Intelligence, Society and Technology

Entries in encryption (6)

Tuesday, 30 Dec

Insecurity of the MD5 Hash

An encrypted digital certificate is used to assure you that you’re really on the website you think you are. But what if the certificate can be faked? That’s the scary scenario painted by researchers at UC Berkeley, who have found a way to crack the MD5 hash used to encrypt some certificates…

The researchers say they implemented an attack laid out theoretically in a paper published last year. To pull off their substitution, the researchers had to generate a CA certificate and a website certificate that would produce the same MD5 hash — otherwise the digital signature wouldn’t match the modified certificate. The effort was complicated by two variables in the signed certificate that they couldn’t control: the serial number and the validity period. To do the actual math of finding the MD5 collision, they used the “PlayStation Lab,” a research cluster of about 200 PlayStation 3s wired together at the EPFL in Lausanne, Switzerland. Using the powerful processors, they were able to crunch out their forgery in about three days.

They recommend signing authorities switch to a newer encryption method and drop MD5, but such changes will take time to occur worldwide. Most certifying authorities have abandoned MD5, but some continue to use it.
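Because some authorities still sign with MD5, a practical check on the relying side is to read a certificate's signature algorithm and flag MD5. The following is an added example, not code from the researchers or from this blog; the function names and the constructed certificate skeletons are assumptions made for illustration.

```python
# Added example: flag DER-encoded X.509 certificates whose signature uses MD5.
# The key below is the DER encoding of OID 1.2.840.113549.1.1.4.
WEAK_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def signature_oid(cert_der):
    """Return the OID bytes of the outer Certificate.signatureAlgorithm field."""
    tag, cert, _ = read_tlv(cert_der, 0)   # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return oid

def weak_signature(cert_der):
    """Return the weak algorithm's name, or None if the OID is not on the list."""
    return WEAK_SIG_OIDS.get(signature_oid(cert_der))

def tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(value)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + head + value

def sample_cert(oid_hex):
    """Constructed skeleton (not a valid certificate): serial and algorithm only."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xAA" * 128))
```

For a real certificate, convert PEM to DER first (for example with `ssl.PEM_cert_to_DER_cert` from the Python standard library) and pass the resulting bytes to `weak_signature`.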

Tuesday, 09 Dec

Insecurity of Wireless

Isn’t the concept of wireless security an oxymoron? A recent congressional report says so. InfoWorld’s Ephraim Schwartz says:

The fact is when it comes to security if you’re using a wireless device for voice or data you might as well be standing in any international airport and speaking to a colleague over a megaphone. Oh, and you might want to slow down from time to time to let the crowd around you take notes.

The report recommends the creation of a domestic department to maintain “sufficient manufacturing capabilities” at home to supply components and software that are not dependent on a global supply chain.

Some secure equipment is currently available, but it can be expensive. The Sectéra Edge can use commercial cellular bandwidth and is certified on AT&T, T-Mobile, and Sprint cellular networks, with Verizon due in January. The device goes for $3,150 with a one-year warranty.