Introduction
Rapid developments in Information Technology (IT), fuelled by the emerging needs of an ever-evolving IT world, have led programmers and system developers to create better models for surmounting contemporary challenges. Computing has been undergoing tremendous change across its many dimensions, and these developments have rippled over into database technology design. New needs and challenges have emerged in data warehousing, data security, networking, and the optimisation of data system functionality and performance; this has revolutionised the IT domain, with notable strides in database technology and internet security. The report discussed and explored in this paper details empirical research findings on the loopholes and vulnerabilities in the generation of digital certificates, which stem from the weaknesses uncovered in a popular encryption method known as MD5.
Main body
The featured article is a technical piece detailing an IT problem scenario and its dynamics, specifically on the subject of data security. The problem scenario entails data warehousing injection loopholes associated with the popular MD5 algorithm, through which the researchers have unveiled new possibilities for internet attacks. The findings are the product of protracted and ongoing research into internet security solutions aimed at eradicating rogue web activity. According to the article, the researchers have illustrated an attack which enabled them to successfully generate a rogue Certification Authority (CA) certificate. The certificate would be accepted as genuine by all web browsers and would enable an attacker to impersonate a website, even one secured by the HTTPS protocol.
The article, which is written in the style of a technology review or a typical IT periodical or scientific review, goes deep into the technical side of its subject, in this case internet security. It features the research findings of internet security experts from different countries, including the USA, Switzerland and the Netherlands, who have experimented with a popular internet security encryption method known as MD5 to illuminate its loopholes and vulnerabilities. Going deeper into the technical aspects, the experts have unearthed and detailed the vulnerabilities in the internet Public Key Infrastructure (PKI) that is used to generate and issue digital certificates for secure websites. According to the article, the identified loopholes lie in the MD5 cryptographic hash function, which permits the generation of different messages with the same MD5 hash, termed an MD5 collision in the parlance of the article.
What is notable about the paper is its presentation of the material. It first sets out the potential problem scenario, then details possible attacks, and further outlines a possible criminal scenario that leverages the identified loopholes. According to the report, internet criminals will be in a position to generate a fraudulent CA certificate which would be tacitly accepted as genuine by many web browsers. The browsers would then display the sites in question as SSL secured, indicated by an intact padlock at the bottom right corner of the web page. Chris McNab (2000) sheds more light on SSL: “Secure Socket Layer (SSL) is an adopted internet security method which has come to be popularly used for the protection of data in transit, which incorporates all network services that make use of TCP/IP to leverage for typical applications functionalities and tasks of data exchange between servers and clients”. In the internet security loophole detailed in the report, hackers can manipulate the MD5 encryption method to have inauthentic sites passed as SSL secure. Such sites would then be able to conduct critical transactions and put all sensitive internet data warehousing in jeopardy. The report gives more precise detail on the foregoing: the criminals would be in a position to perform transparent man-in-the-middle attacks against SSL connections and thus be able to monitor and tamper with traffic to secure websites as well as email servers. The report quotes the researchers as saying that this successful proof of concept shows that the certificate validation performed by all web browsers can be compromised and severely subverted to serve the ends of web felons.
According to the attack scenario detailed in the article, web criminals (attackers) also have the leeway to monitor and/or interfere with data transmitted to ‘secure’ websites.
The paper makes a significant effort to provide details supporting its claims and findings. As a technical research review, it presents the evidence upon which those claims and positions are based. In the report, the experts Appelbaum and Sotirov are cited as indicating that MD5 has been broken since 2004, when the first ‘collision’ attack was established. Another piece of empirical research presented is a further, stronger collision attack, which was established in 2007. In close connection with the implications of this evidence, the paper raises the concern that, despite proven vulnerabilities and loopholes since the first attack was identified in 2004, MD5 signing is still extensively used by numerous digital and online certification entities, including RapidSSL, FreeSSL, TrustCenter, RSA Data Security, Thawte, and verisign.co.jp.
As a technical account of empirical research findings, evidence and implications, the article includes recommendations that draw on the implications of the reported findings. More precisely, the paper recommends that internet security practitioners move to more secure cryptographic hash functions such as SHA-1 and SHA-2. Michael E Whitman (2003) outlines that the SHA hash functions are a group of cryptographic hash functions designed by the National Security Agency (NSA) and published under the auspices of NIST as a US Federal Information Processing Standard. SHA is an acronym for Secure Hash Algorithm. Michael E Whitman (op. cit.) notes that the three SHA algorithms are designed uniquely and are distinguished as SHA-0, SHA-1, and SHA-2. He further notes that the SHA-2 family employs an identical algorithm with a variable key size, which is categorised as SHA-224, SHA-256, SHA-384, and SHA-512.
In tandem with the recommendations in the empirical research findings, it is concurred that SHA-1 is the best of the SHA hash security models, and its use has become widely popular in numerous web security platforms and protocols. The researchers have mentioned that the affected CAs have been notified and will have to move to the SHA-1 hash as soon as possible. Mentioning that the identified CAs have been notified is typical of empirical research reporting, since much technical research comes with implications and courses of action that are modelled and implemented in line with the consequences of authentic research findings. Brent Chapman (2004) notes that outlining recommendations and detailing notifications about identified system weaknesses is a popular feature of technical research reports, especially in IT (Brent Chapman et al., 2004).
The article also includes an assurance of safety for customers, mentioning that although the internet security loopholes of MD5 reported here are a new disclosure, clients are not necessarily at risk, since the researchers have not published the cryptographic background of the identified attacks. The paper also reinforces that the attack is not repeatable without that background information. The concerted effort to reassure users includes the software giant Microsoft, which is cited in the report as indicating that it is not aware of any active attacks employing the identified MD5 vulnerabilities but is liaising with certificate authorities to make sure that they are up to date on the intricacies and implications of the research findings reported in this article. Microsoft is reported to be forthright in urging certification authorities and all other interested entities to migrate to the newer SHA-1 certificate signing algorithm.
The research findings, details and implications are also corroborated by related reports on similar internet security research. Another article, by Angela Moscaritolo, mentions grave consequences for internet security practitioners who have not heeded the warning to migrate away from MD5. The writer importantly mentions that Certification Authorities (CAs) are causing a ripple effect of internet security problems that affect users beyond their own company clientele and operational landscapes. The writer urges companies to move to more secure cryptographic hash functions. The writer quotes Chris Wysopal, co-founder and Chief Technology Officer of the application security company Veracode, who sounded a strong warning that more collisions can be expected from the vulnerabilities featured in the scholarly paper, which are similar to those in the first article explored. According to Wysopal, certification authorities have had at least two years to upgrade to new and safer algorithms, and they have waited until they were furnished with evidence of MD5 loopholes and injections. He has issued a dire warning that all web security practitioners are vulnerable to the discovered insecurities, even those holding a web certificate from a CA which employs a more secure cryptographic hash function than the popular MD5, such as SHA-1 or SHA-2. According to the expert, this is because, as long as there remain CAs making use of MD5, an attacker can possibly forge a certificate from them and go on to impersonate any ‘secure’ website.
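An added example, not taken from the reviewed articles: since the risk described above persists while any CA still signs with MD5, a defender can audit a set of certificates for the md5WithRSAEncryption signature algorithm. The function names are assumptions of this example, and the two sample inputs are constructed DER skeletons, not real certificates.

```python
MD5_WITH_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption (PKCS #1)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OID content octets into dotted notation."""
    subs, value = [], 0
    for b in body:                         # base-128, high bit = more follows
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subs, value = subs + [value], 0
    first = min(subs[0] // 40, 2)          # first octet packs two arcs
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def signature_algorithm(cert_der):
    """OID of the outer signatureAlgorithm field of a DER certificate."""
    t0, cert, _ = read_tlv(cert_der, 0)    # Certificate ::= SEQUENCE
    t1, _tbs, pos = read_tlv(cert, 0)      # tbsCertificate (skipped)
    t2, alg, _ = read_tlv(cert, pos)       # signatureAlgorithm
    t3, oid, _ = read_tlv(alg, 0)          # algorithm OID
    if (t0, t1, t2, t3) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    return decode_oid(oid)

def audit(certs):
    """Names of certificates signed with MD5, from a {name: DER} mapping."""
    return sorted(name for name, der in certs.items()
                  if signature_algorithm(der) == MD5_WITH_RSA)

def _tlv(tag, value):                      # minimal DER encoder for the samples
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def _skeleton(oid_hex):                    # constructed, NOT a real certificate
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, bytes(300)) + alg + _tlv(0x03, bytes(129)))

SAMPLES = {"legacy-ca": _skeleton("2a864886f70d010104"),   # MD5 with RSA
           "modern-ca": _skeleton("2a864886f70d01010b")}   # SHA-256 with RSA
```

For real input, a PEM certificate can be converted to DER with Python's ssl.PEM_cert_to_DER_cert before being passed to audit.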
Conclusion
In summation, the article(s) analysed comprise reports on empirical IT research findings. The paper details the security dynamics explored in the domains of internet data warehousing and internet security. It is comprehensively and professionally put together as a well-structured research review outlining the problem scenario and its implications. The paper culminates in recommendations urging web security practitioners to migrate to safer certificate generation algorithms and curtail the highlighted problem, which has pervasive effects that can go beyond one insecure domain and can potentially harm extensive and sensitive networks across the web.
References
- Alan Schwartz, 2003, Practical UNIX and Internet Security, Oak Press, New York
- Tim Speed, 2002, The Personal Internet Security Guidebook: Keeping Hackers and Crackers Out, Milen Press, Sidney
- Chris McNab, 2000, Implementing Security Assessment: Know Your Network, McGraw Hill, London, UK
- Brent Chapman, Elizabeth D. Zwicky, 2004, Building Internet Firewalls, Networx Publishing, London, UK
- Michael E Whitman, Herbert J Mattord, 2003, Principles of Information Security, Milen Press, Oxford, UK
- Harold F. Tipton, Micki Krause, 2005, Information Security Management Handbook, McGraw Hill, USA