Ask the Expert

PKI vulnerabilities: How to update PKI with secure hash functions

I heard that at the Black Hat briefings this past July, researcher Dan Kaminsky demonstrated vulnerabilities in PKI cryptography. Can these vulnerabilities be practically exploited, and what can I do at my enterprise to prevent against that?

    Requires Free Membership to View

Yes, these vulnerabilities are real. The world of security is about reducing, not eliminating, risks and threats. What Mr. Kaminsky pointed out is that many PKI certificate common names are still being created using old hash functions -- MD5 and MD2 -- which are known to have exploitable weaknesses, instead of the stronger SHA-2 family of hash functions (SHA-224, SHA-256, SHA-384 and SHA-512).

Does this mean that PKI is no longer a trusted method of protection? No. As with any security technology, it's up to IT and security personnel to ensure that their protection and authentication technologies are kept up-to-date and that they follow the latest configuration and deployment recommendations such as those outlined by the OASIS Public Key Infrastructure Adoption (PKIA) Technical Committee or the NIST Federal PKI program (FPKI).

It's a fact that there are people out in the world actively working on gaining access to your information. PKI certificates, as an encryption/decryption method for protecting this information, are prime targets of attack, but they will still work well if the technology is kept current.

For more information:

This was first published in December 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: