

A powerful digital certificate that can be used to forge the identity of any website on the internet is in the hands of an international band of security researchers, thanks to a sophisticated attack on the ailing MD5 hash algorithm, a slip-up by Verisign, and about 200 PlayStation 3s.

"We can impersonate Amazon.com and you won't notice," says David Molnar, a computer science PhD candidate at UC Berkeley. "The padlock will be there and everything will look like it's a perfectly ordinary certificate."

The security researchers from the U.S., Switzerland and the Netherlands planned to detail their technique Tuesday, at the 25th Chaos Communication Congress in Berlin.

At issue is the crypto technology used to ensure visitors to Amazon.com, for example, are actually connected to the online retailer and not to a fake site erected by a fraudster. That assurance comes from a digital certificate that's vouched for and digitally signed by a trusted authority like Verisign. The certificate is transmitted to a user's browser and automatically verified during SSL connections – the high-security web links heralded by a locked-padlock icon in the browser.

Key to the signing process is a so-called hash function – an algorithm that turns a digital file into a small fingerprint of a fixed size. To prevent forgery, the hash function must make it practically impossible for anyone to create two files that will boil down to the same hash.

In 2004 and 2007, cryptographers published research showing that the once-common MD5 hash function suffers weaknesses that could allow attackers to create these "collisions." Since then, most certificate authorities have moved to more secure hashes. But in an automated survey earlier this year, the researchers presenting in Berlin say they discovered a weak link at Verisign-owned RapidSSL, which was still signing certificates using MD5. Out of 38,000 website certificates the team collected, 9,485 were signed using MD5, and 97% of those were issued by RapidSSL.
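A defender-side check of the kind that survey implies, added here as an example and not code from the article or the researchers: parse the outer structure of a DER-encoded X.509 certificate and flag ones whose signatureAlgorithm is md5WithRSAEncryption. The OIDs are the standard PKCS#1 values; the sample certificates are constructed skeletons (an opaque tbsCertificate and a dummy signature), not real certificates.

```python
"""Flag X.509 certificates whose signature uses MD5 (constructed example)."""

# DER content bytes of the OBJECT IDENTIFIER for common RSA signature algorithms
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",     # 1.2.840.113549.1.1.4
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",    # 1.2.840.113549.1.1.5
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",  # 1.2.840.113549.1.1.11
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def signature_algorithm(cert_der):
    """Name the outer signatureAlgorithm of Certificate ::= SEQUENCE { tbs, alg, sig }."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)            # tbsCertificate: skipped as opaque
    tag, alg_id, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return SIG_OIDS.get(oid, "unknown:" + oid.hex())

def uses_md5(cert_der):
    """True when the certificate's signature hash is MD5 (the RapidSSL weak link)."""
    return signature_algorithm(cert_der) == "md5WithRSAEncryption"

def _tlv(tag, content):
    """DER-encode one TLV, choosing short or long-form length as needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def make_cert(oid_hex, tbs_len=300):
    """Constructed skeleton certificate: opaque tbs, given signature OID, dummy signature."""
    tbs = _tlv(0x30, b"\x00" * tbs_len)                 # long-form length on purpose
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 129)                    # unused-bits byte + dummy signature
    return _tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("2a864886f70d010104", "2a864886f70d01010b"):
        print(signature_algorithm(make_cert(oid)), "md5?", uses_md5(make_cert(oid)))
```

On a real survey the same function runs over each certificate fetched from a TLS handshake; only the outer signatureAlgorithm matters here, so the tbsCertificate contents are never decoded.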

That's when they hit the company with the first real-world version of the attack. They say they submitted a certificate for their own website to RapidSSL for signing. Then they successfully modified the resulting signed certificate to turn it into a vastly more powerful "CA certificate," stealing RapidSSL's authority to sign and verify certificates for any other site on the internet.



In theory, hackers could use such an attack in combination with a DNS attack to erect perfect counterfeit banking and e-commerce sites. In practice, though, it's unlikely real bad guys will ever use it. The work required substantial brain and computing power, and the fix is simple: Verisign, and the handful of smaller certificate authorities found using MD5, could simply upgrade to a more secure hash function, and instantly close the loophole.

"We don't believe anybody will reproduce our attack before the certificate authority has fixed it," says Molnar.

Tim Callan, vice president of product marketing for Verisign, defends the company's use of MD5. He says Verisign has been in the process of phasing out the hoary hash function in a controlled manner, and already planned to stop using it for new certificates in January.

"The RapidSSL certificates are currently using the MD5 hash function today," he concedes. "And the reason for that is because when you're dealing with widespread technology and [public key infrastructure] technology, you have phase-in and phase-out processes that can take significant periods of time to implement."

"All the information that we have is that MD5 is not any kind of significant or meaningful risk today," Callan adds.

But the new exploit seems to undermine that position. The researchers say they implemented an attack laid out theoretically in a published paper last year.

To pull off their substitution, the researchers had to generate a CA certificate and a website certificate that would produce the same MD5 hash – otherwise the digital signature wouldn't match the modified certificate. The effort was complicated by two variables in the signed certificate that they couldn't control: the serial number and the validity period. But those proved predictable in RapidSSL's automated signing system.

To do the actual math of finding the MD5 collision, they used the "PlayStation Lab," a research cluster of about 200 PlayStation 3s wired together at the EPFL in Lausanne, Switzerland. Using the powerful processors, they were able to crunch out their forgery in about three days.

"We had to come up with some new math and some operational things that were not previously known," says Molnar. The other researchers were Alexander Sotirov; Jacob Appelbaum; Dag Arne Osvik; as well as Benne de Weger, Arjen Lenstra and Marc Stevens, who wrote the 2007 paper (.pdf) that first described the precise mathematics of the attack.

Molnar says that the team pre-briefed browser makers, including Microsoft and the Mozilla Foundation, on their exploit. But the researchers put them under NDA, for fear that if word got out about their efforts, legal pressure would be brought to bear to suppress their planned talk in Berlin. Molnar says Microsoft warned Verisign that the company should stop using MD5.

Callan confirms Verisign was contacted by Microsoft, but he says the NDA prevented the software-maker from providing any meaningful details on the threat. "We're a little frustrated at Verisign that we seem to be the only people not briefed on this," he says.

The researchers expect that their forged CA certificate will be revoked by Verisign following their talk, rendering it powerless. As a precaution, they set the expiration date on the certificate to August 2004, ensuring that any website validated through the bogus certificate would generate a warning message in a user's browser.

The National Institute of Standards and Technology is currently holding a competition to replace the current standard family of cryptographic hash functions, called SHA for Secure Hash Algorithm. SHA replaced MD5 as the U.S. national standard in 1993.

Update: December 30, 2008 | 5:45:00 PM

Verisign says it's stopped using MD5, as of around noon Pacific time.

"We're disappointed that these researchers did not share their results with us earlier," writes Tim Callan, "but we're happy to report that we have completely mitigated this attack."