The truth about the new attack on MD5 signatures

Chenxi Wang

In December 2008, a group of researchers demonstrated a credible attack against MD5 signatures. Since then, Forrester received a number of client inquiries regarding the security strength of their MD5 certificates. There seems to be much confusion over what the attack is about and its actual consequences.

To properly understand the security consequence of this attack and the impact on certificates, we need to understand how the attack works. The researchers demonstrated a successful attack against the RapidSSL certificate authority, which uses MD5 signatures to sign certificate requests. This is how the attack worked: the researchers first got the RapidSSL CA to sign a particular certificate request, issued for a domain in their control. This request and the ensuing signature are completely legitimate. The researchers then demonstrated that they were able to create a second certificate bearing the same signature, for a separate made-up entity. In essence, they were able to find two certificates with the same valid signature. In cryptographic parlance, this is a hash “collision” attack.

How bad is this attack? It’s important to understand that the researchers were able to create a collision attack for a “particular” original signature, namely a signature that is under the attacker’s control. Not for “any” original signatures. If you have a MD5 valid RapidSSL certificate, the chances are good that no one will be able to create a fake certificate that has the same signature as yours. However, this attack put forth an increased risk of encountering fake MD5 certificates on the Internet.

VeriSign, the owner of RapidSSL CA, has stopped using MD5 signatures altogether by the end of January 2009. VeriSign is moving to SHA-1 signatures, which is the current standard. Although SHA-1 has also been found to be vulnerable to collision attacks*, finding a collision with SHA-1 requires much more computational power and therefore it is safe to assume that SHA-1 is more secure than MD5. Again, if you currently have a valid MD5 certificate, there is no need to panic and no need to upgrade right now. You can simply let your certificate expire at the end of its lifetime and then move to a SHA-1 certificate.

What is the long term consequence? It’s likely that even SHA-1 will be broken by ordinary means some day, as computational resources become cheaper every day. We at Forrester will do our best to bring you the latest in terms of new attacks and threats. But as an organization that conducts secure business online, you should remain aware of advances in cryptographic technologies and new crytoanalysis methods.

*Two papers detailed the attack on SHA-1 algorithm were presented at Crypto 2005 rump session:  "Efficient Collision Search Attacks on SHA-0" and "Finding Collisions in the Full SHA-1Collision Search Attacks on SHA1” by XiaoYun Wang.

Comments

re: The truth about the new attack on MD5 signatures

Wonder what are the chances of this attack being actually exploited. From what I read, this attach could be pulled off due to certain flaws in the process. If these flaws are addressed, it makes it more difficult to break.

re: The truth about the new attack on MD5 signatures

The actual chance of the attack happening in the wild is not zero, but pretty slim, especially now that VeriSign has taken down the RapidSSL service. This is a vulnerability in the crypto algorithm, not something a process can fix (or the lack of it can trigger). Again, existing RapidSSL signatures should be safe, the only thing that may worry you is newly created ones.