Security researchers have successfully created a forged certificate authority, exploiting a so-called "colliding certificates" attack, clearly indicating that the certification authorities must advance their security related standards with immediate effect.
While addressing the 25th Chaos Communication Conference that is held in Berlin from December 27 to 30, a consortium of security researchers demonstrated the use of hashing attacks on MD5 algorithm for creating forged certificates.
MD5 hashing algorithm is frequently being used by the companies, like Verisign and Thawte, to issue SSL security certificates to its users. The hash code is a crucial part of ‘public-key cryptography’, on which SSL is based, as it is indispensable to safeguarding the private codes used by certificate authorities for issuing safe SSL certificates.
As the hashes generated with MD5 algorithm have found to be vulnerable to “collisions”, or numerous inputs triggering the same output, these could be exploited by the attackers in deriving a functional key from a single SSL certificate, and then using that key to sign the further SSL certificates with genuine CA’s signature.
The vulnerability is theoretically known since 2004, and a number of security researchers rejected its practical application, due to the amount of CPU time required to exploit a single hash for collision. The researchers used 200 Off-the-shelf Playstation 3 Gaming consoles to perform the necessary calculations.
Go To Page 2 for our comments and more related links
This is slightly frightening. The researchers used 200 PS3 game consoles over eight days. The next generation gaming console (like the future Playstation 4) will be capable of hitting the one Teraflop barrier while the current one tops 0.2 Teraflop. More worrying, future cloud-computing services could make it even simpler to crack security algorithms.
(Redmond Channel Partner)