Researchers hack VeriSign's SSL scheme for securing Web sites
Group says it used flaw in hashing algorithm to create fake digital certificates for Web sites
IDG News Service - With the help of about 200 Sony Playstations, an international team of security researchers has devised a way to undermine one of the algorithms used to protect secure Web sites — a capability that the researchers said could be used to launch nearly undetectable phishing attacks.
To accomplish that, the researchers said today that they had exploited a bug in the MD5 hashing algorithm used to create some of the digital certificates used by Web sites to prove they are what they claim to be. The researchers said that by taking advantage of known flaws in the algorithm, they were able to hack VeriSign Inc.'s RapidSSL.com certificate authority site and create fake digital certificates for any Web site on the Internet.
Hashes are used to create a digital "fingerprint" that is supposed to uniquely identify a given document and can easily be calculated to verify that the document hasn't been modified in transit. But the flaw in the MD5 algorithm makes it possible to create two different documents that have the same numerical hash value.
That, the researchers said, explains how someone could create a digital certificate for a phishing site that has the same fingerprint as the certificate for a genuine Web site. They added, though, that they don't expect to see any actual attacks using the flaw that they exploited — a point that Microsoft Corp. seconded in a security advisory in which it downplayed the threat to Internet users.
Using their farm of Playstation 3 machines, the researchers built a rogue certificate authority that could issue bogus certificates. The Playstation's Cell processor is popular with code breakers because it is particularly good at performing cryptographic functions.
The researchers planned to present their findings today at the Chaos Communication Congress, a hacker conference being held in Berlin. Even before their talk took place, it already was the subject of speculation within the Internet security community.
The team that did the research work included independent researchers Jacob Appelbaum and Alexander Sotirov, as well as computer scientists from the Centrum Wiskunde & Informatica, the Ecole Polytechnique Federale de Lausanne, the Eindhoven University of Technology and the University of California, Berkeley.
Although the researchers believe that a real-world attack using their techniques is unlikely, they say their work shows that the MD5 algorithm should no longer be used by the certificate authority companies that issue digital certificates. "It's a wake-up call for anyone still using MD5," said David Molnar, a Berkeley graduate student who worked on the project.
In addition to VeriSign, TC TrustCenter AG, EMC Corp.'s RSA unit and Thawte Inc. use MD5 to generate their digital certificates, according to the researchers. They said that VeriSign also uses the algorithm on a certificate service offered through its Japanese Web site, in addition to RapidSSL.com.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Cybercrime and Hacking White Papers | Webcasts