The Latest MD5 Attack - The Sky Continues to Fall

Overnight Australian time, at the 25th Chaos Computer Club Conference in Berlin, a presentation has described a successful method to create a rogue CA certificate.

Although officially 'broken' in 2004 when hash collisions were first reported, MD5 has continued to remain in vogue as no-one could figure out how to make use of the attack.

Consider the figuring-out to be over.

MD5 (or Message Digest 5) is a cryptographic hash function developed by Ron Rivest (the 'R' in RSA) which produces a 128-bit summary (or digest) of a file. It was intended, and always assumed, that locating two source files which produce the same 128-bit hash was cryptographically 'difficult' to achieve, thus allowing the hash to act as some kind of proof that the file was unaltered.

Extending the Chinese research, it became obvious that all that was needed was to isolate a small portion of the second file and 'fiddle' with that section until a hash collision was achieved.  Obviously, that would require fiddling with either unimportant or non-obvious portions of the file – suggestions include random padding or (much smarter) graphics images where seemingly invisible changes can be made without altering the appearance of the picture.

All well and good.  But how might that be used?

Enter Alexander Sotirov and his fellow presenters at last night’s CCC Conference presentation.

They have found an easy way to duplicate an intermediate Certificate Authority’s (CA) certificate and masquerade as a legitimate (but actually bogus) Intermediate Certificate Authority which will be trusted by ALL major browsers.  This is achieved by a rapid computation of the bogus information to match the MD5 hash of the valid data.  Note that (at the moment) rapid = roughly a day of computation on a cluster of 200 PS3s.

In case you’re wondering, they have actually done it; they have a fully-configured, seemingly valid CA which is entirely fake.

Read on for why the internet isn’t quite as broken as this all might suggest, and further on for why it really is seriously broken.