Members of a team of U.S. and European researchers demonstrated at the 25th Chaos Communication Congress in Berlin how they exploited a collision weakness in the MD5 hash algorithm and waged a man-in-the-middle attack on an SSL connection. They used a cluster of more than 200 PlayStation 3s to compute the MD5 collision, which cleared the way for their creation of a forged CA and forged X.509 digital certificates.
"This specific attack was only possible by colliding two MD5 hashes, but it points to a bigger issue with the way SSL certificates are issued," says HD Moore, creator of Metasploit and director of security research for BreakingPoint Systems.
One big problem is that some certification authorities, or CAs, still sign certificates with the older MD5 hash function, which is known to be weak, rather than with the newer and stronger SHA-1 cryptographic hash. Around 9,000 of the 30,000 Web digital certificates the researchers collected were signed with MD5, and 97 percent of those were issued by one CA, RapidSSL. Aside from RapidSSL, RSA Data Security, VeriSign Japan, FreeSSL, TrustCenter, and Thawte all still sign their certs with MD5, according to the researchers. These CAs are expected to switch to SHA-1 soon, however, according to the researchers, who include Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger.
They obtained a certificate from RapidSSL for their rogue Website and then used the collision to forge a CA certificate carrying RapidSSL's signing authority, which let them sign other certificates that browsers would verify. The researchers were able to impersonate a legitimate Website, complete with the padlock icon that accompanies actual secured sites.
"If it's using MD5, you can't verify it's the site, even if you've got that nice icon at the bottom," says Robert Graham, CEO of Errata Security.
Although the researchers have been criticized by some for a "zero-day" type disclosure, they were careful not to release any code for the attack, and their phony digital certificate is an expired one so it can't be abused. "The only objective of our research was to stimulate better Internet security with adequate protocols that provide the necessary security," said Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms. The researchers also informed Mozilla, Microsoft, and other vendors of their findings prior to today's presentation.
"It's imperative that browsers and CAs stop using MD5 and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard," he added.
Security experts say the attack is a major one, affecting secure Websites and email servers, and is especially dangerous because it's nearly impossible to detect. "Ultimately, this is bigger than the [Dan Kaminsky] DNS attack," Errata Security's Graham says. "The DNS attack carries so many packets on the Net that you know you're being attacked so you can detect it and respond," but not so with these forged certificates, he says.
The researchers say a rogue CA combined with the DNS flaw discovered by Kaminsky could launch "virtually undetectable" phishing attacks. A user could be sent to a malicious site that looks just like his bank, for example, and his browser would be fooled by the site's forged digital certificate.
Moore says the most worrisome risk would be countries using the hack to monitor SSL-encrypted links. "The specific case I see the most worrying is state-level. A country like China, the UAE, or possibly Australia [if the new law passes there] could use this to transparently monitor all SSL-encrypted communications going into and out of their countries," he says. "For all we know, this is already happening."
The other issue is that SSL certificates signed with MD5 will still be out there even after the CAs switch to SHA-1, so there's no way to know if sites with those certs are truly legitimate. "Many of them have multiyear expirations," notes Moore. "Any fake keys signed by that same root key would still be valid and they [CAs] can't revoke the key without causing a lot of pain to their customers. I'm interested in seeing how this gets addressed. There aren't any good solutions to it."
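A defender-side check for the lingering MD5-signed certificates Moore describes, and for the CA signing practices surveyed earlier in the story: an added example, not code from the article or the researchers. It walks the outer DER structure of an X.509 certificate to read the signatureAlgorithm OID and flags MD2/MD5 anywhere in a chain; the two "certificates" at the bottom are constructed stand-ins with a dummy tbsCertificate, not real certs.

```python
"""Flag chain members whose signature algorithm is MD2- or MD5-based.

Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
so the outer signatureAlgorithm is the second element of the top-level SEQUENCE.
"""

WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must begin with an OID")
    return _decode_oid(oid)

def weak_signatures(chain):
    """[(index, name)] for every DER cert in chain signed with MD2/MD5."""
    return [(i, WEAK_SIGNATURE_OIDS[oid]) for i, oid in
            enumerate(map(signature_algorithm, chain)) if oid in WEAK_SIGNATURE_OIDS]

def _fake_cert(alg_oid_der):
    """Constructed stand-in: dummy tbsCertificate, real AlgorithmIdentifier, empty sig."""
    tbs, sig = b"\x30\x03\x02\x01\x02", b"\x03\x01\x00"
    alg = b"\x30" + bytes([len(alg_oid_der) + 2]) + alg_oid_der + b"\x05\x00"
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body

MD5_CERT = _fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04")     # md5WithRSA
SHA256_CERT = _fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSA
```

On a live site, feed `weak_signatures` the DER bytes of each certificate in the served chain (for a single leaf, `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` from the standard library); a hit on any issuer certificate, not just the leaf, is what matters.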
There's also no way to know for sure if such an attack has already occurred on the Net, the researchers say, but it would take some significant firepower to pull it off. "The computing and technical competency requirements make this tough for a casual attacker," Moore says.
And this isn't just an SSL problem, Graham points out. "This is an entire PKI infrastructure problem," he says.