IDG News Service - With the help of about 200 Sony Playstations, an international team of security researchers has devised a way to undermine one of the algorithms used to protect secure Web sites — a capability that the researchers said could be used to launch nearly undetectable phishing attacks.

To accomplish that, the researchers said today that they had exploited a bug in the MD5 hashing algorithm used to create some of the digital certificates used by Web sites to prove they are what they claim to be. The researchers said that by taking advantage of known flaws in the algorithm, they were able to hack VeriSign Inc.'s RapidSSL.com certificate authority site and create fake digital certificates for any Web site on the Internet.

Hashes are used to create a digital "fingerprint" that is supposed to uniquely identify a given document and can easily be calculated to verify that the document hasn't been modified in transit. But the flaw in the MD5 algorithm makes it possible to create two different documents that have the same numerical hash value.

That, the researchers said, explains how someone could create a digital certificate for a phishing site that has the same fingerprint as the certificate for a genuine Web site. They added, though, that they don't expect to see any actual attacks using the flaw that they exploited — a point that Microsoft Corp. seconded in a security advisory in which it downplayed the threat to Internet users.

Using their farm of Playstation 3 machines, the researchers built a rogue certificate authority that could issue bogus certificates. The Playstation's Cell processor is popular with code breakers because it is particularly good at performing cryptographic functions.

The researchers planned to present their findings today at the Chaos Communication Congress, a hacker conference being held in Berlin. Even before their talk took place, it already was the subject of speculation within the Internet security community.

The team that did the research work included independent researchers Jacob Appelbaum and Alexander Sotirov, as well as computer scientists from the Centrum Wiskunde & Informatica, the Ecole Polytechnique Federale de Lausanne, the Eindhoven University of Technology and the University of California, Berkeley.

Although the researchers believe that a real-world attack using their techniques is unlikely, they say their work shows that the MD5 algorithm should no longer be used by the certificate authority companies that issue digital certificates. "It's a wake-up call for anyone still using MD5," said David Molnar, a Berkeley graduate student who worked on the project.

In addition to VeriSign, TC TrustCenter AG, EMC Corp.'s RSA unit and Thawte Inc. use MD5 to generate their digital certificates, according to the researchers. They said that VeriSign also uses the algorithm on a certificate service offered through its Japanese Web site, in addition to RapidSSL.com.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.

Comment Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

digital certificates

Additional Resources

Xerox

Win a color printer!

By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer!

Microsoft

Upgrade to Internet Explorer 8 today.

Save time and mitigate security risk. Deploy it now.

Sybase

NEXT-GENERATION MOBILITY PLATFORMS

In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.