Yesterday’s presentation at the Chaos Communication Congress by a handful of researchers brought to light that the use of MD5 for secure computing (digital certificates, SSL, etc.) truly is gasping its last breath. A fine summary of the MD5 algorithm and its use by the Certificate Authorities is written up by Scott Merrill here.
Unfortunately, Mr. Merrill makes the same lame excuse for the CAs that most of the software world has made for decades regarding change: “MD5 has been known for some time to be weak against collision attacks, but running a CA is a pretty complex operation, so the entities behind them are slow to change.” Pretty complex? When something is broken, profitable security enterprises have the resources to change it (the researchers themselves state that the “affected CAs are switching to SHA-1”). That excuse simply is not valid.
Is this security vulnerability something that we didn’t already know about? Heck, a free MD5 crack demo is posted here and a fantastic study and MD5 collision attack source is served here.
The new work is a blow to the internet infrastructure that we depend on for secure communications. For CAs, trust is their business, and some have not been very good at deserving it. The group’s work is impactful in that it brings to public light this specific application of MD5 cracks. It takes a determined and seriously talented group like this to implement optimized algorithms for this specific application, and handle it properly. Let’s hope that their work “stimulates better Internet security with adequate protocols”.
Finally, Thomas Ptacek at Matasano made several excellent points about the work. The sky is not falling. Continue about your business on the internet with the same caution.
“If you take everything in the paper at face value, a couple things mitigate this attack:
* The research team had access not only to a cluster of PS3s but to a specially optimized MD5 collision-finding implementation, which they had because Lenstra’s team has been playing with a PS3 cluster for a while.
* The research team had access to a currently-unpublished optimization to (presumably the birthday-bits search part of) the collision-finding algorithm,
* The attack could be made impractical by randomizing the serial numbers for all future certs issued by RapidSSL (and, presumably, by banning MD5).”
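The two mitigations in that last bullet, randomized serial numbers and no MD5 signatures, are both visible in the first fields of a certificate’s tbsCertificate. As an added example (not code from the post, the researchers, or any CA), the Python below walks those DER fields with a minimal TLV reader and flags an md5WithRSAEncryption signature OID or a short, sequential-looking serial; the two sample byte strings and the 8-byte serial threshold are constructed for this example.

```python
import binascii

MD5_RSA_OID = "1.2.840.113549.1.1.4"  # md5WithRSAEncryption

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn OID content bytes into dotted form, e.g. 1.2.840.113549.1.1.4."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def audit_tbs(tbs_der, min_serial_bytes=8):
    """Return findings for serialNumber and signature algorithm; [] means both mitigations hold."""
    findings = []
    _, body, _ = read_tlv(tbs_der, 0)  # tbsCertificate SEQUENCE
    tag, _, pos = read_tlv(body, 0)  # optional [0] EXPLICIT version
    if tag != 0xA0:
        pos = 0  # no version field, so serialNumber comes first
    tag, serial, pos = read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    sig = len(serial.lstrip(b"\x00"))  # ignore DER sign-padding byte
    if sig < min_serial_bytes:  # threshold chosen for this example
        findings.append(f"serial is only {sig} byte(s): looks sequential, not randomized")
    _, alg, _ = read_tlv(body, pos)  # signature AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg, 0)
    if decode_oid(oid) == MD5_RSA_OID:
        findings.append("signature algorithm is md5WithRSAEncryption")
    return findings

# Constructed tbsCertificate prefixes (version, serialNumber, signature only; later fields are never read).
MD5_SEQUENTIAL = binascii.unhexlify(
    "3018" "a003020102" "02020b77" "300d06092a864886f70d010104" "0500")
SHA1_RANDOM = binascii.unhexlify(
    "3026" "a003020102" "02105c9e1a77f03b2d4e8a61c0b3de19f5a2"
    "300d06092a864886f70d010105" "0500")

if __name__ == "__main__":
    for name, blob in (("MD5_SEQUENTIAL", MD5_SEQUENTIAL), ("SHA1_RANDOM", SHA1_RANDOM)):
        print(name, audit_tbs(blob) or ["ok"])
```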
Update: Chris Eng similarly laments that the problem never should have happened as a guest opinion posted on the 0day blog.
For those of you interested in the characters/researchers behind the work, Alexander Sotirov recently shared conceptual details and motivations behind it:
“Most of the theory behind our attack was published in the ‘Target Collisions for MD5 and Colliding X.509 Certificates for Different Identities’ paper in 2007 by Marc Stevens, Benne de Weger and Arjen Lenstra” and that “David Molnar and Jake Appelbaum noticed that RapidSSL was still using MD5 in 2008”.