the same.
Cisco has released a security response to address Cisco bug IDs CSCsw88068 and CSCsw90626 at the following link: cisco-sr-20090115-md5
Entrust has released a knowledge base article at the following link: 7690
Microsoft has released a security advisory at the following link: 961509
Mozilla has released an announcement at the following link: MD5 Weaknesses Could Lead to Certificate Forgery
Red Hat has released security advisories at the following links: RHSA-2010:0837 and RHSA-2010:0838.† Red Hat packages can be updated using the up2date or yum command.
TrustCenter has released an announcement at the following link: TC TrustCenter response to SSL Vulnerability paper
Ubuntu has released a security notice at the following link: USN-740-1.† Ubuntu has released updated packages; users can install the updates using Update Manager.
VeriSign has released an announcement at the following link: on_md5_vulnerabilities_and_mit
US-CERT has released a vulnerability note at the following link: VU#836068