Yesterday (December 30, 2008) was published a very interesting paper called “MD5 Considered Harmful Today – Creating a Rogue CA Certificate”, authored by Alexander Sotirov, Marc Stevens,
Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger.
This paper describe the usage of collisions on the MD5 hash function to forger a intermediate CA certificate with a valid signature from a “trusted” root CA, based on an end entity certificate issued by the same “trusted” root CA.
Besides the theoretical foundations of the collision search algorithm, there are lots of interesting engineering aspects described in the paper, namely:
- The search for root CAs that use MD5
- How to predict the serial number and validity period of the end entity certificate issued by the root CA
- How the collision search space was defined
- How a cluster of Play Station 3 was used to run the collision algorithm
The paper also contains a set of recommended counter-measures against the described attack.