Researchers from the École Polytechnique Fédérale de Lausanne in Switzerland, the Eindhoven University of Technology and the University of Berkeley among others used the machines to create a rogue version of a certificate issued in 2004, to prove the concept. The attack, unveiled at the 25th Chaos Computing Congress, exploited existing weaknesses in the MD5 hashing algorithm, and could be used to forge the SSL certificates used on a wide variety of sites.
"Our work shows that known weaknesses in the MD5 hash function can be exploited in realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function," said a description of the attack by the authors. The attack relies on an existing weakness in MD5 that allows for the creation of identical 'collision' hashes for different files. Obtaining an original web certificate and cloning its identity but with a different public key could be used in conjunction with a redirection attack to impersonate an SSL-protected server, alleges the paper. This could make bank phishing sites even more convincing, for example.
Although the attack was used to clone an SSL certificate, the fault lies not with SSL but with the hashing technology that some use to serve it. MD5 is only one of several available algorithms, and it has already been largely deprecated by the security community because of the intrinsic weaknesses that made collision hashes possible. However, some certificate authorities are still using MD5 to sign their certificates, point out the researchers. "An effective and efficient countermeasure to remediate this vulnerability is to stop using MD5 for digital signatures. Acceptable alternatives to replace MD5, such as SHA-1, are widespread or, like SHA-2, at least becoming rapidly available," says the paper. However, it adds that SHA-1 could become susceptible to similar attacks in the future.
The researchers identified several well-known certificate authorities that they said were still releasing MD5-backed certificates, including RSA, Thawte, and Verisign Japan. RSA's vice president of product marketing Sam Curry refuted the accusation in a new year's blog post. " I am surprised that the researchers claim that there is an RSA-issued certificate from 2008 that used MD5 since our own internal enumeration shows otherwise. Any references to “RSA” or “RSA Data Security” in their research may very well be out of date," he said.
"This exploit is closed. VeriSign closed the hole approximately five hours after we learned about it. We accomplished it by replacing the MD5 hash with SHA-1, which was on our roadmap for January anyway, after our freeze period opened. Freeze periods are negotiable, so we made an exception," responded spokespeople from Verisign subsidiary Thawte. "We've been systematically phasing out MD5 for years and are in the very final steps of that process. We happen to be on pace to have MD5 removed from all end entity certificates by the end of January, 2009."
Sources in the security community told Infosecurity that such CAs, while aware of the problem, need to support both legacy applications and older mobile phones. Japan was among the first countries to push web functionality into mobile phones, and it is interesting that according to the researchers only Verisign's Japanese operation appeared to issue MD5-backed certificates.
While the attack needed 200 PS3 consoles to run successfully, it is conceivable that attackers could use a series of field programmable gate array (FPGA) chips, or even a collection of compromised PCs as part of a botnet, to divide up the work. Russian company Elcomsoft has achieved success cracking passwords by using the mathematical processing capabilities of graphical processing units (GPUs), which are found in most modern PCs.
Both Mozilla and Microsoft issued advisories about the problem.