Microsoft Security Advisory warned today that a possible attack against the MD5 hash digital certificate could allow an attacker to generate their own certificate with information from the original. Microsoft warned that only the X.509 certificates could be attacked, and suggests users to upgrade to the newer SHA-1 algorithm.

Although the information was not published publically to allow hackers the chance to launch attacks on the vulnerability, Microsoft is keeping a watch on the possible attack, even though the vulnerability does not come in a Microsoft product. The researchers that discovered the MD5 X.509 digital signature vulnerability did not post the cryptographic background to the attack, which cannot be reproduced without it, leaving little or no risk to users who still use the X.509 signature. Most Digital Certificates are no longer signed using the MD5 X.509 method, but use the more secure SHA-1 algorithm.

MD5 is a widely used cryptographic hash function that encrypts with a 128-bit hash value. The MD5 hash typically outputs a 32 digit hexadecimal number, using a specific algorithm to secure bits of information.

Posted: Dec 30, 2008 11:22 pm