The MD5 cryptographic hashing algorithm had taken a beating from security researchers in the early 2000s. It was getting cheaper and easier to generate MD5 collisions. That is, two different blobs of data could be generated that had the same output digest when run through the MD5 algorithm, sometimes with attacker-controlled input (a chosen-plaintext collision).
The implications of practical collision attacks against hashing algorithms such as MD5 are widespread. However, attacks up to 2008 had been primarily academic in nature: “Hey, look I can generate two giant files that have the same MD5 hash, if I lease out the supercomputer for a month.”
Free eBook: Modern Retail Security Risk – Get your copy now.
A group of security researchers decided to challenge the real-world security of the MD5 algorithm and targeted the Certificate Authorities (CAs) and PKI that form the underlying trust of SSL/TLS communications on the Internet. It turns out that several CAs were still using the MD5 algorithm for ensuring the integrity of their certificates.
So, this group of researchers pulled off a practical and severe MD5 collision attack against a CA’s certificate, allowing them to forge their own CA certificate and sign new valid certificates (eg. google.com) with it. And it didn’t take a ton of time and money, just a day or two using 200 Playstation 3s.
So, MD5 was ejected from use by CAs, and SHA-1 was the new algorithm of choice.
Ok, fast forward back to today.
The SHA-1 algorithm that we replaced MD5 with is facing similar pressure and attacks. We’ve also seen that it’s not just academic researchers we need to worry about, but large nation-state intelligence agencies that have more funding and resources than a few Playstation consoles and plenty of motivation and newly-documented ambition to break much of the cryptography used on the Internet to secure communications.
In fact, besides all the Snowden/NSA docs, the Flame malware discovered back in 2012 that is rumored to have been written (at least in part) by US intelligence agencies used an advanced private-developed variation of the MD5 collision attack in order to create a forged Windows Update certificate.
While SHA-1 is not in the same immediate peril as MD5 was back in 2008, we’ve learned to be a little more progressive in terms of Internet security, given a better understanding of where the intelligence community may be at in terms of capabilities compared to the attacks against SHA-1 that are publicly disclosed by academic researchers. So, to get a bit ahead of the curve, CAs have begun to issue SHA-2 based certificates and are slowly deprecating any SHA-1 certificates to avoid history repeating itself.
To accelerate the migration from SHA-1 to SHA-2, Google has decided to warn users about SHA-1 certificates in the Chrome web browser. In other words, if you visit a website that has not yet moved to a SHA-2 SSL certificate, Chrome will display a warning in the address bar where the “SSL lock” usually is. These changes to the Chrome web browser will likely hit hundreds of millions of Internet users this week with the release of Chrome 40, so get ready for warning-palooza!
To learn what this means for Duo customers and for normal users, please view the original article on Duo Security’s blog here.
By Jon Oberheide, Co-founder and CTO, Duo Security | @jonoberheide
About Duo Security