Entrust SSL certificates based on SHA-1 standard, not issued via
DALLAS, Jan. 12 /PRNewswire-FirstCall/ -- During the December 2008 Chaos
Communication Congress in Berlin, Germany, researchers presented a
demonstration on how to forge apparently-authentic digital credentials -
notably SSL digital certificates - by taking advantage of a loophole in the
use of the MD5 cryptographic hash function, an older 128-bit function that is
still supported by today's Web browsers.
Entrust Certificate Services customers can be assured that all Entrust
SSL certificates are based on SHA-1 - a hash algorithm developed by the
National Institute of Standards and Technology (NIST) - and are not
susceptible to this security concern. As a technology leader, Entrust is
proactive in its approach to evolving security practices and is very involved
in the formulation of new standards, including collaboration with such
organizations as the CA/Browser Forum.
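The practical check a relying party or certificate administrator wants from the two paragraphs above is: which hash algorithm was this certificate actually signed with? The following is an added example, not Entrust's code or anything from the white paper. It walks just enough DER to read the signatureAlgorithm field of an X.509 certificate (and the matching field inside tbsCertificate, which RFC 5280 requires to be identical), decodes the OID, and flags MD5-based signatures as collision-forgeable. The OID table is the standard PKCS#1 / X9.62 set; the "certificate" used for the demonstration is a constructed DER skeleton with the right outer shape and no real signature, so the script runs offline. Beyond the page, the check also marks SHA-1 signatures as deprecated, since CAs and browsers have since stopped accepting them.

```python
"""Report the signature hash algorithm of a DER-encoded X.509 certificate.

Added example (not Entrust's code). Only the few TLVs needed to reach the
AlgorithmIdentifier fields are parsed; nothing is verified cryptographically.
"""
import base64

# Well-known signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
MD5_BASED = {"1.2.840.113549.1.1.4"}                        # forgeable (25C3, Dec 2008)
SHA1_BASED = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # accepted in 2009, deprecated since


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode base-128 OID contents into dotted form, e.g. '1.2.840.113549.1.1.4'."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_algorithm(cert_der):
    """Return (outer signatureAlgorithm OID, tbsCertificate.signature OID)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = _read_tlv(cert, 0)        # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)    # signatureAlgorithm
    tag, _, p = _read_tlv(tbs, 0)           # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, p = _read_tlv(tbs, p)         # serialNumber
    _, inner_alg, _ = _read_tlv(tbs, p)     # signature (inside tbsCertificate)
    return _algorithm_oid(sig_alg), _algorithm_oid(inner_alg)


def assess(cert_der):
    """Classify a certificate's signature hash: md5-forgeable, sha1-deprecated, ok, or mismatch."""
    outer, inner = signature_algorithm(cert_der)
    name = SIG_ALG_NAMES.get(outer, outer)
    if outer != inner:
        verdict = "mismatch"                # RFC 5280 4.1.1.2: the two fields MUST be equal
    elif outer in MD5_BASED:
        verdict = "md5-forgeable"
    elif outer in SHA1_BASED:
        verdict = "sha1-deprecated"
    else:
        verdict = "ok"
    return {"algorithm": name, "verdict": verdict}


def load_pem(text):
    """Strip PEM armour and return DER bytes (for use with real certificate files)."""
    body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


# --- constructed test data: a DER Certificate skeleton, not a real certificate ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_skeleton(sig_oid, inner_oid=None):
    """Constructed sample: Certificate { tbs { v3, serial 1, sig alg }, sig alg, dummy BIT STRING }."""
    alg = lambda o: _der(0x30, _der(0x06, _encode_oid(o)) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg(inner_oid or sig_oid))
    return _der(0x30, tbs + alg(sig_oid) + _der(0x03, b"\x00" * 17))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(assess(build_skeleton(oid)))
```

On a real certificate file, call `assess(load_pem(open("server.pem").read()))` (or pass the raw DER bytes directly); a `mismatch` verdict means the inner and outer algorithm fields disagree, which no conforming CA should ever produce.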
"The science of cryptography is rife with subtleties; seemingly harmless
choices can sometimes have unexpected and dangerous consequences," said
Entrust Director of Advanced Security Dr. Tim Moses. "In order to maintain a
sound security posture, it is important to partner with vendors that reflect
the latest cryptanalytic developments in their products and services."
To discuss these latest developments, Dr. Tim Moses authored "Exploiting
weaknesses in the MD5 hash algorithm to subvert security on the Web". This
technical white paper explores the Web PKI, digital signatures, hash
algorithms, MD5 weakness and recommended precautions. To read more please
Representing the highest level of SSL security, Extended Validation (EV)
SSL certificates remain the only certificates that are issued to a set of
industry-accepted guidelines. These guidelines not only consider verification
requirements, but also address technical security requirements such as minimum
key sizes, crypto algorithms and certificate extensions. As there are no
guidelines for non-EV certificates, Entrust uses the current EV guidelines as
a reference standard and has adopted many of its requirements in the issuance
of other Entrust SSL certificate types.
"While the MD5 hash standard is not in common use, these
findings confirm that technology leaders need to constantly evolve and advance
online security standards," said Entrust Senior Vice President Kevin Simzer.
"This new ability for criminals to possibly obtain authentic-looking digital
credentials makes securing online environments that much more challenging."
Additional concerns regarding SSL digital certificate verification were
discovered last week when a technology blogger reported how he was able to
obtain an illegitimate SSL digital certificate by taking advantage of an
automated process that is popular with some certification authorities (CAs).
The loophole was created when the person was able to fraudulently obtain
digital certificates by exploiting the Domain Verification (DV) process.
Instead of involving human specialists in vetting each and every request
for a certificate, the DV technique uses an automated process. While an
automated process does reduce SSL vendor cost, it is subject to
vulnerabilities that make it easier to obtain illegitimate SSL certificates.
In the interest of maintaining trust, Entrust does not issue domain-only
verified SSL certificates. Each Entrust SSL digital certificate is issued only
after a thorough, personalized organizational vetting process.
Extended Validation refers to rigorous, industry-standard validation
methods used by certification authorities before issuing an EV SSL
certificate. Conceived in response to the growing threats of phishing and
man-in-the-middle attacks, Extended Validation SSL certificates were created
by the CA/Browser Forum. EV SSL certificates are issued to Web sites only
after rigorous validation of their identity. Current-generation Web browsers
-- Microsoft Internet Explorer 7, Mozilla's Firefox 3, Opera 9.5 and Google
Chrome, for example -- reflect this higher level of identity assurance with
prominent and distinct trust indicators.
Entrust Extended Validation and Advantage SSL digital certificates are
available for purchase through Entrust's Certificate Services Web site at
Entrust (Nasdaq: ENTU) secures digital identities and information for
consumers, enterprises and governments in more than 2,000 organizations
spanning 60 countries. Leveraging a layered security approach to address
growing risks, Entrust solutions help secure the most common digital identity
and information protection pain points in an organization. These include SSL,
authentication, fraud detection, shared data protection and e-mail security.
For information, call 888-690-2424, e-mail firstname.lastname@example.org or visit
Entrust is a registered trademark of Entrust, Inc. in the United States
and certain other countries. In Canada, Entrust is a registered trademark of
Entrust Limited. All Entrust product names are trademarks or registered
trademarks of Entrust, Inc. or Entrust Limited. All other company and product
names are trademarks or registered trademarks of their respective owners.
For further information: Brooke Hamilton, Media Relations of Entrust,
Inc., +1-972-713-5915, email@example.com Web Site: