It's just one embarrassment after another for the digital certificate business lately. First, lax procedures at a Comodo affiliate resulted in the sale of a "mozilla.com" certificate to someone unaffiliated with that group. Now a more serious technical problem has developed with the way some certificates are generated, but the real problem is still human.
It was announced at the Chaos Computer Congress in Berlin held Dec. 27 to 30: A practical collision attack on MD5 hashes, called a colliding certificates attack, allowed a group of brilliant attackers to create a signing certificate for a legitimate certificate authority. Click here for the paper they wrote on their research.
Popular Web browsers and many other applications are distributed with the root certificates of trusted certificate authorities so that the browsers can verify that Web site certificates they encounter were, in fact, issued by one of the trusted authorities. By creating their rogue certificate, the researchers were able to create certificates that would be verified by Web browsers as having been issued by the legitimate certificate authority, which, in this case, was RapidSSL, a low-cost CA owned by VeriSign. The researchers revealed enough of their research to make the problem clear and to demonstrate that they did what they claimed to do, but not enough, for now, to allow others to replicate the work quickly.
The research is brilliant and the researchers handled themselves so well that they have received nothing but applause, even from VeriSign, which acknowledged the problems that allowed the colliding certificates attack and is moving swiftly to remove them from all of their certificate products. Any customer with an affected certificate can have a new, unaffected one, issued for free by the company.
Before I get to what I believe is the main lesson of this episode, I'll talk a bit about hash functions, the target of this attack. Hash functions are used to take a block of data, potentially large, and to create a value from it on which other operations may be performed. A hash function will always create the same hash for the same block of data, but you don't want it to be practical to reverse the process and create the data block from the hash. And while it's certain that, somewhere in the world, there are two blocks of data that create the same hash, you don't want it to be practical to find them.
This last problem is what happened in the colliding certificates attack: The researchers used a cluster of 200 PlayStation 3s to find a hash collision for the RapidSSL signing certificate.