Cryptosystems have various challenges that render them vulnerable. Since the cryptosystem ensure data security and integrity, the weaknesses of such systems are very critical. The MD5 SSL has a critical vulnerability in that it is possible for one to create phishing sites that have valid SSL certificates. Such vulnerability is most probable using the HTTPS. In this case, the SSL certificates are made from an existing one using hash collision. Therefore, the users would think they are connected securely, and authentically while in actual reality they are connected to the attacker.
What the possible threats of such an occurrence? The attacker in this case is interested in various data in the university system. Although one may not know in particular the data the attacker requires, the following could be part of that. First, the attacker may want to manipulate the results of the student by stealing the identity of the administrators. Secondly, the attacker may be interested in the financial manipulation in that critical information on the financial status are stolen and or amended. In such a case, the university shall lose a lot in finances since some students or workers may appear as having paid or been paid yet it is not true o overpayment. The values may be manipulated too. The attacker may direct payment to the unidentified account in case access to the payment protocol.
What is the level of the threat? The threat is minimal since the attacker can only phish one’s data only during login process. It is this situation that makes it more of a chance happening than a certain occurrence, hence more difficult to undertake. The threat posed is not a bug. The system remains intact even when a random attack occurs. The threat of attack is of less significant to the university. However, the threat should not be ignored. The use of SSL VPN reduces the chances of the threat occurring. Altering the Cisco ASA is very difficult due to the nature of generation the certificates in the devices. However, Cisco has acknowledged the weakness of using the MD5 and has since moved on and altered the signature algorithm.
The university may not necessarily have to change the cryptosystem simply because of the potential threats. There could be no any 100% safe cryptosystem existing, and hence changing the cryptosystem does not change the situation. On the same note, the certificate authorities are constantly updating their products to reduce the weaknesses that the attackers. The MD5 SSL is widely used since they have proved reliable to acceptable levels.
The technical staff needs to be put in the know of the type of threats the weaknesses of MD5 possess. In this case, they shall be able to identify attacks soon after they have occurred and repair them. Such would reduce the levels of damages after the attacks. The technical staff should also be checking the SSL certificate subscribed to in the university system using the MD5 algorithm.
The non-technical staff needs to know on how systems are attacked. In many cases, the attackers do not use very sophisticated algorithms and systems that the basic end user may not notice. An end user would be required to click an “okay” or “enter” at some point to authorize the threats to be carried out. In this case, if the end user is aware of such, the attacks would not succeed.
References
Weaknesses in SSL certificates with a MD5 algorithm. Web. Retrieved from
https://www.networking4all.com/en/ssl+certificates/ssl+news/md5/ on June 11, 2014.
Vulnerability Note VU#836068, MD5 vulnerable to collision attacks. Web. Retrieved from
http://www.kb.cert.org/vuls/id/836068 on June 11, 2014.
MD5 Hashes May Allow for Certificate Spoofing. Retrieved from
http://www.cisco.com/c/en/us/support/docs/csr/cisco-sr-20090115-md5.html one June 11, 2014.
