MD5 collision used to create rogue certificate authority
Thu, 01 Jan 2009 13:48
This really is quite nice. Researchers used collisions in the MD5 hash algorithm to create a rogue CA (Certification Authority) certificate signed by RapidSSL. RapidSSL is apparently trusted by the majority of web browsers.
It was demonstrated years ago that MD5 collisions could be generated relatively easily, but that hasn't stopped MD5 being used in a number of contexts where cryptographically secure hash functions are required. The attack involves getting a CA that uses MD5 for hashing to provide a legitimate website certificate. The attacker then generates their own CA certificate which has the same hash as the legitimate one. It is now possible for the attacker to generate SSL certificates for arbitrary websites, signed by their rogue CA certificate. As the rogue CA certificate has the same hash as a legitimate one signed by the CA, browsers that trust the CA will accept the fraudulent site's identity.
What I really like about this work is that the authors have managed to bridge the gap between a result primarily of interest to security researchers and an issue which could affect the average web user. Quite often, when cryptographic research results get publicity, the implications are so obscure to anyone without a knowledge of cryptography that the reporting soon becomes badly distorted. Hopefully, this example of how MD5's unsuitability as a cryptographic hash can lead to such an easily comprehensible real-world vulnerability might make people take notice of the danger in using broken hashing and encryption algorithms. Well, one can hope.
As Bruce Schneier points out, the plethora of valid sites with broken certificates have trained users to ignore SSL warnings so the ability to spoof SSL certificates doesn't really add that much. Having said that, Firefox 3 goes out of its way to make it difficult to access web-sites with invalid SSL certificates. Still, given the multitude of far simpler methods criminals have for acquiring sensitive information, it's unlikely this attack will ever be seen in the wild.