The consequences of the successful MD5 attacks
At the end of 2008, an international team of researchers managed to carry out a sensational attack on MD5: they abused the signature of a Certification Authority to sign their own Certification Authority certificate. This certificate could have been used to issue arbitrary certificates that any browser would accept as trustworthy. The attack clearly demonstrated the weaknesses of MD5, a hash algorithm that is still in widespread use.
Using a cluster of 200 PlayStation 3 systems, the researchers took two days to create two valid certificate requests with predetermined data fields that resulted in identical hash values. They only modified the contents of unimportant fields, for example the Netscape comment extension. They got the RapidSSL Certification Authority to sign the first request, issued for a domain in their possession. Then they attached this digital signature to the second certificate, which confirmed the identity of the fictitious "MD5 Collisions Inc. (http://www.phreedom.org/md5)" Certification Authority. Since the second certificate's hash value is identical to that of the signed original, no program can detect the forgery by checking the signature.
This approach is called a collision attack. Attackers can modify both the forged certificate that is presented later and the original that is submitted for signing, until two variants with the same hash value are produced.
A different and far more involved approach is needed to fake the digital signature of fixed, pre-existing data that is not under the attacker's control. Cryptographers call this a "pre-image" attack. This type of attack starts from a predefined original, for example an existing document with a digital signature; the attacker tries to create a second document with different content but the same hash value. No realistic scenarios involving pre-image attacks on MD5 have so far been developed.
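The cost gap between the two attack types described above is the birthday bound: when the attacker controls both inputs, a collision on an n-bit hash takes roughly 2^(n/2) evaluations, whereas matching a fixed existing document (a second pre-image) takes roughly 2^n. The following script is an added illustration, not code from the original article or from the researchers; it truncates MD5 to a constructed 16-bit toy digest so that both searches finish in under a second, and the message prefixes it hashes are made up.

```python
"""Collision vs. second pre-image search on a deliberately truncated hash."""
import hashlib
from itertools import count

# Constructed toy parameter: truncating MD5 to 16 bits makes both searches finish
# quickly. The ratio between the two costs is what this demo illustrates.
TRUNC_BITS = 16


def toy_hash(data: bytes, bits: int = TRUNC_BITS) -> int:
    """MD5 truncated to its `bits` leading bits (real MD5 is 128 bits)."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def find_collision(bits: int = TRUNC_BITS):
    """Collision attack: the attacker chooses BOTH inputs and keeps varying them.
    Birthday bound: roughly 2**(bits/2) hash evaluations on average.
    Returns (msg_a, msg_b, evaluations)."""
    seen = {}
    for i in count():
        msg = b"certificate-request-%d" % i      # constructed, varying "unimportant field"
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int = TRUNC_BITS):
    """Second pre-image attack: `target` is fixed in advance (an existing signed
    document) and cannot be altered. Brute force: roughly 2**bits evaluations.
    Returns (forged_msg, evaluations)."""
    wanted = toy_hash(target, bits)
    for i in count():
        msg = b"forged-document-%d" % i
        if msg != target and toy_hash(msg, bits) == wanted:
            return msg, i + 1


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print(f"collision after {n_coll} hashes: {a!r} / {b!r} -> {toy_hash(a):#06x}")
    forged, n_pre = find_second_preimage(b"existing signed document")
    print(f"second pre-image after {n_pre} hashes: {forged!r}")
    print(f"pre-image cost / collision cost ~ {n_pre / n_coll:.0f}x")
```

With 16 bits the collision typically appears after a few hundred hashes and the second pre-image after tens of thousands; for full 128-bit MD5 the second figure becomes 2^128, which is why only collision attacks on MD5 have practical results so far.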
These details already paint quite a precise picture of the concrete threats implied by the current attack. The forged "MD5 Collisions CA" certificate does not represent an actual threat. An attacker would need the certificate's private key to exploit it for attacks, and the researchers are keeping this key under wraps. They also deliberately used a backdated expiration date to prevent valid certificates from being issued.
In addition, an attack like this isn't simply a matter of repetition. The researchers did not disclose some of the details of how they created the collision. The RapidSSL Certification Authority has since stopped using MD5; others will hopefully follow soon. The hack also took advantage of certain aspects of the certification process, for example that it simply allocated consecutive ascending serial numbers, making the serial numbers of certificates predictable. This means that attackers who try to copy this procedure need to invest a considerable amount of research and work to repeat this attack. A conservative estimate would be at least a few months.
It isn't automatically possible to listen in on SSL-encrypted connections, just because one of the partners is using a certificate signed with MD5. Rather, a typical attack scenario would look something like this:
To extract data like credit card details from a transmission to the SSL-encrypted page of a web shop, an attacker would have to set up a server that pretends to be the shop, authenticating itself with a forged certificate. The tools required for this are already available. In a second step, the attacker needs to divert the connection between victim and web shop to a proxy server. In a local or wireless network, this could, for example, be done via ARP spoofing. On a large scale, it would probably involve DNS spoofing or pharming, which requires vulnerable DNS servers.
Since there is no immediate danger, there is no reason to panic. Unfortunately, however, it isn't possible to simply eradicate the problem for good. The attack can only serve as a reason for distrusting MD5 and phasing it out as soon as possible. As a first step, the Certification Authorities should immediately stop using MD5 to sign certificates. In addition, the CAs should ideally contact the owners of certificates signed with MD5 and offer them a free switch to SHA-1. Although SHA-1 has also already been targeted in early attacks, these attacks have so far not had any true practical relevance. The designated successor SHA-2 is not yet ready for practical application, and SHA-3 has yet to be defined.
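Certificate owners and administrators can check which of their certificates still need replacing by reading the signature algorithm directly out of the DER structure, and the serial-number weakness mentioned earlier can be flagged at the same time. The scanner below is an added example, not a tool from the article or from any CA: it walks Certificate → tbsCertificate with a minimal DER decoder, reports the signature-algorithm OID (the md5WithRSAEncryption, sha1WithRSAEncryption and sha256WithRSAEncryption OIDs are the real standard values) and flags serials shorter than 8 bytes as likely sequential, using the modern 64-bit random-serial practice as the threshold. The two sample certificates are constructed skeletons built by the block's own encoder with empty placeholder names and a dummy signature, not real certificates.

```python
"""Flag X.509 certificates signed with MD5 and suspiciously short serial numbers."""

# Standard signature-algorithm OIDs.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
MIN_SERIAL_BYTES = 8   # >= 64 random bits is today's usual defence against predictable serials


# ---- minimal DER decoding ----------------------------------------------------
def der_read(buf: bytes, pos: int):
    """Decode one TLV at `pos`; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes):
    """Yield (tag, content) for each element inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        yield tag, inner


def decode_oid(body: bytes) -> str:
    """Decode an OBJECT IDENTIFIER body into dotted notation."""
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def inspect_certificate(der: bytes) -> dict:
    """Walk Certificate -> tbsCertificate; report signature algorithm, serial, findings."""
    tag, cert, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = list(der_children(cert))
    tbs_fields = list(der_children(fields[0][1]))                  # tbsCertificate
    i = 1 if tbs_fields[0][0] == 0xA0 else 0                       # optional [0] EXPLICIT version
    serial = tbs_fields[i][1].lstrip(b"\x00")                      # INTEGER, drop sign padding
    alg_oid = decode_oid(next(der_children(tbs_fields[i + 1][1]))[1])  # AlgorithmIdentifier.algorithm
    findings = []
    if alg_oid == MD5_WITH_RSA:
        findings.append("signed with MD5: request a re-issued certificate")
    if len(serial) < MIN_SERIAL_BYTES:
        findings.append(f"serial is only {len(serial)} byte(s): likely sequential/predictable")
    return {"signature_algorithm": SIG_ALG_NAMES.get(alg_oid, alg_oid),
            "serial_hex": serial.hex(), "findings": findings}


# ---- minimal DER encoding, used only to construct sample input ---------------
def der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(enc))
    return der_tlv(0x06, body)


def sample_certificate(sig_oid: str, serial: int) -> bytes:
    """Constructed skeleton with only the fields the scanner reads: names, validity
    and key are empty placeholders and the signature is dummy bytes."""
    alg = der_tlv(0x30, der_oid(sig_oid) + b"\x05\x00")           # AlgorithmIdentifier {oid, NULL}
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive INTEGER encoding
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, ser) + alg
                  + der_tlv(0x30, b"") * 4)                      # issuer, validity, subject, SPKI
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    samples = [("MD5, sequential serial", sample_certificate(MD5_WITH_RSA, 4242)),
               ("SHA-256, random serial", sample_certificate(SHA256_WITH_RSA, 0x1F3A9C2D4E5B6A71))]
    for label, cert in samples:
        print(label, inspect_certificate(cert))
```

For a real deployment, feed `inspect_certificate` the DER bytes of each certificate (PEM files only need base64-decoding between the BEGIN/END lines); the decoder deliberately reads no further than the two fields it needs, so it tolerates the rest of the certificate being anything DER-well-formed.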
Even though there is no immediate reason to worry, the owners of MD5 certificates should request new certificates as soon as possible. Every MD5 certificate replaced is another step towards the complete abandonment of MD5. End users can only hope that the hurdles for successful exploits are high enough, as they currently have no suitable means for protecting themselves against such encryption attacks. The FAQs on the following page are meant to at least provide a few pointers for experimentation.