YOUR IT - Technology for you

The Latest MD5 Attack - The Sky Continues to Fall


Overnight Australian time, at the 25th Chaos Computer Club Conference in Berlin, a presentation has described a successful method to create a rogue CA certificate.

Although officially 'broken' in 2004 when hash collisions were first reported, MD5 has continued to remain in vogue as no-one could figure out how to make use of the attack.

Consider the figuring-out to be over.

MD5 (or Message Digest 5) is a 128-bit cryptographic hash function developed by Ron Rivest (the 'R' in RSA) which produces a 128-bit summary (or digest) of a file.  It was intended and always assumed that locating two source files which produced the same 128-bit hash was cryptographically 'difficult' to achieve, thus allowing the hash to act as some kind of proof that the file was unaltered.

Extending the Chinese research, it became obvious that all that was needed was to isolate a small portion of the second file and 'fiddle' with that section until a hash collision was achieved.  Obviously, that would require fiddling with either unimportant or non-obvious portions of the file – suggestions include random padding or (much smarter) graphics images where seemingly invisible changes can be made without altering the appearance of the picture.

All well and good.  But how might that be used?

Enter Alexander Sotirov and his fellow presenters at last night’s CCC Conference presentation.

They have found an easy way to duplicate an intermediate Certificate Authority’s (CA) certificate and masquerade as a legitimate (but actually bogus) Intermediate Certificate Authority which will be trusted by ALL major browsers.  This is achieved by a rapid computation of the bogus information to match the MD5 hash of the valid data.  Note that (at the moment) rapid = roughly a day of computation on a cluster of 200 PS3s.

In case you’re wondering, they have actually done it; they have a fully-configured, seemingly valid CA which is entirely fake.

Read on for why the internet isn’t quite as broken as this all might suggest, and further on for why it really is seriously broken.


