Ever wanted to be an Intermediate Certificate Authority?
By Tom Corelis - January 4, 2009
Speaking at the 25th annual Chaos Communication Conference (25C3) earlier this week, security researchers demonstrated the first known application of a years-old theoretical attack against the MD5 hashing algorithm used by companies like Verisign and Thawte to issue SSL certificates. SSL certificates use hash codes generated by a variety of algorithms, including MD5, to verify their issuer’s identity. The hash code is an important feature of public-key cryptography, which SSL is based upon, as it is essential to protecting the secret, private code that CAs use to sign SSL certificates. By exploiting a weakness specific to hashes generated with the MD5 algorithm – namely, that they are prone to “collisions”, or multiple inputs producing the same output – an attacker could derive a working private key from a single, regular SSL certificate, and then use that key to sign future SSL certificates with the original CA’s signature.
Read more here -->Link
No comments:
Post a Comment