News

SSL Certs Busted

• By Joab Jackson
• January 4, 2009

European security researchers have demonstrated a weakness in a hash algorithm widely used for creating digital certificates to secure Web sites and sign e-mails.

The weaknesses, found in the MD5 hash algorithm, could be used as a basis to generate fraudulent X.509 Certification Authority certificates, allowing attackers to forge secure web sites, those that use the HTTPS protocol to ensure authenticity. Any other secure services that use the Secure Socket Layer (SSL), such as digitally-signed e-mail, could be vulnerable as well.

"MD5 hashes have been shown to be weak for a while now, and this is just yet another attack using these known weaknesses," wrote Johannes Ullrich of the SANS Internet Storm Center, in an advisory. "The attack is still not easy, but very much possible and not just 'theoretical.'"

The researchers created a phony certificate, one that appears to be issued by a root Certificate Authority (CA), or trusted issuer of certificates for Public Key Infrastructures (PKI). The team harnessed a system built of 200 Sony Playstation PS3s to generate a MD5 hash value identical to legitimate one issued by a CA. The process took about two days.

"Our work shows that known weaknesses in the MD5 hash function can be exploited in realistic attack," the researchers wrote in a paper explaining their work. "[D]ue to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function … The vulnerability we expose is not in the SSL protocol or the web servers and browsers that implement it, but in the Public Key Infrastructure."

The hash function is an operation that ingests a string of data and outputs another string, called the hash value. Since a hash value has no easily-decipherable relation to the original input, it typically may not be duplicated by using some other input. The MD5 algorithm, however, has been shown to be faulty in this manner: In 2004, researchers theoretically showed that identical hash values from different inputs could be created with the 128-bit MD5 hash algorithm. This recent announcement is one of the first demonstrations that a duplicate MD5 hash value can be created.

Although the National Institute of Standards and Technology has advised end-users to move from the MD5 to SHA-1, many commercial CAs still use MD5. The researchers reported that RSA and VeriSign still use MD5 for some of their certificates.

Only those certificates using the MD5 algorithm could be affected. Those based on the stronger SHA-1, SHA-256, SHA-384 or SHA-512 algorithms are not affected.

Microsoft has advised its customers to stop using any certificates that were generated by the MD5 hashing algorithm.

In the paper, the researchers sketched out a theoretical scenario in which attackers could build a phony secure Web site to which users are unsuspectingly redirected from the real site. To end-users, the site may look identical to the real site. When the users' browsers do the automatic certificate check, they'll find the forged certificate claims the phony site is the real, setting up users to conduct sensitive communications or business transactions with the attackers.

In response to the paper, VeriSign product marketing executive Tim Callan notedthat VeriSign has been in the process of phasing out MD5-based certificates, and the work did not jeopardize any certificates now in place.

"No end entity certificates are affected by this attack. The attack, when it worked, was a potential method for a criminal to create a new, false certificate from scratch. Existing certificates are not targets for this attack," he wrote.