25C3: Hackers Completely Break SSL Using 200 PS3s

A team of security researchers and academics has broken a core piece of internet technology. They made their work public at the 25th Chaos Communication Congress in Berlin today. The team was able to create a rogue certificate authority and use it to issue valid SSL certificates for any site they want. The user would have no indication that their HTTPS connection was being monitored/modified.

This attack is possible because of a flaw in MD5. MD5 is a hashing algorithm; each unique file has a unique hash. In 2004, a team of Chinese researchers demonstrated creating two different files that had the same MD5 hash. In 2007, another team showed theoretical attacks that took advantage of these collisions. The team focused on SSL certificates signed with MD5 for their exploit.

The first step was doing some broad scans to see what certificate authorities (CA) were issuing MD5 signed certs. They collected 30K certs from Firefox trusted CAs. 9K of them were MD5 signed. 97% of those came from RapidSSL.

Having selected their target, the team needed to generate their rogue certificate to transfer the signature to. They employed the processing power of 200 Playstation 3s to get the job done. For this task, it’s the equivalent of 8000 standard CPU cores or $20K of Amazon EC2 time. The task takes ~1-2 days to calculate. The tricky part was knowing the content of the certificate that would be issued by RapidSSL. They needed to predict two variables: the serial number and the timestamp. RapidSSL’s serial numbers were all sequential. From testing, they knew that RapidSSL would always sign six seconds after the order was acknowledged. Knowing these two facts they were able to generate a certificate in advance and then purchase the exact certificate they wanted. They’d purchase certificates to advance the serial number and then buy on the exact time they calculated.

The cert was issued to their particular domain, but since they controlled the content, they changed the flags to make themselves an intermediate certificate authority. That gave them authority to issue any certificate they wanted. All of these ‘valid’ certs were signed using SHA-1.

If you set your clock back to before August 2004, you can try out their live demo site. This time is just a security measure for the example and this would work identically with a certificate that hasn’t expired. There’s a project site and a much more detailed writeup than this.

To fix this vulnerability, all CAs are now using SHA-1 for signing and Microsoft and Firefox will be blacklisting the team’s rogue CA in their browser products.

78 thoughts on “25C3: Hackers Completely Break SSL Using 200 PS3s

  1. Meh, no equipment needed, just few Vista sploits to erect and some botnet herd, or even better, steal someone else’s botnet about which technique there was a talk at the very same event.

  2. To those wonder why use PS3s: anonymity. If you bought $20k worth of compute time, there’s a record and a chance someone else will know what you computed. If you ordered a large number of high-performance FPGAs, there’s a record and it’s almost certain the FBI/DHS is watching vendors of such parts these days. You and few friends can walk into a few dozen consumer electronics stores and pawn shops a buy 200 PS3s over a week or two, in cash, with no record and perfect anonymity except for possibly some security camera tape.

  3. O.K. So now they have proved that you can you can hack certs. Are these guys going to take it a step further and create a technology that’s better that can’t be hacked for a few years. Now that they have the publicity they have the banks listening and could make a lot of money.

  4. @error404

    That doesn’t change what I said. MD5 was developed to be a hash. They knew that there would be collisions. This was accepted. MD5 was never broken. This doesn’t break MD5. This shows that MD5 works the way it’s been expected to work. MD5 does not generate a unique hash for every unique input. That is impossible. That was never the point of MD5. MD5 is not an encryption. It’s a way to encode something, pass a short string (the hash) and you can then quickly check if the encoded string is probably correct.

    To use an example. You have a password on your system. The system stores the password and the MD5 hash of the password. When you enter a password on your system, it first generates an MD5 of the inputed password and compares that to the stored MD5. This is a very fast comparison for various reasons that we don’t need to get into. If the hashes dont’ match, you return invalid password. If the hashes do match you can either then do the slower comparison and confirm that the inputted and stored passwords match.

    That is how MD5 is supposed to be used (one of the ways at least).

    Or you send data appended with an MD5 hash generated by the data and a secret key (like the timestamp of the send). The recieving end has bot the data and the secret key and can calc a new MD5 hash and use that as a quick check that the data most likely has arrived correctly.

    MD5 was never expected to be a 1 for 1, unique hash for every possible input. That’s impossible. They’ve known that for years. It was always just good enough. This doesn’t break anything because there was never anything to break (with regard to MD5).

  5. No teneis ni puta idea de lo que estáis hablando. Sacado del documento original:

    The vulnerability we expose is not in the SSL protocol or the web servers and browsers that implement it, but in the Public Key Infrastructure. This infrastructure has applications in other areas than the web, but we have not investigated all other possible attack scenarios. So other attack scenarios beyond the web are conceivable, such as in the areas of code signing, e-mail security, and in other areas that use certificates for enabling digital signatures or public key encryption.

    A leer más, chicos!!!

  6. Wow. That’s some really expensive phishing right there. I can’t afford one PS3 and they hacked together something like this with 200. Sha can’t possibly be used as a solution in it’s current state. It’s just as broken as MD5.

  7. “~$20K of Amazon EC2 time.”

    One PS3 is 300$, they used 200 of them which makes 60.000$. They could have bought 3 times the EC2 time and then be over with it, i really hope the ps3 found a good home after the test finished. Good work though.

  8. Why operate so close to the technological boundary? Are we so tight with storage and processing power that we can’t put MD5 and SHA together so a collision requires collisions in both.

    My guess is that would be safe for our lifetime…

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.