Hackers Break SSL Certificates

by Brad K on 01/05/2009 in Security, Security Info

SSL certificates have become a huge part of Internet security. SSL certificates use hash codes generated by a variety of algorithms, to verify their issuer’s identity. The hash code is an important feature of public-key cryptography, which SSL is based on. SSL is used to protect the secret, private code that CAs uses to sign SSL certificates.

The researchers exploited a weakness specific to hashes generated with the MD5 algorithm. The MD5 algorithms are prone “collisions” or to multiple inputs producing the same output.

Security researchers knew that it was possible for MD5 collisions as early as 2004. Most researchers dismissed this as theoretical. The 25C3 researchers said they ran the attack, using a network of 200 PlayStation 3 game consoles at a cost of $657. The attack took only 4 weekends.

Using Amazon’s cloud-computing EC2 service, and about $2000 researchers say they could perform a similar attack. The attack would take about a day.

A successful attack would allow attackers to appoint themselves as an Intermediate Certificate Authority, and then generate trusted certificates without having to contact a real CA. The spoofed certificates could then be used to add the appearance of legitimacy to a phishing site designed to steal bank account passwords, for example.

The Extended-Validation SSL certificates cannot be cracked by the exploit demonstrated at the 25C3 presentation.

Microsoft reportedly downplayed the threat, stating that the researchers withheld important information that renders the attack “not repeatable”.

Customers holding an MD5-signed SSL certificate will need to contact their CA to acquire and install a new certificate on their servers.