- By Category
- Entrust Authority
- Entrust SSL Certificates
- Entrust Entelligence
- Entrust GetAccess
- Entrust IdentityGuard
- Managed Services PKI
- Entrust Secure Transaction Platform
- Entrust TransactionGuard
- Entrust TruePass
- Entrust USB Tokens
- Products A-Z
Entrust SSL Certificates Not Affected by MD5 Vulnerability
Jan 12, 2009
Entrust SSL certificates based on SHA-1 standard, not issued via automated process
DALLAS, Jan. 12 /PRNewswire-FirstCall/ -- During the December 2008 Chaos Communication Congress in Berlin, Germany, researchers presented a demonstration on how to forge apparently-authentic digital credentials - notably SSL digital certificates - by taking advantage of a loophole in the use of the MD5 cryptographic hash function, an older 128-bit function that is still supported by today's Web browsers.
Entrust Certificate Services customers can be assured that all Entrust SSL certificates are based on SHA-1 - a hash algorithm developed by the National Institute for Standards and Technology (NIST) - and are not susceptible to this security concern. As a technology leader, Entrust is proactive in its approach to evolving security practices and is very involved in the formulation of new standards, including collaboration with such organizations as the CA/Browser Forum.
"The science of cryptography is rife with subtleties; seemingly harmless choices can sometimes have unexpected and dangerous consequences," said Entrust Director of Advanced Security Dr. Tim Moses. "In order to maintain a sound security posture, it is important to partner with vendors that reflect the latest cryptanalytic developments in their products and services."
To discuss these latest developments, Dr. Tim Moses authored "Exploiting weaknesses in the MD5 hash algorithm to subvert security on the Web". This technical white paper explores the Web PKI, digital signatures, hash algorithms, MD5 weakness and recommended precautions. To read more please visit: http://www.entrust.com/resources/download.cfm/23639/
Representing the highest level of SSL security, Extended Validated (EV) SSL certificates remain the only certificates that are issued to a set of industry-accepted guidelines. These guidelines not only consider verification requirements, but also address technical security requirements such as minimum key sizes, crypto algorithms and certificate extensions. As there are no guidelines for non-EV certificates, Entrust uses the current EV guidelines as a reference standard and has adopted many of its requirements in the issuance of other Entrust SSL certificate types.
"While the use of the MD5 hash standard is not in common use, these findings confirm that technology leaders need to constantly evolve and advance online security standards," said Entrust Senior Vice President Kevin Simzer. "This new ability for criminals to possibly obtain authentic-looking digital credentials makes securing online environments that much more challenging."
Additional concerns regarding SSL digital certificate verification were discovered last week when a technology blogger reported how he was able to obtain an illegitimate SSL digital certificate by taking advantage of an automated process that is popular with some certification authorities (CAs). The loophole was created when the person was able to fraudulently obtain digital certificates by exploiting the Domain Verification (DV) process.
Instead of involving human specialists in vetting each and every request for a certificate, the DV technique uses an automated process. While an automated process does reduce SSL vendor cost, it is subject to vulnerabilities that make it easier to obtain illegitimate SSL certificates.
In the interest of maintaining trust, Entrust does not issue domain-only verified SSL certificates. Each Entrust SSL digital certificate is issued only after a thorough, personalized organizational vetting process.
Extended Validation refers to rigorous, industry-standard validation methods used by certification authorities before issuing an EV SSL certificate. Conceived in response to the growing threats of phishing and man-in-the-middle attacks, Extended Validation SSL certificates were created by the CA/Browser Forum. EV SSL certificates are issued to Web sites only after rigorous validation of their identity. Current-generation Web browsers -- Microsoft Internet Explorer 7, Mozilla's Firefox 3, Opera 9.5 and Google Chrome, for example -- reflect this higher level of identity assurance with prominent and distinct trust indicators.
Entrust Extended Validation and Advantage SSL digital certificates are available for purchase through Entrust's Certificate Services Web site at www.entrust.net.
Entrust secures digital identities and information for consumers, enterprises and governments in more than 2,000 organizations spanning 60 countries. Leveraging a layered security approach to address growing risks, Entrust solutions help secure the most common digital identity and information protection pain points in an organization. These include SSL, authentication, fraud detection, shared data protection and e-mail security. For information, call 888-690-2424, e-mail email@example.com or visit www.entrust.com.
Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All Entrust product names are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited. All other company and product names are trademarks or registered trademarks of their respective owners.
AP Archive: http://photoarchive.ap.org
PRN Photo Desk, firstname.lastname@example.org
SOURCE: Entrust, Inc.