Potential to Create Forged SSL Certificates with the MD5 hash function

19 11 2011

The MD5 hash function has been considered to be a weak algorithm. This has been found as far back as 1996, when the weaknesses in MD5 were exposed by researchers [1]. Since then, there have been numerous articles about collision attacks on MD5 and it is clear that MD5 has been considered to be broken.

The vulnerability of MD5 has made it possible to carry out a MD5 collision attack to create fake SSL certificates. Previously, this attack was dismissed as being only theoretical but researchers demonstrated the first known application of such an attack in December 2008, running the attack in 4 weekends using a network of 200 PS3 game consoles at a cost of only $657 [2]. The attackers estimate that the same amount of processing power could be purchased from Amazon at a cost of about $1,500. The attack works by allowing an attacker to appoint itself as an Intermediate Certificate Authority (CA), and to then generate trusted certificates which the real CA does not know about [2].

While CAs today have stopped issuing new certificates based on the MD5 hash function, it would be possible that an attacker could have made use of this knowledge immediately after the vulnerability of MD5 was made known in December 2008 to obtain rogue CA certificates. Also, it is probable that there were others who knew about this vulnerability before it was publicly announced and made use of it in the same way. What an attacker could have done was to have the CA sign a non-CA certificate that was in collision with their rogue CA certificate, get the non-CA certificate signed and apply the signature to the rogue CA certificate [3]. Those rogue CA certificates would then have the ability to sign additional certificates on any domain [4]. Carried out with DNS spoofing, a rogue CA certificate could be used to impersonate a legitimate website with the browser showing that it is a secure connection. The possibilities are many, from impersonating banking websites to e-commerce websites to email websites to get passwords and credit-card numbers.

Now going forward to our current moment, we have already experienced a successful attack on SSL. In June 2011, hackers broke into DigiNotar’s systems to create forged certificates for the Google domain name, and those fake SSL credentials were used to spy on 300,000 Iranian internet users [5]. Even worse, DigiNotar only revoked the certificate for Google.com at the end of July and only went public a month later [5]. What that was once deemed highly unlikely – an attack on the root CA was successfully accomplished. Learning from this incident, it could be highly possible for unlawful individuals or governments to already possess such rogue CA certificates, so as to carry out an impersonation attack at an opportunistic time. Also, our computing power has improved tremendously from December 2008 to now. Carrying out a collision attack on MD5 would now require lesser amounts of computing time. Moreover, the DigiNotar incident showed that it is in the interest of governments to create forged certificates; governments have access to much more resources as well as computing power to carry out an attack.

A check on the list of root certificates accepted by Microsoft showed that there are still 39 root certificates based on the MD5 signature hash that are accepted [6]. The reason given was “to allow for certificate chain building for previously signed code and certain SSL-protected websites [6].” Mozilla on the other hand has stopped accepting intermediate and end-entity certificates that are based on MD5 as a hash algorithm [7]. To test this out, I tried to access the website that was created to demonstrate the rogue CA certificate created from the MD5 collision attack, available at https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/. I managed to successfully access the website using Microsoft Internet Explorer and had the SSL padlock icon on it (after changing my system time as the rogue certificate was intentionally crippled to prevent it from falling to the wrong hands). However, when I tried using Mozilla Firefox, I could not access the page and had an error message stating that the certificate had an invalid signature. As such, up to today, Microsoft Internet Explorer users are still vulnerable to this attack.

To close the security loophole, Microsoft should follow Mozilla’s lead to reject certificates that have MD5 as the hash function. While this may mean incompatibility problems for some SSL-enabled websites, it would force those websites to change their certificates to have a minimum of a SHA-1 hash function. Microsoft should not wait till an attack happens before it does so; the DigiNotar incident has already shown that a successful attack on the SSL mechanism is not impossible.

_______________________

[1] Kerner, S.M. (2004). MD5 Flaw Threatens File Integrity. Retrieved from http://www.internetnews.com/dev-news/article.php/3446071/MD5+Flaw+Threatens+File+Integrity.htm

[2] Corelis, T. (2009). MD5 Is Officially Insecure: Hackers Break SSL Certificates, Impersonate CA. Retrieved from http://www.dailytech.com/MD5+Is+Officially+Insecure+Hackers+Break+SSL+Certificates+Impersonate+CA/article13842.htm

[3] Adams, M. (2009). SSL MD5 PKI vulnerabilities threaten Web security. Retrieved from http://www.spamstopshere.com/blog/2009/01/08/ssl-identity-vulnerabilities-threaten-web-security/

[4] Edge, J. (2009). SSL Certificates and MD5 Collisions. Retrieved from http://lwn.net/Articles/314997/

[5] Leyden, J. (2011). DigiNotar goes titsup: Disgraced certificate firm is sunk. Retrieved from http://www.theregister.co.uk/2011/09/20/diginotar_bankrupt/

[6] Albertson, T. (2011). Windows Root Certificate Program – Members List (All CAs). Retrieved from http://social.technet.microsoft.com/wiki/contents/articles/2592.aspx

[7] Mozilla. (2011). Dates for Phasing out MD5-based signatures and 1024-bit moduli. Retrieved from https://wiki.mozilla.org/CA:MD5and1024