First let me say that this article is not meant to diminish the work that Alexander Sotirov et al. have been doing for the past 6 months. It’s good work, has brought about some awesome results, and has demonstrated what was once a theoretical attack on PKI certificates based on MD5 hash collisions. What I’m amazed at is that it had the impact that it actually did.
I’m also surprised that Verisign then whined about not having any details about the problem or enough time to fix the problem before the details were made public at the recent Chaos Communication Congress. Ignoring for the moment that they did have information directly from this research effort via Microsoft and it got “lost in the holiday mix”, what more information do you really need than the fact that MD5 has been broken for years and you shouldn’t have still been using it in the first place? Verisign’s products and business model are almost entirely based on cryptography; they really should be current with their core-competency subject matter and really have no excuse at all to still be using MD5 anywhere.
The National Institute of Standards and Technology (NIST) decertified MD5 for secure operations nearly a decade ago. This was the point when the people responsible for its use in various security systems (like PKI!) should have started the process of selecting a successor hash algorithm for their systems to use and migrating to it. Significant advances in collision attacks against MD5, among other algorithms, were later presented at CRYPTO 2004. This was the point, nearly six years after the original NIST decertification, at which usage of MD5 should have been minimal, and if you were still using it you should have immediately addressed that fact.
And here we are, an additional four years later, and MD5 is still being used in SSL certificates issued by the “industry leaders” of that space. And they claim they didn’t have enough time to fix the problem? Really?
The thing about cryptanalysis is that once an algorithm is broken, no matter how trivial that initial break may be, it only gets worse from there. I’m concerned that the companies that manage all of these PKI systems that are now moving away from MD5 are apparently moving to SHA-1. NIST has already recommended abandoning SHA-1 in favor of SHA-2 (256, 512, etc.) and is scheduled to decertify SHA-1 in 2010. SHA-1 was already successfully collision-attacked back in 2005, and as I said, attacks against SHA-1 will only get worse now that it’s initially been broken. These companies should be skipping SHA-1 entirely and moving straight to at least SHA-256 or SHA-512 until the currently ongoing NIST hash competition selects the next standard hash algorithm, which will then be named SHA-3 (my money’s on Skein). Anyone moving from MD5 to SHA-1 is only setting themselves up for a likely repeat of the same problems a couple of years from now.
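As an added example (not code from the post), here is the kind of inventory check a CA or relying party could run over its certificate store to find out which hash it is actually trusting: a minimal DER walker that reads the signatureAlgorithm OID out of an X.509 certificate and classifies MD5- and SHA-1-based signatures as weak. The certificate bytes it is run on are constructed here and content-free; only the outer structure is real.

```python
"""Classify the signature hash of an X.509 certificate from its DER bytes."""

# OIDs for common signature algorithms (RFC 3279 / RFC 4055 / RFC 5758).
WEAK = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
ACCEPTABLE = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def der_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn OID contents into dotted form: first byte packs two arcs, rest are base-128."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = der_tlv(cert_der)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _, pos = der_tlv(body)              # skip tbsCertificate
    _, alg, _ = der_tlv(body, pos)         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = der_tlv(alg)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid)

def classify(cert_der):
    """Return ('weak' | 'ok' | 'unknown', algorithm name or raw OID)."""
    oid = signature_oid(cert_der)
    if oid in WEAK:
        return "weak", WEAK[oid]
    return ("ok", ACCEPTABLE[oid]) if oid in ACCEPTABLE else ("unknown", oid)

def fake_cert(oid_tlv):
    """Constructed sample: empty tbsCertificate, given AlgorithmIdentifier, dummy signature."""
    alg = b"\x30" + bytes([len(oid_tlv) + 2]) + oid_tlv + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body

MD5_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"     # 1.2.840.113549.1.1.4
SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
```

Running `classify` over a directory of real DER certificates (e.g. a CA's issued-certificate archive) gives the MD5/SHA-1 exposure the post argues should have been zero years ago.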