When news hit that a team of security researchers and cryptographers had discovered a way to create a rogue certificate authority, the oft-repeated rule of Internet security, “Trust no one,” took on new significance.
However, before panic strikes, the researchers pointed out there are a number of measures that can be taken by browser vendors and CAs (certificate authorities) to address the situation.
At the center of the problem is what is called an MD5 collision, a well-known vulnerability within the MD5 cryptographic hash function that makes it possible to construct different messages with the same MD5 hash. In this case, the researchers have found a way to use the situation to forge digital certificates. Armed with a cluster of more than 200 commercially available game consoles and an advanced implementation of the collision construction, the team of researchers was able to essentially create a rogue certification authority.
The findings were presented Dec. 30 at the 35th Chaos Communications Conference in Berlin. If successfully executed, the attack would allow a hacker to impersonate any Web site on the Internet, leaving users open to phishing and other attacks. The good news is that the researchers have no shortage of advice on how the Internet community can deal with the problem.
First and foremost, they recommended CAs abandon their use of MD5. Many CAs have actually already done this, using standards such as SHA-1 instead. Still, the researchers found six CAs still using MD5 in 2008: RapidSSL, FreeSSL, TC TrustCenter, RSA Data Security, Thawte and Verisign.co.jp.
In response, VeriSign has now said it has removed the MD5 hash algorithm from the RapidSSL certificates it issues, which now all use SHA-1. The company also said it has ensured that no SSL (Secure Sockets Layer) certificate it sells under any brand is vulnerable to the attack laid out by the researchers. There are some specific, non-RapidSSL certificates the company is still issuing on MD5. Those certificates are not vulnerable to this attack, and by the end of January they’ll be off MD5 as well, VeriSign said.
What to Do About the Attack
“It’s imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard,” Arjen Lenstra, head of EPFL’s Laboratory for Cryptologic Algorithms, said in a statement. Lenstra was one of the researchers involved in the project.
To prevent chosen-prefix attacks, the group recommends that CAs add more randomness to certificate fields, preferably as close to the start of the certificate as possible. The team also suggests that certification authorities monitor the flow of Certificate Signing Requests they receive for abnormal behavior, such as multiple requests from the same user in quick succession.
As for browser vendors, they can display a warning to users when the browser encounters an MD5-based certificate, block MD5-based certificates outright, or implement path length checking.
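The client-side block described above, as an added example that is not from the article or the researchers: a minimal DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and refuses any chain containing an MD5-signed certificate. The function names are assumptions; the OIDs are the standard RSA signature identifiers, and the sample certificates are constructed inline.

```python
# Added example (not from the article): read the outer signatureAlgorithm OID of a DER
# X.509 certificate and apply a "refuse MD5" policy, as a browser blocking MD5-based
# certificates would. Standard library only; sample certificates below are constructed.

MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Dotted OID from its DER content bytes (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(body, 0)          # skip tbsCertificate; only the outer algorithm matters
    alg_tag, alg, _ = read_tlv(body, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    oid_tag, oid_raw, _ = read_tlv(alg, 0)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER X.509 certificate")
    return decode_oid(oid_raw)

def reject_md5(chain_der):
    """Client policy: (accepted, indexes of certificates signed with an MD5-based algorithm)."""
    offending = [i for i, c in enumerate(chain_der) if signature_algorithm(c) in MD5_SIG_OIDS]
    return not offending, offending
# --- constructed sample input (not real certificates: empty tbsCertificate, 1-byte signature)
def der(tag, body):
    """Encode one short-form DER TLV (bodies under 128 bytes, enough for the samples)."""
    return bytes([tag, len(body)]) + body

def sample_cert(sig_oid_content):
    alg = der(0x30, der(0x06, sig_oid_content) + der(0x05, b""))   # OID + NULL parameters
    return der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))

MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4  md5WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
```

Running `reject_md5([sample_cert(SHA256_RSA), sample_cert(MD5_RSA)])` returns `(False, [1])`, identifying the MD5-signed member of the chain before any signature is verified.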
“The major browsers and Internet players, such as Mozilla and Microsoft, have been contacted to inform them of our discovery, and some have already taken action to better protect their users,” Lenstra added.
Scott Crawford, an analyst with Enterprise Management Associates, noted that the researchers were also able to predict some of the values found in a legitimate certificate, such as the serial number, and could leverage them.
“Thus it’s not only reliance on a hashing algorithm with known issues, it’s also the overall processes of certificate issuance which merit examination as well,” Crawford said. “As attackers continue to proliferate and their numbers grow at alarming rates, those who place a high degree of reliance on critically sensitive PKI [public-key infrastructure] and cryptography will need to take a fresh look at just how well they are prepared to deal with today’s threats.”
Though cyber-crooks would have to go through a significant amount of trouble to launch this attack, its existence illustrates that consumers cannot universally rely on certificates to guarantee they are on a legitimate Web site, opined Avivah Litan, an analyst with Gartner.
“In the end, it just points out that Internet infrastructure is full of security weaknesses, and fraud must be tackled using a layered approach, including stronger security for PCs, more robust Internet infrastructure (including stronger certificates, signed e-mail, secure gateways, etc.), stronger user authentication … and proactively taking down criminal operations,” Litan said.
Editor’s Note: This article was updated to add a response from VeriSign.