Guest post by Chris Eng
In the wake of this morning's 25C3 presentation by Alex Sotirov and Jacob Appelbaum, most of the coverage I've read so far has focused on the technical details and real-world impact of their findings. Rightly so -- their paper describing the attack is a fascinating read filled with enough gory details to make any security practitioner salivate.
To summarize, the crux of the attack was the fact that certain certificate authorities (CAs) still use the MD5 algorithm to sign SSL certificates. The researchers exploited this practice by harnessing some existing academic research on MD5 chosen-prefix collisions and sprinkling in a few additional tricks.
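The defensive counterpart to the point above is an audit: does any certificate in a chain you rely on carry an MD5-based signature? The following Python is an added example, not code from the post or from the researchers; it walks just enough DER to pull the signatureAlgorithm OID out of an X.509 certificate and flags the MD5 (and older MD2/MD4) PKCS #1 OIDs. The `make_stub_cert` helper builds a constructed stand-in with the right outer shape so the example runs offline; a real audit would feed it DER from your trust store or from a served chain.

```python
"""
Audit helper: extract the signatureAlgorithm OID from a DER-encoded X.509
certificate and flag MD5-family signatures. Pure standard library.
"""

# PKCS #1 signature-algorithm OIDs. Only the first three are considered weak here.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", True),
    "1.2.840.113549.1.1.3": ("md4WithRSAEncryption", True),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the length-byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                    # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)         # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)  # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, ... }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def audit(cert_der):
    """Return {'oid', 'algorithm', 'weak'} for the certificate's signature algorithm."""
    oid = signature_algorithm_oid(cert_der)
    name, weak = SIGNATURE_OIDS.get(oid, (oid, False))
    return {"oid": oid, "algorithm": name, "weak": weak}


# --- constructed test fixture (assumption: shape only, not a real certificate) ---

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def make_stub_cert(sig_oid):
    """Three-element SEQUENCE with the outer layout of a Certificate; contents are placeholders."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                  # tbsCertificate stub
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")   # AlgorithmIdentifier { oid, NULL }
    sig = _tlv(0x03, b"\x00" + b"\x00" * 32)               # signatureValue BIT STRING stub
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(audit(make_stub_cert(oid)))
```

The same walk applies to each certificate in a chain; a root's self-signature is irrelevant (the root is trusted by inclusion, not by signature), so the check matters for intermediates and leaves, which is exactly where an MD5-signed CA certificate would sit.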
The most frustrating part of this whole debacle is that it should have never happened.
Like any widely-used cryptographic hash function, MD5 has been scoured for weaknesses by cryptanalysts since its introduction in 1991. The first significant cracks in the surface appeared at the CRYPTO 2004 conference in August 2004, when Xiaoyun Wang presented a paper entitled Collisions for Hash Functions that described a method for producing MD5 collisions.
History has shown repeatedly that cryptanalysis is an evolutionary process. Each subsequent compromise builds on top of prior work, and each new attack is more practical than the last. The Wang presentation should have been a wake-up call that the clock was ticking on MD5. But, aside from the security community, nobody paid much attention.
At the time, I was employed as a security consultant for @stake, and I can remember revising all of our deliverable templates to remove any mention of MD5 from our best practices or boilerplate text. Even some of my own colleagues were split on whether that was necessary, since the attack didn't have any practical implications yet. I agreed that we had no reason to act like the sky was falling, but it would only be a matter of time until a practical attack would be discovered. As such, our customers should be advised, at the very least, to eradicate MD5 from their code going forward.
But people tend to be lazy. The typical enterprise mindset can best be summarized as "if it can't hurt me today, stop bothering me," and that probably won't change anytime soon. For an enterprise application, the risk is bounded. If you choose to use a weak hash algorithm in your custom web application, you only hurt yourself and your customers. Apparently, that is a risk people are willing to take, even though switching hash algorithms is a fairly trivial code modification.
A few years later, right on cue, Marc Stevens released a master's thesis entitled On Collisions in MD5 (.pdf), detailing a chosen-prefix attack against MD5. This was a significant breakthrough and one crucial step closer to the practical, real-world attack revealed today in Berlin.
It's an absolute travesty that the CAs failed to act not only on the Wang research, but on every other MD5 attack that has materialized since. Any organization that is in the business of selling trust should take all possible measures to be trustworthy, and the CAs failed miserably in that regard.
* Chris Eng is senior director of security research at Veracode. He is currently removing root CAs from his web browser.