Thursday, January 1, 2009

Researchers Create Web Skeleton Key With 200 PS3s


When somebody mixes a steroid bomb of gigantic processing power, it is, weirdly enough, often in order to blow the hell out of current security standards ...
/Sik


Quote





Using a cluster of 200 PS3s, an international group of researchers have crafted a "skeleton key" digital certificate that can perfectly impersonate any website on the internet.

The weak point that allows the technique to work—which researchers will be detailing at the 25th Chaos Communication Congress in Berlin—is the MD5 hash algorithm, which, basically, is what's used to create a fingerprint that makes it hard to forge digital certificates. Verisign's RapidSSL still uses the MD5 hash algorithm.

So, where do the crack-friendly PlayStation 3s come in? Well, they have to generate a CA certificate—the certificate that allows them to sign and verify certificates for any other site—and a website certificate that produce the same MD5 hash. A cluster of 200 PS3s were used to figure out where the MD5 hashes of their forged CA certificate and website certificate "collide," allowing them to "crunch out their forgery in about three days." [...]


Read more: http://gizmodo.com/5120924/researchers-create-web-skeleton-key-with-200-ps3s

Researchers Use PlayStation Cluster to Forge a Web Skeleton Key

By Kevin Poulsen

A powerful digital certificate that can be used to forge the identity of any website on the internet is in the hands of an international band of security researchers, thanks to a sophisticated attack on the ailing MD5 hash algorithm, a slip-up by Verisign, and about 200 PlayStation 3s.

"We can impersonate Amazon.com and you won't notice," says David Molnar, a computer science PhD candidate at UC Berkeley. "The padlock will be there and everything will look like it's a perfectly ordinary certificate."

The security researchers from the U.S., Switzerland and the Netherlands planned to detail their technique Tuesday, at the 25th Chaos Communication Congress in Berlin. 


Read more: http://blog.wired.com/27bstroke6/2008/12/berlin.html
