Vulnerability of a Cryptosystem
The vulnerability that has been discovered has a primary affect to a cryptosystem and a secondary affect to a cryptosystem. The vulnerability in question is a weakness in the MD5 algorithm that would allow for collisions in output. As a result, attackers can generate cryptographic tokens or other data that illegitimately appear to be authentic.
Now the secondary affect is that the MD5 hashes may allow for certificate spoofing on a Cisco ASA system.
If an attacker was able to exploit this weakness on the University's cryptosystem, the said attacker could construct forged data in a variety of forms that will cause software using the MD5 algorithm to incorrectly identify it as…show more content…
Users of systems with the OpenSSL command line utility can view certificate properties using "openssl x509 -text" or a similar utility. Certificates listed as md5RSA or similar are affected. Such certificates that include strange or suspicious fields or other anomalies may be fraudulent since there are no reliable signs of tampering it must be noted that this workaround is error-prone and impractical for most users.
For the secondary affect, Cisco announced that the hashing algorithm used in the digital certificates on the Cisco ASA cannot be changed; however, the ASA is unlikely to be affected by the attacks described in this research due to the way certificates are generated on the device. Also the Cisco IOS CA may be vulnerable to the attack described in this research when configured to utilize MD5 hashes in endpoint certificates, this is by default.
The research that Cisco has mentioned for the weakness/vulnerability can be found here: http://tools.cisco.com/security/center/viewAlert.x?alertId=17341, listed below are (2) fixes that Cisco will be releasing for the Cisco ASA and the Cisco IOS CA. While Cisco does recognize the weakness/vulnerability in the MD5 algorithm, it plans to alter the signature algorithm used in digital certificates and modify the methods utilized in creation of CA and endpoint certificates. They will address this in Cisco Bug ID: CSCsw88068. For the Cisco IOS CA, it has been announced that the device can be reconfigured to utilize a more