Wednesday, January 14, 2009

Weakened Algorithm Threatens Online Identity

Monday, January 12, 2009

How an outdated algorithm put secure Internet transactions at risk.

By Erica Naone, technologyreview.com

Most people know to look for a padlock icon in the corner of their browsers when banking or conducting other sensitive transactions online. In part, this means that the site has a certificate that has been verified by a higher authority to confirm its identity. Recently, however, a team of security researchers found that a critical security system can be undermined by taking advantage of the outdated algorithms that some companies used to create these certificates. A loose-knit group of security researchers from the United States and Europe presented details of the attack at the 25th Annual Chaos Communication Congress in Berlin at the end of December.

The padlock is part of the key online security protocol called SSL (Secure Sockets Layer), and it appears as an assurance that a transaction is safe from eavesdropping, tampering, or forgery. A hacker can easily create a banking website that looks like the real thing, but it's much harder to forge the digital certificate that accompanies the site. This is because SSL uses a clever trick to create each certificate: two mathematically linked keys, one of which is kept secret while the other is published openly on the Internet.

Necessary firepower: Security researchers undermined the certificate system that secures sensitive online transactions. To perform the necessary calculations, the researchers used a cheap cluster of 200 PlayStation 3 machines. The multiple cores of the PlayStation 3 are particularly suited to performing the kinds of calculations needed for the attack, the researchers say. 
Credit: Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger. The cluster was sponsored by EPFL DIT and by a matching equipment grant from the Swiss National Science Foundation.

A select group of trusted higher powers--known as certificate authorities--can verify the identity of a website. An authority does this by checking that the site is genuine before using its own private key to sign a certificate that contains the website's public key. A main part of the procedure also involves applying what's known as a hash function to the certificate, and the signature is generated from the result. Anyone who visits that site can verify that this certificate is genuine by checking the signature and referring back to the certificate authority's public key.

All this happens behind the scenes, and popular browsers such as Internet Explorer and Firefox have built-in trust for certain certificate authorities, explains Paul Kocher, president and chief scientist of the security company Cryptography Research, who was involved in creating the latest version of SSL. Any certificate that can be traced back to one of those authorities is automatically trusted by the browser. "The entire browser trust model relies on all of the certificate authorities acting well," Kocher notes.

However, some certificate authorities still use a hash function called MD5 to produce certificate signatures. Most authorities have abandoned MD5 because researchers have shown it to be vulnerable to what is called a collision: under certain circumstances, it's possible to produce two certificates that will generate exactly the same digital signature.

A hash function's value disappears if it's easy to produce two certificates with exactly the same fingerprint, explains Marc Stevens, a PhD student in the cryptology and information security group at the Centrum Wiskunde & Informatica, in the Netherlands, whose work on MD5 was crucial to the research. Stevens has been producing collisions using MD5 for several years, enlisting the computing power of 200 PlayStation 3 consoles. The architecture of these machines' microprocessors is well-suited to the kinds of calculations needed for his work. Stevens says that it would take about 8,000 PCs to equal the power that the PlayStations provide. Using the hardware, the team was able to perform the calculations needed for the attack in the space of a weekend.

To pull off the attack, the team created a normal certificate and had it signed by a certificate authority that still uses MD5. However, the team engineered a collision to create a second certificate--an "evil twin"--that matched the signature of the first and also seemed to say that the original certificate authority had delegated its certificate-signing powers to the owner of the evil twin.

The evil-twin certificate could then be used to create certificates for any website on the Internet, allowing a malicious individual to impersonate trusted banking websites, padlock icon and all, without raising any of the alarms meant to protect users.
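The mechanism described above, in which the authority signs only a hash of the certificate so that a second certificate with the same hash inherits the signature, can be shown on a toy scale. This is an added illustration, not code from the article or from the researchers. It assumes a tiny RSA key, SHA-256 truncated to 20 bits as a stand-in for a broken hash, and plain strings in place of real certificates; all names are hypothetical.

```python
import hashlib

# Toy RSA key for the stand-in authority (constructed; far too small for real use).
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def weak_hash(data: bytes) -> int:
    """Stand-in for a broken hash: SHA-256 truncated to 20 bits."""
    return int.from_bytes(hashlib.sha256(data).digest()[:3], "big") >> 4

def strong_hash(data: bytes) -> int:
    """64 bits of SHA-256: out of reach for the small search below."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def ca_sign(cert: bytes, hash_fn) -> int:
    """The authority signs the digest of the certificate, not its full bytes."""
    return pow(hash_fn(cert), D, N)

def verify(cert: bytes, sig: int, hash_fn) -> bool:
    """Check a signature against the authority's public key (E, N)."""
    return pow(sig, E, N) == hash_fn(cert)

def make_cert(subject: str, is_ca: bool, filler: int) -> bytes:
    # Constructed stand-in for certificate fields; not real X.509.
    return f"subject={subject};ca={is_ca};filler={filler}".encode()

def find_colliding_pair(hash_fn, tries=8192):
    """Look for an ordinary certificate and a CA certificate with equal digests."""
    ordinary = {}
    for i in range(tries):
        cert = make_cert("site.example", False, i)
        ordinary[hash_fn(cert)] = cert
    for j in range(tries):
        twin = make_cert("twin.example", True, j)
        if hash_fn(twin) in ordinary:
            return ordinary[hash_fn(twin)], twin
    return None  # no collision within the search budget

def demo(hash_fn):
    """Return (request verifies, twin verifies), or None if no collision exists."""
    pair = find_colliding_pair(hash_fn)
    if pair is None:
        return None
    requested, twin = pair
    sig = ca_sign(requested, hash_fn)  # the authority only ever sees the request
    return verify(requested, sig, hash_fn), verify(twin, sig, hash_fn)

if __name__ == "__main__":
    print("weak hash:", demo(weak_hash), "| strong hash:", demo(strong_hash))
```

With the truncated hash, the signature issued for the ordinary certificate also verifies for the twin. With the longer digest, the same search finds no pair to exploit.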

RapidSSL, a certificate authority owned by Verisign, issued the MD5 certificates that the team exploited. Independent security researcher Alexander Sotirov, who helped turn the theoretical work on MD5 into the real attack, says that the attack was possible not only because of MD5, but because of lax security in the way that RapidSSL issues certificates, which made it easy to produce a collision.

Just six hours after the researchers gave their presentation, Verisign announced that RapidSSL had moved to a more secure hash function. Tim Callan, vice president of product marketing for Verisign, explains that the company had been working on the move since it bought RapidSSL in 2006. However, he says, the company was proceeding cautiously because it didn't want to disrupt the SSL services already offered to its partners. "If you are arbitrary or capricious with that, then what happens is that people will respond by using lower-security alternatives," Callan says.

Sotirov credits Verisign for acting quickly in response to the attack, but says that the current infrastructure for certificates "is not working very well at all." He adds, "It's worrisome that so many certificate authorities are equally trusted," particularly when different authorities use different standards to verify the identity of potential clients and to secure the certificates that they issue. He says that market forces, which reward certificate authorities for fast response times and low prices rather than for good security, are creating a "race to the bottom" that increases the chance of security issues in the future.

Sam Curry, vice president of product management for security company RSA, which abandoned MD5 in its certificate authorities about a decade ago, says that he thinks it's important for companies to stay on top of theoretical attacks before they become real ones. "I'm thrilled, in a way, when people find these theoretical weaknesses because it means that we're actually doing real testing and real, deep thinking about it," Curry says. "I'm not thrilled when the practical ones roll out, because that's when people get hurt."

But Kocher says that it's unlikely that average users will be affected. While certificate authorities should pay serious attention to the researchers' attack, he says that, unfortunately, there are much easier ways to scam users online.