[opensuse] 25C3: Hackers completely break SSL using 200 PS3s

Hi all,

I'm sending this to both the users list and the off-topic one as it has a rather big impact:
http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-p...

Happy New Year everyone!

Martin
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org

Martin Mielke said the following on 12/31/2008 10:37 AM:
Hi all,
I'm sending this to both the users list and the off-topic one as it has a rather big impact:
http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-p...
See also http://www.washingtonpost.com/wp-dyn/content/article/2008/12/30/AR2008123001...

<quote>
Appelbaum said that his group's attorneys advised against giving Verisign advance notice, citing the possibility that the company could convince a judge that it was in the best interests of public safety to prevent the researchers from publicly presenting their findings. "Our lawyers advised us that telling the CA about this increases the chances of us getting into serious legal trouble that may ultimately prevent us from speaking about it," Appelbaum said.
</quote>

You may recall that Boston Transit used a court order to prevent MIT researchers presenting about security flaws in the Oyster (?) swipe-card system. I seem to recall that some voting machine companies also have this belief that covering up their flaws is good for the general public.

--
"The Singapore government isn't interested in controlling information, but wants a gradual phase-in of services to protect ourselves. It's not to control, but to protect the citizens of Singapore. In our society, you can state your views, but they have to be correct." - Ernie Hai, coordinator of the Singapore Government Internet Project

Martin Mielke wrote:
Hi all,
I'm sending this to both the users list and the off-topic one as it has a rather big impact:
http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-p...
"This attack is possible because of a flaw in MD5. MD5 is a hashing algorithm; each unique file has a unique hash."

This is incorrect. A hash is not unique, as more than one file can have the same hash. This is well known and called a "collision", and results because a hash is a fixed length, for example 128 bits, and is the result of an arbitrary-length file. As soon as the original file exceeds 128 bits in length, you run out of available "unique" hashes. So, in fact, there are an infinite number of files that have the same hash. The problem is finding one that matches. As is often the case, hashes can fall to brute force attacks, which is apparently what this is.

The hard part of this is getting your hands on 200 PS3s. ;-)

--
Use OpenOffice.org <http://www.openoffice.org>

On Wednesday, 2008-12-31 at 13:24 -0500, James Knott wrote:
...
The hard part of this is getting your hands on 200 PS3s. ;-)

If there is money in it, I'm sure there will be "bad guys" making use of the flaw. Maybe they already did, silently.

--
Cheers,
Carlos E. R.

Martin Mielke wrote:
Hi all,
I'm sending this to both the users list and the off-topic one as it has a rather big impact:
http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-p...
Happy New Year everyone!
Martin

Hmmm... reading the article a little closer. This was only possible from one certificate supplier with two key bits of knowledge about that supplier's certificates, a fixed certificate signing response time and a sequential serial number, and took two days to perform with $20K worth of computing power... Not quite in the same league as the WEP hack....

Truth of the matter is no security mechanism will ever be 100%, and if someone is determined enough it can be broken. The real issue is to make it economically non-viable to do it (and possibly put in tripwires so you know someone is trying to do it)....

In this case I would focus on the question of the use of sequential serial numbers and a static response time... a little randomness in these could make the problem more difficult (but not impossible)...

News, folks: the sky has not fallen yet....

--
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup

On Friday, 2009-01-02 at 10:15 -0000, G T Smith wrote:
Hmmm... reading the article a little closer. This was only possible from one certificate supplier with two key bits of knowledge about that supplier's certificates, a fixed certificate signing response time and a sequential serial number, and took two days to perform with $20K worth of computing power... Not quite in the same league as the WEP hack....

But the "bad guys" can have that kind of manpower and money, if there is money to be earned. Just look at the amount of phishing attempts every day...

Truth of the matter is no security mechanism will ever be 100%, and if someone is determined enough it can be broken. The real issue is to make it economically non-viable to do it (and possibly put in tripwires so you know someone is trying to do it)....

Yes.

In this case I would focus on the question of the use of sequential serial numbers and a static response time... a little randomness in these could make the problem more difficult (but not impossible)...

That is very true. I wonder if they checked other authorities and how many they found vulnerable.

--
Cheers,
Carlos E. R.

Carlos E. R. wrote:
On Friday, 2009-01-02 at 10:15 -0000, G T Smith wrote:
Hmmm... reading the article a little closer. This was only possible from one certificate supplier with two key bits of knowledge about that supplier's certificates, a fixed certificate signing response time and a sequential serial number, and took two days to perform with $20K worth of computing power... Not quite in the same league as the WEP hack....
But the "bad guys" can have that kind of manpower and money, if there is money to be earned. Just look at the amount of phishing attempts every day...

Phishing largely depends on the naivety of the end user, like any other con. So it is a different line of attack, and there is no security against stupidity. IIRC most phishing attacks make use of other people's machines' resources :-)

Certificates normally have an expiry date, so therefore this kind of attack would normally only be useful if the hack can be reasonably achieved within the time frame of the expiry cycle. The generation process time has probably been significantly reduced because two factors are known and predictable; the real question is what the generation process time is if these are not known (or, to put it more accurately, the probability of successfully generating a forged certificate before it expires, if these factors are not known). The weakness of the approach is that it also can be nullified very simply (and according to this report already has).

In this case I would focus on the question of the use of sequential serial numbers and a static response time... a little randomness in these could make the problem more difficult (but not impossible)...
That is very true.
I wonder if they checked other authorities and how many they found vulnerable.

They said 97% of the certificates which used the method came from one source, and they targeted this source. As a result certs issued by this source are to be flagged as dodgy. They say nothing about the other 3% also using the method, so to what extent this is a flaw in MD5-signed certificates or a flaw in how the source deploys those certificates is a moot point. I would only be really worried if I was using a certificate from this source to protect something of value on the basis of this report; it really says little about the security (or lack of it) of MD5 certificates in general. Not something I would be inclined to press the panic button for, but I would not discount it either...

--
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
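Added example (my own code, not from any post in this thread): the discussion above turns on whether a certificate is signed with md5WithRSAEncryption, so this is a minimal DER walk that pulls the outer signatureAlgorithm OID out of an X.509 certificate and flags the MD5 one, the check a defender would run over a trust store or a captured chain. It assumes DER-encoded input; the two sample certificates are constructed skeletons carrying only the fields the check reads, not real certificates.

```python
# Dotted OID (PKCS#1) of the RSA signature algorithm built on MD5, the one the 25C3 attack exploited.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def der_read_tlv(buf, pos):
    # Read one DER tag-length-value at pos; return (tag, value, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    # Split a constructed element's contents into (tag, value) children.
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    # Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted notation.
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:              # clear high bit terminates the arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    tag, body, _ = der_read_tlv(cert_der, 0)
    assert tag == 0x30                # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _tbs, (alg_tag, alg_body), _sig = der_children(body)
    oid_tag, oid_raw = der_children(alg_body)[0]
    assert alg_tag == 0x30 and oid_tag == 0x06
    return decode_oid(oid_raw)

def weak_signature(cert_der):
    # Name of the weak algorithm, or None when the signature hash is not MD5.
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm(cert_der))

# Constructed samples (not real certificates): only the outer SEQUENCE and the
# signatureAlgorithm field are populated, which is all the check above inspects.
def _der(tag, content):               # short-form length only (content < 128 bytes)
    return bytes([tag, len(content)]) + content

def sample_cert(oid_bytes):
    tbs = _der(0x30, _der(0x02, b"\x01"))                      # tbsCertificate: dummy serial
    alg = _der(0x30, _der(0x06, oid_bytes) + b"\x05\x00")      # AlgorithmIdentifier {oid, NULL}
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))     # + placeholder BIT STRING

MD5_RSA_CERT = sample_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04")     # 1.2.840.113549.1.1.4
SHA256_RSA_CERT = sample_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # 1.2.840.113549.1.1.11
```

On a real certificate the same walk applies to the bytes of a DER (not PEM) file; the tbsCertificate is skipped as an opaque child, so its size does not matter.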
participants (5): Anton Aylward, Carlos E. R., G T Smith, James Knott, Martin Mielke