[conspire] How to break the whole Web PKI framework, using PS3s

Rick Moen rick at linuxmafia.com
Tue Dec 30 18:31:11 PST 2008


I wrote:

> Herewith, full HOWTO instructions for a Sony PlayStation 3 high-performance
> computing (HPC) cluster that anyone can construct using Fedora Core 8,
> the IBM Cell SDK 3.0, NFSv3, and "Openmpi" Message Passing Interface
> (MPI) libraries for cross-nodal communication -- further proof that the
> IBM Cell Broadband Engine aka "Cell" CPU is _amazing_
> (http://en.wikipedia.org/wiki/Cell_(microprocessor) ).
> 
> A test installation at University of Massachusetts at Dartmouth's
> College of Engineering using eight PS3s is already doing serious
> astronomy calculations, at supercomputer levels of performance.
[...]


And, it turns out, there are other _very_ interesting things you can do
with the massive array of _two hundred_ PS3 gamer boxes -- this
particular cluster being the one at EPFL in Lausanne, Switzerland:
http://www.win.tue.nl/hashclash/rogue-ca/

In short:  With just 18 hours of computing, they were able to crack a
Certificate Authority MD5 signature -- loosely speaking -- such that
they were then able to buy apparently genuine commercial SSL certificates
that will be believed and accepted by all current Web browsers.  Thus,
they are in effect able to run a rogue Certificate Authority.


  In combination with known weaknesses in the Domain Name System (DNS)
  protocol such as Kaminsky's "DNS Flaw" [K2] (see also [OMM]), the
  vulnerability we exposed opens the door to virtually undetectable
  phishing attacks. Without being aware of it, users can be redirected to
  malicious sites that appear exactly the same as the trusted banking or
  e-commerce websites they believe to be visiting. User passwords and
  other private data can fall into wrong hands.
  [...]

  Other applications than secure web communication using SSL might be
  vulnerable as well. Every Certification Authority that will honor
  requests for MD5-based certificates and that has sufficiently
  predictable serial numbers and validity periods, may be vulnerable to
  similar attacks. This may include Certification Authorities in the areas
  of e-mail signing and encryption, software signing, non-repudiation
  services, etc.

As the authors point out, MD5 hashing has been known to be weak (to have
findable "collisions") since 2004, yet it keeps being perpetuated in most
places.

The authors estimate that the computing power in a single PlayStation 3
is roughly equivalent to that of about "40 modern single-core processors".
They say their 18 hours of runtime (albeit spread across 200 PS3s) got
them results that would have taken _32 years_ on a typical desktop box.

Replacements for MD5?  The commodity current choice is SHA-1, but some
weaknesses were found in 2005, and SHA-2 still looks good.
(There is currently an NIST competition to select SHA-3 from several
dozen candidates:  http://www.schneier.com/crypto-gram-0812.html#11)
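The two properties the hashclash authors single out, a CA still signing with MD5 and a CA issuing predictable serial numbers, are both visible in the issued certificates themselves. The following is an added example, not part of the original post or of the hashclash team's tooling: a small hand-rolled DER walker that pulls the signatureAlgorithm OID and the serial number out of an X.509 certificate, flags MD5 signatures, and applies a simple heuristic for sequential serials across a batch from one issuer. The certificate bodies it inspects are constructed skeletons (version, serial and algorithm fields only, not valid certificates) so the script runs offline without any third-party library; the OID table and the `max_gap` threshold are the author's own choices.

```python
"""Flag X.509 certificates signed with MD5 and batches of serial numbers that
look sequential. Pure-Python DER handling; sample certificates are constructed
inline and are skeletons, not real certificates (added example, not from the
original post)."""

# Signature-algorithm OIDs worth recognising (assumed subset of the full list).
OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_HASH_ALGS = {"md5WithRSAEncryption"}


def der_read(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the value of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(b):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    parts, n = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        n = (n << 7) | (c & 0x7F)
        if not c & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))


def inspect_cert(der):
    """Return the signature algorithm, a weak-hash flag and the serial number."""
    _, cert, _ = der_read(der, 0)
    tbs, sig_alg, _sig_value = der_children(cert)[:3]
    alg_oid = decode_oid(der_children(sig_alg[1])[0][1])
    alg_name = OIDS.get(alg_oid, alg_oid)
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:               # explicit [0] version is optional
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    return {"alg": alg_name, "weak_hash": alg_name in WEAK_HASH_ALGS,
            "serial": serial, "serial_bits": serial.bit_length()}


def serials_look_sequential(serials, max_gap=1000):
    """Heuristic: a batch whose sorted serials all differ by small positive gaps
    is consistent with a counter, the property the rogue-CA work relied on."""
    s = sorted(serials)
    gaps = [b - a for a, b in zip(s, s[1:])]
    return bool(gaps) and all(0 < g <= max_gap for g in gaps)


# --- constructed test fixtures: a DER encoder just big enough to build skeletons
def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    parts = list(map(int, dotted.split(".")))
    out = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return out


def build_cert(alg_oid, serial):
    """Constructed certificate skeleton (NOT a valid certificate): version,
    serial and signature-algorithm fields only, plus a dummy signature."""
    ser = serial.to_bytes(max(1, (serial.bit_length() + 8) // 8), "big")
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(alg_oid)) + b"\x05\x00")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, ser) + alg)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    for oid, serial in [("1.2.840.113549.1.1.4", 0x10E2),
                        ("1.2.840.113549.1.1.11", 0x6F3A9C2E1B8D4F7A12)]:
        print(inspect_cert(build_cert(oid, serial)))
    print("sequential:", serials_look_sequential([0x10E0, 0x10E1, 0x10E2, 0x10E5]))
```

Run on real certificates, `inspect_cert` takes the DER bytes of a certificate (PEM needs base64-decoding first); the skeleton builder exists only so the example can exercise the parser offline. A weak-hash flag on a CA or end-entity certificate, or a batch of serials that `serials_look_sequential` accepts, is the signal the quoted passage describes and a reason to reject or re-issue.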
