Fw: [saag] Further MD5 breaks: Creating a rogue CA certificate

Steven M. Bellovin smb at cs.columbia.edu
Tue Dec 30 11:27:24 EST 2008

Begin forwarded message:

Date: Tue, 30 Dec 2008 11:05:28 -0500
From: Russ Housley <housley at vigilsec.com>
To: ietf-pkix at imc.org, ietf-smime at imc.org, saag at ietf.org, cfrg at irtf.org
Subject: [saag] Further MD5 breaks: Creating a rogue CA certificate


MD5 considered harmful today
Creating a rogue CA certificate

December 30, 2008

Alexander Sotirov, Marc Stevens,
Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de

We have identified a vulnerability in the Internet Public Key 
Infrastructure (PKI) used to issue digital certificates for secure 
websites. As a proof of concept we executed a practical attack 
scenario and successfully created a rogue Certification Authority 
(CA) certificate trusted by all common web browsers. This certificate 
allows us to impersonate any website on the Internet, including 
banking and e-commerce sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic 
hash function that allows the construction of different messages with 
the same MD5 hash. This is known as an MD5 "collision". Previous work 
on MD5 collisions between 2004 and 2007 showed that the use of this 
hash function in digital signatures can lead to theoretical attack 
scenarios. Our current work proves that at least one attack scenario 
can be exploited in practice, thus exposing the security 
infrastructure of the web to realistic threats.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
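The practical defensive response to the result above is to stop trusting MD5-signed certificates in any chain. The following is an added example, not code from the forwarded announcement or from the paper's authors: a minimal DER walker, standard library only, that pulls the outer signatureAlgorithm OID out of an X.509 certificate and flags the MD5-based PKCS#1 algorithms. The sample certificates it builds are constructed skeletons (a placeholder TBSCertificate and an empty signature), just enough structure to exercise the check; they are not real certificates.

```python
"""Flag certificates whose outer signature algorithm relies on MD5.

Added example (not part of the forwarded message).  Only the Python
standard library is used.  The certificates built by make_sample_cert()
are constructed skeletons for demonstration, not real certificates.
"""

# PKCS#1 signature algorithm OIDs (the MD5 and MD2 ones are the weak set).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_OIDS = {
    **WEAK_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode DER OID content bytes into a dotted string."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm."""
    tag, body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, _, pos = read_tlv(body, 0)          # tbsCertificate (skipped)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, alg, _ = read_tlv(body, pos)        # signatureAlgorithm
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid, _ = read_tlv(alg, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(oid)


def assess(cert_der):
    """Report the signature algorithm and whether it is MD5/MD2-based."""
    oid = signature_algorithm(cert_der)
    return {
        "oid": oid,
        "name": KNOWN_OIDS.get(oid, "unknown"),
        "md5_based": oid in WEAK_SIGNATURE_OIDS,
    }


# --- helpers to build constructed sample certificates ---------------------

def der_tlv(tag, content):
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted OID string into DER OID content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        a >>= 7
        while a:
            chunks.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunks))
    return out


def make_sample_cert(sig_oid):
    """Constructed certificate skeleton: placeholder TBS, given algorithm,
    empty signature.  Enough structure for assess(), nothing more."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))                  # serial only
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")
    sig = der_tlv(0x03, b"\x00" * 33)                             # BIT STRING
    return der_tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(assess(make_sample_cert(oid)))
```

A real deployment would run `assess()` over every certificate in a presented chain, not just the leaf, since the rogue CA in the announcement is an intermediate; a chain is only as strong as its weakest signature.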
