Security Advisory

Microsoft Security Advisory 961509

Research proves feasibility of collision attacks against MD5

Published: December 30, 2008

Microsoft is aware that research was published at a security conference proving a successful attack against X.509 digital certificates signed using the MD5 hashing algorithm. This attack method could allow an attacker to generate additional digital certificates with different content that have the same digital signature as an original certificate. The MD5 algorithm had previously shown a vulnerability, but a practical attack had not yet been demonstrated.

This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information. Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm.

While this issue is not a vulnerability in a Microsoft product, Microsoft is actively monitoring the situation and has worked with affected Certificate Authorities to keep customers informed and to provide customer guidance as necessary.

Mitigating Factors:

  • Microsoft is not aware of specific attacks against MD5, so previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. This issue only affects certificates being signed using MD5 after the publication of the attack method.
  • Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. Customers should contact their issuing Certificate Authority for guidance.
  • When visited, Web sites that use Extended Validation (EV) certificates show a green address bar in most modern browsers. These certificates are always signed using SHA-1 and as such are not affected by this newly reported research.

General Information

Overview

Purpose of Advisory: To assist customers in assessing the impact of this research announcement on their current certificate deployments.

Advisory Status: Issue Confirmed. No Security Update Planned.

Recommendation: Review the suggested actions and configure as appropriate.

References: Microsoft Knowledge Base Article 961509

This advisory discusses the following software.

Affected Software: None.

Frequently Asked Questions

What is the scope of the advisory?
This advisory aims to assist consumers in assessing the risk of certain applications using X.509 digital certificates and to recommend that administrators and certificate authorities cease using MD5 as an algorithm to sign digital certificates.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. Technologies that use a signing mechanism other than MD5 have been available for some time, and the use of MD5 as a hashing algorithm for signing purposes has been discouraged and is no longer a best practice. Microsoft will, however, evaluate any opportunities to strengthen technologies to detect fraudulent certificates. Although this is not a vulnerability in a Microsoft product, Microsoft is issuing this advisory to help clarify the actual risk involved to customers.

What causes this threat?
The root cause of the problem is a known weakness of the MD5 algorithm that exposes it to collision attacks. Such attacks would allow an attacker to generate additional certificates that have the same digital signature as an original. These issues are well understood, and the use of MD5 for specific purposes that require resistance against these attacks has been discouraged. However, until recently these attacks were considered difficult to implement. Recent research has now proven that collision attacks are feasible. At Microsoft, the Security Development Lifecycle already requires that MD5 no longer be used as a default algorithm in Microsoft software.

What might an attacker use this weakness to do?
An attacker could apply these attacks to fraudulently appear to a user as a legitimate, signed Web site or to send fraudulently signed e-mail. However, the techniques to perform these attacks and the underlying cryptography that facilitates them were not released by the researchers. Attacks are therefore very unlikely to be carried out at this point in time.

Suggested Actions

  • Review the Microsoft Knowledge Base Article that is associated with this advisory
    Customers who are interested in learning more about the topic covered in this advisory should review Microsoft Knowledge Base Article 961509.

  • Keep Windows Updated
    All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

  • Do not sign digital certificates with MD5
    Certificate Authorities should no longer sign newly generated certificates using the MD5 algorithm, as it is known to be prone to collision attacks. Several alternative and more secure technologies are available, including SHA-1, SHA-256, SHA-384 and SHA-512.

    Impact of action: Older hardware-based solutions may require upgrading to support these newer technologies.
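    To act on this guidance, administrators and CAs first need to know which certificates in their deployments carry an MD5-based signature. The following is an added example, not code from this advisory or from Microsoft: it walks the DER structure of an X.509 certificate just far enough to read the signatureAlgorithm OID and flags md5WithRSAEncryption. The certificate it runs on is a constructed, minimal stand-in built in the same block, not a real certificate.

```python
# Added example, not from the advisory: read the signatureAlgorithm OID from a
# DER-encoded X.509 certificate and flag MD5. The sample input is constructed.
MD5_RSA = "1.2.840.113549.1.1.4"            # md5WithRSAEncryption

def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents to dotted-decimal form."""
    arcs, cur = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        cur = (cur << 7) | (b & 0x7F)       # base-128; high bit marks continuation
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)      # signatureAlgorithm: AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(oid)

def uses_md5_signature(cert_der):
    return signature_algorithm_oid(cert_der) == MD5_RSA

# Constructed sample input: a minimal DER encoder and a certificate-shaped blob.
def der(tag, content):
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def fake_certificate(alg_oid_contents):
    tbs = der(0x30, der(0x02, b"\x01"))     # placeholder tbsCertificate
    alg = der(0x30, der(0x06, alg_oid_contents) + der(0x05, b""))
    sig = der(0x03, b"\x00" * 129)          # BIT STRING long enough for long-form length
    return der(0x30, tbs + alg + sig)
MD5_CERT = fake_certificate(bytes.fromhex("2a864886f70d010104"))     # 1.2.840.113549.1.1.4
SHA256_CERT = fake_certificate(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
```

    For a real certificate, pass the DER bytes read from the file (PEM must be base64-decoded first); the same walk applied to the signature field inside tbsCertificate lets you confirm the two algorithm identifiers agree. Certificates the check flags are candidates for reissue under SHA-1 or stronger at the CA's next signing opportunity, in line with the mitigating factors above.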

Other Information

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • December 30, 2008: Advisory published
