Oh my, a practical MD5 attack!

Those watching the advances in cryptanalysis over the last couple of years (since 2004, if I recall correctly) have had an interesting ride, well, as interesting as cryptanalysis gets.

A group of researchers just published the first "practical" MD5 attack: they created a rogue CA certificate whose signature collides with one issued by a trusted CA; read this for more information.

Some highlights of the attack include:

  1. The attackers were able to take advantage of CAs that use predictable serial numbers and issue certificates within a predictable amount of time
  2. The attacker has full control of the first 500 bytes of the colliding certificate, which means they can generate a subordinate CA certificate with a serial number unknown to the commercial CA
  3. The attack generates RSA keys that can be used to produce valid signatures
  4. The time needed to generate an RSA key pair that produces a collision is around 3 days (using a cluster of 200 PlayStation 3 machines running Linux)
  5. Certificate revocation cannot be used as a mitigation, unless the key being attacked belongs to a subordinate CA and the issuer is willing to revoke that certificate (affecting all children, even the legitimate ones).
  6. This is not a second-preimage attack and does not affect previously issued certificates

This means that they can trivially mint certificates (or any other signed objects) of their choosing that will be accepted as trusted by any entity (most commonly browsers and other clients) that trusts this key.

It sounds as if they are being responsible researchers by withholding the details of their attack until the affected Certification Authorities have had some time to re-issue those certificates.

In the end though, this is really the death knell of MD5; it's now officially no better than a CRC.

As an application and protocol developer I have always strived to make my designs crypto-agile and agnostic to accommodate varying customer needs. Later in life, when I started to appreciate the life cycle of a cryptographic algorithm, I also started to attribute those design decisions to algorithm sunsetting as well; the hard part, though, is not the design, it's the operational and legal implications of such a transition.

As I said, those watching things advance over the last few years should have been preparing for this, and hopefully have action plans in place, or already executed, mitigating the implications of the attack in question; the longer-term implications, though, require us to move away from MD5 and from the algorithms that have similar properties to it (even SHA-1, even though it is currently still generally considered safe).

This is why NIST has spun up the Hash Workshop; one of my co-workers, Niels Ferguson [warning: PDF link], has a horse in the race with some of his fellow cryptographers, and only time will tell how this will turn out.

posted on Tuesday, December 30, 2008 9:55 AM
