UPDATED 11:48 a.m.: Added more information about a 2001 certificate problem that involved Microsoft.
A team of United States and European computer security researchers has used a cluster of several hundred Sony PlayStation 3 video-game machines to exploit a basic weakness in the software system used to protect commercial transactions made via the Internet.
The attack is possible because a handful of commercial organizations that provide components of the basic security infrastructure of the Internet are using an older security technology — despite years of warnings that it is now potentially obsolete. The flaw would make it possible for a criminal to redirect a Web surfer to a fake bank or online merchant without being detected by the security mechanism embedded in today’s Web browsers. It could also be used to subvert e-mail communications and other applications that use cryptographic software for authentication and security.
The demonstration underscores that the commercial infrastructure of the Internet, as well as its privacy and security, are based on an advanced branch of mathematics that in the future may become vulnerable to more powerful computing systems and more clever attackers.
Today’s browsers display a tiny image of a padlock when a user has a secure connection to a Web site. This is intended to provide evidence that the Web site is legitimate, as the browser and the site exchange digital certificates provided by a certificate authority — a trusted third party.
Researchers have proved they can create fake certificates that will be accepted by the security system.
Although most certificate authorities have shifted to a more modern digital fingerprinting algorithm known as SHA-1, a small number have not. The digital certificate system is designed in such a way that if a single certificate authority can be compromised, it is possible for an attacker to mass-produce forged certificates that undermine the “web of trust” the entire system is based on. It relies on public key cryptography, a system in which each user creates a public and private key — long numbers — to help mathematically prove their identity and encrypt and decrypt information.
The results of the research were announced Tuesday afternoon in a paper the researchers presented at a technical conference in Berlin. The flaw is contained in an algorithm known as MD5, which is widely used to produce unique digital fingerprints. The weakness had first been discovered in 2004 by a group of Chinese researchers, but at the time, it still required vast amounts of computing to produce a forged certificate.
But the group of independent cryptographers and mathematicians, based in California, the Centrum Voor Wiskunde en Informatica and Eindhoven University of Technology in the Netherlands and the École Polytechnique Fédérale de Lausanne in Switzerland, was able to create a “collision” — generating two different messages sharing an identical signature — in just three days of computing. The researchers estimated that it would take a typical desktop machine about 32 years to perform the same calculations.
The researchers said that by creating a fake certificate, they had demonstrated that a critical part of the Internet security infrastructure is not safe. To ensure that it was not used for criminal purposes, Arjen Lenstra, the head of E.P.F.L.’s Laboratory for Cryptologic Algorithms, said they had created the certificate to be valid for only one month, August 2004, as a proof of concept.
Computer security specialists were divided on the significance of the exploit.
“This is good research,” said Bruce Schneier, chief security technology officer for British Telecom. “But in the scheme of things, how many people do we know who rely on these certificates for anything? When was the last time you checked your browser certificates to make sure they’re good?”
Others said that the researchers had done a valuable service by exposing lax practices in the industry.
“It’s shocking that a commercial certificate authority is still using only MD5,” said Paul Kocher, president and chief scientist of Cryptography Inc., a San Francisco-based computer security firm. “Although the problems with MD5 have been known for ages, the paper does a clever job of demonstrating how a badly run certification authority can be subverted.”
“It impacts 99 percent of the browser infrastructure and it goes beyond Web browsers,” said Jacob Appelbaum, an independent computer security researcher based in San Francisco. Also potentially affected are e-mail and chat servers and online collaboration systems.
Although the MD5-only certificate authorities were not identified in the paper, one of the California-based researchers, Alexander Sotirov, said that two low-cost providers of digital certificates, RapidSSL and FreeSSL, relied on the vulnerable algorithm. Both of them are owned by Geotrust, a Mountain View, Calif., company that was acquired earlier this year by VeriSign. Mr. Sotirov said that the researchers had contacted the firm and that it was ending its reliance on the MD5 algorithm. Researchers said they were also investigating a Japan-based firm that appears to rely solely on MD5.
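The reason a collision matters is that a certificate authority never signs the certificate itself, only a digest of its tbsCertificate body; if two different bodies share an MD5 digest, a signature issued for one verifies on the other. The practical check a defender can run is therefore to read the signature algorithm out of a certificate and refuse anything MD5-based, which is what the following added example does. It is not code from the article or from the researchers; it is a minimal DER walker written for this page that reads the signature AlgorithmIdentifier from an X.509 certificate, decodes its OID, and classifies it. The certificates it scans are constructed in the script (they are skeletal and not valid certificates), and the OID table holds only the PKCS #1 RSA signature OIDs; any other OID is reported as unknown rather than guessed at.

```python
"""Flag X.509 certificates whose signature algorithm is MD5-based.

Added example for this page, not the article's or the researchers' code.
Walks raw DER: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
signature }, and tbsCertificate starts with [0] version (optional), serial,
then the signature AlgorithmIdentifier whose OID names the hash+signature pair.
"""
import base64

# PKCS #1 signature OIDs (RFC 3279 / RFC 4055). Anything else is left as "unknown".
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "deprecated"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of the signature algorithm named inside tbsCertificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:  # [0] EXPLICIT version is absent in v1 certificates
        tag, _, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    tag, alg, _ = read_tlv(tbs, pos)  # signature AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier has no OID")
    return decode_oid(oid)


def classify(cert_der):
    """Return (algorithm name, status) for a DER certificate; status is
    'broken', 'deprecated', 'ok' or 'unknown'."""
    oid = signature_algorithm_oid(cert_der)
    return SIGNATURE_OIDS.get(oid, (oid, "unknown"))


def load_pem(text):
    """Strip the PEM armour lines and return the DER bytes (for real files)."""
    body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


# --- constructed sample certificates (skeletal, not valid; only the fields the
# check reads carry meaning) ---------------------------------------------------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_certificate(sig_oid):
    """Constructed Certificate carrying sig_oid; issuer/validity/subject/key are
    empty placeholders and the signature is dummy bytes."""
    version = der(0xA0, der(0x02, b"\x02"))  # v3
    serial = der(0x02, b"\x01\x02\x03")
    alg_id = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    tbs = der(0x30, version + serial + alg_id + der(0x30, b"") * 4)
    signature = der(0x03, b"\x00" + b"\xAA" * 16)
    return der(0x30, tbs + alg_id + signature)


if __name__ == "__main__":
    for label, oid in [("md5 cert", "1.2.840.113549.1.1.4"),
                       ("sha256 cert", "1.2.840.113549.1.1.11")]:
        print(label, classify(sample_certificate(oid)))
```

For a real certificate, `classify(load_pem(open("cert.pem").read()))` gives the same verdict; note that the check must be applied to every certificate in the chain, since the attack in the article targets what an MD5-signing CA will sign, not the leaf the user ultimately sees.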
The certificate authority system has been subverted in the past. One case occurred in 2001, when VeriSign issued certificates to a person claiming to represent Microsoft. Because the certificates had the name “Microsoft Corporation,” they could have been used to convince someone that fraudulent software updates came from the software publisher. (Microsoft offered a software patch to deal with the problem.)