Attacks against cryptographic algorithms recently made headlines when a group of researchers from the United States and Europe demonstrated at the 25th Annual Chaos Communication Congress in Berlin how they could create forged digital certificates based on the MD5 (Message-Digest algorithm 5) hashing algorithm using about 200 Sony PlayStations. The MD5 hash function was used to create some of the digital certificates used by VeriSign to authenticate Websites.
Hash functions are used to create public-key algorithms to encrypt files and generate digital signatures for Websites and to authenticate applications, as well as in authentication schemes for a wide variety of applications and products including Secure Sockets Layer for communicating over the Web and within VPNs. Hash values can also be used as fingerprints for detecting duplicate data files, file version changes, and similar applications, or as checksums to guard against accidental data corruption.
The cracking of MD5 meant that forged digital certificates could be created to fool Website visitors into thinking a bogus Website was, in fact, legitimate -- an obvious potential boom for phishing sites. Shortly after the researchers' announcement, VeriSign moved to update all of the certificates it issued using MD5 to SHA-1 (Secure Hash Algorithm-1).
Security analysts have been urging organizations to stop using the aged MD5 algorithm for a number of years and to replace it, at the very least, with SHA-1. But, increasingly, experts say SHA-1 may only have a few years of usefulness left before it no longer provides a viable level of security.
"Weve got MD5 today, which is completely broken, but too many people are still using," says Paul Kocher, president and chief scientist of Cryptography Research, who helped author the SSL 3.0 standard. "And the recent work completed by researchers showed how easily MD5 certificates could be forged." But, Kocher adds, those organizations that have upgraded to SHA-1 may be looking at a situation where they'll have to update that aging algorithm in the next few years.