The researchers -- Jake Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Alex Sotirov, Marc Stevens, and Benne de Weger -- presented their work Tuesday at the Chaos Computing Congress, a four-day computer hacking conference held annually in Berlin.
The group identified a weakness in the public key infrastructure used on the Internet to issue digital certificates for Web sites that employ the secure HTTPS protocol.
"Our attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash," the researchers said on their Web site. "This is known as an MD5 'collision.' Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the Web to realistic threats."
Discussing the research, Princeton computer science professor Edward Felten explained on his blog that the hash is a 128-bit code that's supposed to represent a unique digest of the digital certificate in question. "To be secure, the hash method has to have several properties, one of which is that it should be infeasible to find a collision, that is, to find two values A and B which have the same hash," he wrote.
But as the researchers have shown, it's not infeasible. In theory, at least, that means someone could create a fake HTTPS banking site, for example, using a forged certificate to hijack a trusted brand name.
The group identified six certification authorities that issued certificates signed with MD5 in 2008: RapidSSL, FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte, and verisign.co.jp.
Shortly after the research was presented, Tim Callan, a product manager for VeriSign's SSL business, said in a blog post that his company had taken steps to eliminate the vulnerability. He said that VeriSign has "been in the process of phasing out the MD5 hashing algorithm for a long time now."
Microsoft also responded, issuing a security advisory Tuesday. "This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," Microsoft's advisory says. "Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm."
The research group goes further, advising that certification authorities stop using MD5 and move to more secure hash functions, such as SHA-2. While collision attacks have not yet been shown to be practical against SHA-1 hashes, work along these lines is progressing.