Bench Press

The Crossroads of Science and Tech

Cluster of PS3s break MD5-SSL

View Comments

Some scary news if you’re an IT guy (although promising if, like us, you believe in the power of alternative processors), but basically it shows that the Playstation 3’s super-powered Cell processor really is useful for more than just Metal Gear Solid. 

928377_20080507_screen003

Brilliant visual depiction of research described below

By using the computational power of a cluster of 200 PS3s, researchers were able to create a fake certificate allowing them to usurp certification authority from Verisign’s RapidSSL public encryption method. What that means is that the researcher’s were able to create their own certificates, meaning that they could fool any browser into believing whatever identity the researchers threw at them. Translated into real-world terms, it means that the researchers could have, had they wanted to, convinced your browser that they were your bank, your ISP, eBay, or potentially a legitimate Microsoft/Apple software update

Image of the "Playstation Lab" cluster which executed the hack

Image of the "Playstation Lab" cluster which executed the hack.

The source of the hack comes from a weakness in using MD5, a popular hash-generating function which is supposed to turn large files into short 128-bit “passwords”. A 128-bit password may not seem like much (imagine converting a 200 page book into a short 200-letter sentence, you can’t recreate the book from that sentence), but the magic is that, like other cryptography methods, it is supposed to be incredibly difficult to create two files with the same MD5 “password” — a so-called “collision”. 

However, MD5 is not perfect, as a computationally intensive means of finding collisions was demonstrated in 2007, and while many certificate authorities had switched away from MD5, there were few who genuinely believed that the computational power was readily available to break it. And, while 200 Playstation 3’s is not super-easy to come by, given the profitability of such a scam, this recent exploit demonstrates that it no longer requires a massive multi-million dollar supercomputer to do the number-crunching needed (the researchers estimated that only $20,000 worth of computing power on Amazon’s Elastic Compute Cloud was needed to generate the fake certificate).

Thankfully, Verisign has confirmed that they are committed to phasing out MD5, and Microsoft and Mozilla have been fully briefed on the risk. Let us hope that is more than just empty promises.

(Image source: Playstation Lab cluster)

Written by ben

December 30th, 2008 at 10:40 am

Posted in technology

Tagged with , , , , , , ,

«
»
  • eddiepetosa
    I really trust the ssl certificates I get on the web and now that I've read this article, I don't know what to believe anymore. What if their research falls into the wrong hands or if some hackers find a way to fake certificates themselves?
  • Ben
    It's difficult to say for sure, but hopefully this inspires everyone to exercise a little more judgment when it comes to thinking about internet security. There is no magic bullet to solve problems like this (as there will always be a race between security and hackers), and no technological solution can ever match "common sense" as a form of security.
  • Wow, this is pretty impressive. Just another example of how ridiculously powerful the Cell can be.
blog comments powered by Disqus