Exploiting MD5 collisions and Creating Fake CA certificates.

MD5 has long been known for several weaknesses, with multiple proven attack scenarios showing how it can be compromised. For those reasons, a lot of us try our best to stay away from using MD5. Last week at the Chaos Communication Congress in Berlin, a group of researchers disclosed an eye-raising MD5 collision exploit and showed how it can be used to create a rogue CA certificate, particularly using a bunch of commercial CAs, couple of them you and I always considered them ;-(.

The researchers did a terrific job exposing the nitty-gritty details of the attack, showing how MD5 collisions can be abused to create fake CA certificates (precisely fake). This demonstrates a huge vulnerability in using MD5 with SSL, digital signatures, etc.

You may find the details of their work here … and download their presentations from the 25C3 web site.

You may not be surprised that the most popular OS and Linux still allow using MD5 checksums to check the integrity of files, and a couple of freeware SSL solutions still issue certificates with MD5withRSAEncryption by default. Here is a Microsoft Security Advisory in response! For those curious, you can stay away from those known MD5 vulnerabilities by choosing SHA-1 or SHA-2 (for now!!).
