This paper describes a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. By application of suggested scenario it is possible to create a rogue certificate, containing original electronic signature. This certificate allows to impersonate any website, including banking and e-commerce sites secured using the HTTPS protocol. Described technique takes advantage of a weakness in the cryptographic hash function, known as an MD5 collision.

Keywords: Дигитални сертификати, хеш колизија, PKI, сертификационо тело
Published on website: 1.1.1970