Security researchers have created a rogue certificate that would allow them (if they were malicious) to perform man in the middle attacks on any website. I.e. They could easily pretend to be your bank and steal your login info, amongst other things.
If this seems shocking to you, it's regular stuff for security on the web. Don't read security alert news if you like to blithely use the internet, is my advice.
Anyways, the key to this vulnerability is that some Certificate providers were still using MD5 as a cryptographic tool when creating certificates. MD5 is vulnerable and these guys have now proved it. Cool.
But the fun thing is - they use a cluster of 200 Playstation 3 gaming consoles to do their computation. That's just so cool. Maybe we can all harness Xbox Live next week to break SHA-1?
Can you picture criminals now deciding to turn your network attached Playstations and Xboxes into zombies so they can launch cryptographic attacks from the cloud?
Question. How much did your proof of concept research cost?
Answer. It took a few months to design and implement our method, based on a lot of knowledge and skills that we have developed over the last two years. We spent about USD 700 on purchasing test certificates from a CA. The computations needed for our work were done on a cluster of about 200 PlayStation 3 game consoles in the cryptanalytic lab at EPFL.Question. Why were game consoles used? What other hardware is suitable?
Answer. Game consoles use hardware specialized for the computational needs of the detailed 3D graphics in games. This hardware is also very suited for the basic arithmetic used in cryptographic algorithms and greatly outperforms general purpose computers on brute-force computations. We have found that one PlayStation 3 game console is equivalent to about 40 modern single core processors. The most computationally intensive part of our method required about 3 days of work with over 200 game consoles, which is equivalent to 32 years of computing on a typical desktop computer. Common graphic cards have been used by some for MD5 cryptanalysis as well.
Labels: playstation, security