MD5 collision creates rogue Certificate Authority
by Scott Merrill on December 30, 2008
At the 25th Chaos Communication Congress CCC today, researchers will reveal how they utilized a collision attack against the MD5 algorithm to create a rogue certificate authority. This is pretty big news, so read on.
When you make a secured connection to a website via HTTPS, a public key certificate is sent from the server to your computer. This certificate contains a digital signature which your computer uses to verify the identify of the site to which you’re connecting. Certificates are “signed” by a Certificate Authority CA, which acts as a kind of middle-man: you trust the CA, so you can trust the certificates signed by the CA. Anyone can create a certificate authority, though, so most browsers have a list of known reputable and trustworthy CAs. When your computer gets a certificate from a server, your browser checks the CA that issued it to determine whether the CA is trustworthy. If the CA is trustworthy, your browser assumes that the certificate being presented is trustworthy.
The public key cryptography utilized by Certificate Authorities is evolving, as are most things in the technology world. Some CAs used the MD5 algorithm to compute the digital signatures for certificates. MD5 has been known for some time to be weak against collision attacks, but running a CA is a pretty complex operation, so the entities behind them are slow to change.
Researchers attacked the MD5 algorithm using 200 PlayStation 3 systems and were able to construct a bogus Certificate Authority that looks like a known trusted CA. What this means is that these guys could generate a certificate for www.amazon.com which, when presented to your browser, would be accepted as the real thing. The digital signature on the fake certificate is listed as coming from a supposedly reputable CA, so your browser happily accepts it, reassuringly showing you the little padlock icon.
Okay, so how does this affect you? If the researchers’ results can be duplicated by a malicious agent, they could generate any number of certificates that would be trusted by browsers all around the world. This alone might be sufficient, though this attack could be coupled with a sophisticated DNS attack to make it really really really hard for anyone to realize that they’d been suckered. Your browser would report that you’re at yourbank.com; your browser would report that you were using HTTPS to protect the connection; and your browser would report that the SSL certificate being used for that HTTPS connection really did belong to yourbank.com. Granted, the level of effort required to perform such an attack is currently enormous, and the potential gains are probably limited, so it’s likely not the kind of thing that would be pulled on average Internet users. But it’s still something about which to be concerned.
The attack outline states “[w]ith optimizations the attack might be done for $2000 on Amazon EC2 in 1 day.” Thankfully, the researchers are not releasing their specific implementation. That’s somewhat reassuring, but expect conniving folks somewhere to try to recreate the researchers’ results for less academic purposes.
The PDF concludes with this: “No need to panic, the Internet is not completely broken” and assures us that the “affected CAs are switching to SHA-1″. SHA-1 is believed to be weak against certain attacks, though, so it might be better for the vulnerable CAs to jump right to SHA-2 or SHA-3.
Bottom line: as always, be cognizant of your browsing habits. If something looks or feels fishy, don’t provide any account names or passwords. Use different passwords for different websites, so that if you do get suckered by a phishing attack the phishers don’t get the keys to your online kingdom.