Imagine that you have recently joined a University as a central information security analyst. On a busy Wednesday morning, your supervisor tells you that a significant vulnerability has been discovered in the University’s cryptosystem. Since this is a serious matter, he wants you to do some research and come up with a list of things that the University should do to handle the situation. When you inquire about the vulnerability, he points to the following URLs:
http://www.microsoft.com/technet/security/advisory/961509.mspx
http://www.win.tue.nl/hashclash/rogue-ca/
http://www.kb.cert.org/vuls/id/836068
http://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html
You are a bit unsure about how your University uses the cryptosystem, so he explains that the University uses Message-Digest algorithm 5 (MD5) in a wide variety of areas. These include hashing to check for file integrity of downloaded files, as well as MD5 hashes that the University provides for its own files that it makes available for download, MD5 based-signing certificates from the University’s internal Certificate Authority. In addition, the University uses a Cisco ASA firewall device which can create and sign digital certificates for users and systems. These ASAs use MD5 by default, and the University has used the ASAs to create certificates for critical systems in some departments.
With these considerations in mind, you are required to submit a report on the threat the University faces and what response it would require from your institution. Briefly explain what the University should do about the vulnerability, and what effect any changes required might have on the institution or its students, employees, graduates, or other populations. The summary should include what the vulnerability is, how dangerous it could be, what are its effects and how it can be countered or remediated. You should address communication of the issue, such as who would need to be made aware of it and how. Therefore, while writing the summary, consider answering the following questions:
What effect does the vulnerability have on the cryptosystem?
Is the threat significant? What would an exploit of the cryptosystem mean to your organization?
How easy is it to exploit the vulnerability?
Does a tool exist to exploit the vulnerability?
Is the cryptosystem still usable but with caveats, or should it be replaced?
Can your organization easily replace the cryptosystem?
Has an exploit been released?
