PS3 Cluster Used in Attack of MD5 Cryptographic Vulnerabilities
Wednesday 31st December 2008, 06:27:00 AM, written by Carl Bender
Yesterday, at the Chaos Communication Congress in Berlin, a team of researchers presented their report documenting a successful attack on known vulnerabilities within the MD5 cryptographic hash function, one of the commonly used encryption schemes for the assignment and verification of the Certification Authority certificates associated with secure Internet based transactions. Running a series of MD5 collision/birthday attacks premised on forward serial number assignment predictions, the team was able to synchronize purchase efforts in order to actualize a previously constructed CA certificate through the theft of the target CA's signature.
Such a rogue certificate allows the holder to create dummy and/or imitation sites registering as "trusted" by all major browsers in use today, permitting the circumvention of https and SSL as a barrier to stealing sensitive private and/or financial information. This particular certificate was therefore purposefully crippled via the validity dates assigned by the team. The research team is also for the moment keeping certain aspects of their implementation non-public for publication at a future time, giving industry time to respond to the MD5 situation in the interim. Verisign for its part has reported immediate cessation of the use of MD5 in new certificate issuances, and other certification companies are likely to follow shortly.
The full report on the MD5 vulnerability attack is viewable here.
In order to perform the computationally intensive collision operations required for the attack, the team utilized the "Playstation Lab" at Arjen Lenstra's Laboratory for Cryptologic Algorithms in Switzerland, a cluster consisting of 200 PS3 units. Well suited for cryptologic and other scientific applications, many institutions have opted for the relatively inexpensive route of clustering PS3 consoles to create a Cell/SPE-based supercomputing environment in lieu of more expensive options such as traditional HPC rack-mount solutions, or more transient options such as compute-time rental. The University of Massachusettes Dartmouth two weeks ago put up a guide for institutions and individuals looking to do the same, but needing assistance in creating the clustered environment.
Such a rogue certificate allows the holder to create dummy and/or imitation sites registering as "trusted" by all major browsers in use today, permitting the circumvention of https and SSL as a barrier to stealing sensitive private and/or financial information. This particular certificate was therefore purposefully crippled via the validity dates assigned by the team. The research team is also for the moment keeping certain aspects of their implementation non-public for publication at a future time, giving industry time to respond to the MD5 situation in the interim. Verisign for its part has reported immediate cessation of the use of MD5 in new certificate issuances, and other certification companies are likely to follow shortly.
The full report on the MD5 vulnerability attack is viewable here.
In order to perform the computationally intensive collision operations required for the attack, the team utilized the "Playstation Lab" at Arjen Lenstra's Laboratory for Cryptologic Algorithms in Switzerland, a cluster consisting of 200 PS3 units. Well suited for cryptologic and other scientific applications, many institutions have opted for the relatively inexpensive route of clustering PS3 consoles to create a Cell/SPE-based supercomputing environment in lieu of more expensive options such as traditional HPC rack-mount solutions, or more transient options such as compute-time rental. The University of Massachusettes Dartmouth two weeks ago put up a guide for institutions and individuals looking to do the same, but needing assistance in creating the clustered environment.
Tagging
±
Related News
NVIDIA GeForce GTX 275 at $250 to fight HD 4890
ATI Radeon HD 4890 launched at $250 with improved GPU
A look at NVIDIA's SLI Multi-OS and new Quadros
Article: Primer on Computational Architecture Trade-Offs
Chrome 9 HCM-powered single chip VIA VX855 annnounced
Mazatech release AmanithVG 4.0, supporting OpenVG 1.1
Say hello to GLOBALFOUNDRIES
Ahead Nero gets CUDA support for video encoding
Analysis: Intel-TSMC announcement more complex than reported
G92b renamed again, this time for notebooks
ATI Radeon HD 4890 launched at $250 with improved GPU
A look at NVIDIA's SLI Multi-OS and new Quadros
Article: Primer on Computational Architecture Trade-Offs
Chrome 9 HCM-powered single chip VIA VX855 annnounced
Mazatech release AmanithVG 4.0, supporting OpenVG 1.1
Say hello to GLOBALFOUNDRIES
Ahead Nero gets CUDA support for video encoding
Analysis: Intel-TSMC announcement more complex than reported
G92b renamed again, this time for notebooks
