Skip to: [ search ] [ menus ] [ content ] Select style [ Aqua ] [ Citrus ] [ Fire ] [ Orange ] [ show/hide more content ]



It’s dead, Jim…

…effectively… the MD5 encryption algorithm (cryptographic hash function), that is.

The MD5 algorithm is one of the algorithms that has commonly been used in secure transactions over the Internet using SSL (secure sockets layer). Other algorithms (e.g. SHA-1; which has mathematical weaknesses of its own) have also been used. Such secure transactions are used by banks, other financial institutions, and e-commerce sites. The MD5 algorithm has been known publicly to be weak since 2004, but, until now, nobody has published a practical attack based upon the weakness.

The attack published this week uses a forged authentication certificate and offers a “proof of concept” for the impersonation of “secure” Web sites. (Note added January 2, 2009: I once wrote about pretty green bars in browsers merely “raising the bar” a little higher for bad guys, or selecting for a “better class” of crackers, if you will. It looks like the pretty green bars have selected some “good guy” hackers at UC Berkeley.)

David Molnar, a doctoral student in computer science at the University of California, Berkeley, and six other researchers presented their findings during an afternoon session of the Chaos Computer Club’s annual conference in Berlin, Germany, Tuesday, December 30. Other team members included Jacob Appelbaum and Alexander Sotirov.

VeriSign, which operates the largest certificate authority in the world, acted quickly by removing the MD5 algorithm, as described in the blog of Tim Callan, vice president of product marketing.

Although the title of the CNET article is a little misleading (to me at least), since the browser is doing what it is “supposed to,” the article provides a good general overview of the attack, for the non-security specialist.

-Bill at Cheshire Cat Photo™

You can view higher-resolution photos (*generally* 7-30 megabytes, compressed) at the Cheshire Cat Photo™ Pro Gallery on Shutterfly™, where you can also order prints and gifts decorated with the photos of your choice from the gallery. Apparel and other gifts decorated with some of our most popular photos can be ordered from the Cheshire Cat Photo™ Store on CafePress®. Both Shutterfly™ and CafePress® ship to most international locations worldwide! If you don’t see what you want or would like to receive an email when new photos are up on the site, send us an email at info@cheshirecatphoto.com.

No Comments to “It’s dead, Jim…”

  (RSS feed for these comments)

You must be logged in to post a comment.


InspectorWordpress has prevented 52153 attacks.
Get Adobe Flash player