Latest Posting to Security Corner: MD5 Hashing Algorithm No Longer Safe
Posted by: Ken Harthun
Just last week, two German security researchers, Alex Sotirov and Jacob Appelbaum, made a surprising announcement at the Chaos Communication Conference in Berlin: they had created a fraudulent Certificate Authority (CA) that had a valid signature from a root CA, Equifax, one of the oldest. The ramifications of this are far-reaching. Imagine what will happen if cyber criminals generate fraudulent certificates. [url=http://itknowledgeexchange.techtarget.com/security-corner/md5-hashing-algorithm-no-longer-safe/:17wlieqb]Read the entire post.[/url:17wlieqb]
Ken, for the security ignorant among us (including myself), can you elaborate a bit on what root CA valid signatures even are and what they do? Is this like a SSL certificate?
Thank you thank you!!
[quote="Ziggie":2trntmx4]Ken, for the security ignorant among us (including myself), can you elaborate a bit on what root CA valid signatures even are and what they do? Is this like a SSL certificate?[/quote:2trntmx4]
Hi Ziggie,
Yes, MD5 is a hash algorithm that has been used to verify the identity of the issuers of SSL certificates. Hash algorithms are used to reduce large data files to a simple, unique number that can then be used to identify the data in the same way that fingerprints identify humans. Valid root CA signatures on a certificate means that the CA has verified--through documentation, research, etc.--the identity of the issuer. You could get a certificate of your own if you wanted to provide a secure website that people would access using https://. The CA would ask you for certain identity information and when they were certain it was valid, would issue a signed SSL certificate to you.
Hope this clears it up a bit for you. I may do a newsletter article on the subject soon.
1 Guest(s)
