Researchers Use PlayStation Cluster to Forge a Web Skeleton Key


patsu
30-Dec-2008, 19:25
http://blog.wired.com/27bstroke6/2008/12/berlin.html


A powerful digital certificate that can be used to forge the identity of any website on the internet is in the hands of an international band of security researchers, thanks to a sophisticated attack on the ailing MD5 hash algorithm, a slip-up by Verisign, and about 200 PlayStation 3s.

"We can impersonate Amazon.com and you won't notice," says David Molnar, a computer science PhD candidate at UC Berkeley. "The padlock will be there and everything will look like it's a perfectly ordinary certificate."

The security researchers from the U.S., Switzerland and the Netherlands planned to detail their technique Tuesday, at the 25th Chaos Communication Congress in Berlin.

Carl B
31-Dec-2008, 01:24
Patsu, incidentally, thanks for keeping some threads going in here lately, I've been way way distracted (and recently sick). :)

Yeah, I saw this today (just now actually) and I was like, this is crazy. It's going to be some positive light on the Cell out of nowhere that's for sure, and the creation of the false certificate itself, I mean wow serious implications.

Here's a link to the actual research release by the group:

http://www.win.tue.nl/hashclash/rogue-ca/

As well as an indication of just how important/grave this discovery was:

Update: December 30, 2008 | 5:45:00 PM

Verisign says it's stopped using MD5, as of around noon Pacific time.

"We're disappointed that these researchers did not share their results with us earlier," writes Tim Callan, "but we're happy to report that we have completely mitigated this attack."

patsu
31-Dec-2008, 17:33
No problem!

I'm in Chapter 9 of the Cell Programming book, installed YDL 6.1. Have been scanning for Cell information anyway.

The incident is indeed major. Corporate infrastructures that rely on PKI are probably getting a quick internal review/audit now :)

pcchen
02-Jan-2009, 19:28
It's a very tremendous oversight by Verisign that they still used MD5 for their certificates. MD5 has been broken for more than a year and no one should use MD5 for any purpose anymore. Even SHA-1 is not trusted very well anymore and NIST is holding a contest for a next generation secure hash function.