"MD5 Considered Harmful Today"

Yesterday (December 30, 2008) a very interesting paper called “MD5 Considered Harmful Today – Creating a Rogue CA Certificate” was published, authored by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger.

This paper describes how collisions in the MD5 hash function were used to forge an intermediate CA certificate carrying a valid signature from a “trusted” root CA, starting from an end-entity certificate issued by that same “trusted” root CA.

Besides the theoretical foundations of the collision search algorithm, there are lots of interesting engineering aspects described in the paper, namely:

  • The search for root CAs that use MD5
  • How to predict the serial number and validity period of the end-entity certificate issued by the root CA
  • How the collision search space was defined
  • How a cluster of PlayStation 3 consoles was used to run the collision algorithm

The paper also contains a set of recommended counter-measures against the described attack.
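The defensive counterpart of “the search for root CAs that use MD5” is auditing your own trust store for MD5-based signatures. The following is an added example, not code from the paper or this post: a minimal DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate so it can be compared against md5WithRSAEncryption. `fake_cert()` builds a constructed stand-in certificate for demonstration; the raw DER bytes of a real certificate are parsed the same way.

```python
# Added example (constructed; not the paper's code): extract signatureAlgorithm from DER.
MD5_WITH_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

def der_tlv(tag, content):
    # Short-form length only; enough for the constructed sample certificate.
    return bytes([tag, len(content)]) + content

def der_oid(dotted):
    # Encode a dotted OID: first two arcs packed into one byte, the rest base-128.
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def read_tlv(buf, pos=0):
    # Decode the TLV at buf[pos] (short or long-form length); returns (tag, content, next pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, body, _ = read_tlv(cert_der)
    _, _, pos = read_tlv(body)            # skip tbsCertificate
    _, algid, _ = read_tlv(body, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(algid)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid)

def fake_cert(sig_oid):
    # Constructed stand-in: empty tbsCertificate, real AlgorithmIdentifier, dummy signature.
    algid = der_tlv(0x30, der_tlv(0x06, der_oid(sig_oid)) + der_tlv(0x05, b""))
    return der_tlv(0x30, der_tlv(0x30, b"") + algid + der_tlv(0x03, b"\x00" * 5))
```

A certificate whose `signature_algorithm_oid` equals `MD5_WITH_RSA` is one the paper's attack applies to; note that this reads the outer signature field, and the inner tbsCertificate.signature field should agree with it.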
