SSL challenge -- broken !
-----BEGIN PGP SIGNED MESSAGE----- SSL challenge -- broken This is to announce the solution of the SSL challenge posted by Hal Finney on July 17, 1995 (message-ID: <3u6kmg$pm4@jobe.shell.portal.com>), also found at: <URL:http://www.portal.com/~hfinney/sslchal.html> The 40-bit secret part of the key is 7e f0 96 1f a6. I found it by a brute force search on a network of about 120 workstations and a few parallel computers at INRIA, Ecole Polytechnique, and ENS. The key was found after scanning a little more than half the key space in 8 days. The cleartext of the encrypted data is as follows: The SERVER-VERIFY message is: 9C B1 C7 83 D9 BB B7 75 01 6F 19 19 03 58 EC 05 MAC-DATA 05 MSG-SERVER-VERIFY AF 84 A7 79 F8 13 69 20 25 9B 53 A0 60 AE 75 51 CHALLENGE The CHALLENGE part is a copy of the challenge sent by the client in its first message. The answer is the CLIENT-FINISHED message: 22 BB 23 39 55 B0 7F B6 1A B0 35 85 F7 DB C1 E5 MAC-DATA 03 MSG-CLIENT-FINISHED BF EB 90 F8 2C 0C E1 EA 18 AC 11 4C 83 14 21 B6 CONNECTION-ID The next message is SERVER-FINISHED: D4 CD F3 4E 38 F1 2B 1E DC FD 72 C8 34 02 CD FF MAC-DATA 06 SERVER-FINISHED-BYTE 23 1C 05 40 60 72 49 6E 83 BA D1 28 CC 9B 5F 63 SESSION-ID-DATA Then comes the data message sent by the client. This is the juicy one. I have broken the contents into its fields (the body was just one long line) 72 23 B5 98 0D D0 07 1A DA F1 C7 A4 40 41 5A 10 MAC-DATA POST /order2.cgi HTTP/1.0 Referer: https://order.netscape.com/order2.cgi User-Agent: Mozilla/1.1N (Macintosh; I; PPC) Accept: */* Accept: image/gif Accept: image/x-xbitmap Accept: image/jpeg Content-type: application/x-www-form-urlencoded Content-length: 472 source-form=order2-cust.html& order_number=31770& prod_80-01020-00_Mac=1& carrier_code=UM& ship_first=Cosmic& ship_last=Kumquat& ship_org=SSL+Trusters+Inc.& ship_addr1=1234+Squeamish+Ossifrage+Road& ship_addr2=& ship_city=Anywhere& ship_state=NY& ship_zip=12345& ship_country=USA& ship_phone=& ship_fax=& ship_email=& bill_first=& bill_last=& bill_org=& bill_addr1=& bill_addr2=& bill_city=& bill_state=& bill_zip=& bill_country=USA& bill_phone=& bill_fax=& bill_email=& submit=+Submit+Customer+Data+ This order came from Mr Cosmic Kumquat, SSL Trusters Inc., 1234 Squeamish Ossifrage Road, Anywhere, NY 12345 (USA). Unfortunately, Mr Kumquat forgot to give his phone number, and the server's reply (in two packets) is: 09 12 AD FE A5 A9 BF D1 8C 8C E2 6A A3 48 B9 75 MAC-DATA HTTP/1.0 200 OK Server: Netscape-Commerce/1.1 Date: Wednesday, 12-Jul-95 05:40:30 GMT Content-type: text/html 1C CD C4 3D 80 F1 7B 94 11 AC E8 72 B1 99 BC FA MAC-DATA <TITLE>Error</TITLE><H1>Error</H1> The shipping address you supplied is not complete. The street address, city, state, zip code, country and phone number are mandatory fields. Please go back and specify the full shipping address. Thank you. This result was found with a quick-and-dirty distributed search program, which I wrote when I realized that the cypherpunks were going to be a few weeks late with their collective effort. When the program was running, it took little more than one week to find the key (it would have taken about 15 days to sweep the entire key space). I ran it on almost all the machines I have access to, summarized in the following table: type speed (keys/s) number notes - -------------------------------------------------------- DEC (alpha) 18000-33000 34 DEC (MIPS) 2500-7500 11 SPARC 2000-13000 57 HP (HPPA/snake) 15000 3 Sony (R3000) 1100-4000 3 Sun 3 600 2 Sequent B8000 100 x 10 1 (1) Multimax (NS532) 600 x 14 1 (1) KSR 3200 x 64 1 (1) (2) Notes: 1. These are multiprocessor machines 2. The KSR spent only about 2 days on this computation. The total average searching speed was about 850000 keys/s, with a maximum of 1350000 keys/s (1150000 without the KSR). Conclusions: * Many people have access to the amount of computing power that I used. The exportable SSL protocol is supposed to be weak enough to be easily broken by governments, yet strong enough to resist the attempts of amateurs. It fails on the second count. Don't trust your credit card number to this protocol. * Cypherpunks write code, all right, but they shouldn't forget to run it. I want to thank the people at INRIA, Ecole Polytechnique, and Ecole Normale Superieure for giving their CPU time. (Most of them are on vacation anyway...) You can find a copy of this text at <URL:http://pauillac.inria.fr/~doligez/ssl/announce.txt> -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCSAwUBMDG4dVNZwSQVabihAQGeFAPnUZil4WlauoMke9HaULDNOVf1hLXS0i9U VJWZsPHcihDbn6nBN9T6f3sW/S08N5YJFSCmuZzqO59c0nOAKILb6a3TsXjFEcu8 W8UfwFsZa6gx7iuYqandhoHBEkkc5NSwMe1f+lPiV2MdclzQ4/VtZ7Oa1VB+RftD Am4+w/Y= =Fju1 -----END PGP SIGNATURE----- **** This is a timestamp of the above message: -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQBVAwUAMDGsOeWrvYiumrHZAQF0QwIAnDWdVVTiVmUTY5lp08yPeLRoFetczb+U E0WVgTUJ4a16tinOPaJl/6jOpPUUPWMjkDaD2N1xw8lGqm0UgZJiGIkAkgMFATAx uKJTWcEkFWm4oQEBAQ8D5ixvYrpEAQYfeNXmbB46BTTnBwBPS/JjfVFEEnC0Zsoj cyh/WELUsZf785b23vEq9JFvZB+bq1UsJTpttl335TrW344ZYof3kl6fdEF2Jf5q LxQjkuP9s/OQX5iJZpHz4LUxbb+/hOwSdZ2O3LV7ETiHs9AK1+bnKfOGDyei =qO7V -----END PGP MESSAGE-----
On Wed, 16 Aug 1995, Damien Doligez wrote:
SSL challenge -- broken
Conclusions:
* Many people have access to the amount of computing power that I used. The exportable SSL protocol is supposed to be weak enough to be easily broken by governments, yet strong enough to resist the attempts of amateurs.
Exactly
It fails on the second count. Don't trust your credit card number to this protocol.
Huh? So you run on 120 workstations worth how much? to steal a credit card number worth how much? Get real - there are hundreds of ways to get credit card numbers that cost less. The idea is to make breaking SSL less attractive than dumpster diving not to make it impossible. I'll lay odds that I could get the credit card number of *any* individual in the US in less elapsed time and with nothing more than a $1000 windoze machinei, a telephone and a modem. John Pettitt jpp@software.net
On Thu, 17 Aug 1995, John Pettitt wrote:
On Wed, 16 Aug 1995, Damien Doligez wrote:
SSL challenge -- broken It fails on the second count. Don't trust your credit card number to this protocol.
Huh? So you run on 120 workstations worth how much? to steal a credit card number worth how much? Get real - there are hundreds of ways to get credit card numbers that cost less. The idea is to make breaking SSL less attractive than dumpster diving not to make it impossible. I'll lay odds that I could get the credit card number of *any* individual in the US in less elapsed time and with nothing more than a $1000 windoze machinei, a telephone and a modem.
I think the point here is that its not safe to send credit cards over the net and just like in rl, you got protect yourself by keeping a close eye on your credit card transactions. And to prove to our governments that RSA40 isn't a 'good enough' any more. On the other hand getting access to 120 workstations should'nt be to difficult for any system admin. Take my school for example, I could run the program on some 100 odd SGI Indy workstations, 2 SGI challenge S's and a challenger DM (2cpus) along with 2 DEC Alphas As long as I set it to a have high nice value, nobody would notice, or even mind. ________________________________________________________________________ Sameer Manek Seawolf@challenger.atc.fhda.edu ________________________________________________________________________
John Pettitt (jpp@software.net) wrote: : Huh? So you run on 120 workstations worth how much? to steal a credit : card number worth how much? Get real - there are hundreds of ways : to get credit card numbers that cost less. The idea is to make : breaking SSL less attractive than dumpster diving not to make it : impossible. I'll lay odds that I could get the credit card number : of *any* individual in the US in less elapsed time and with nothing : more than a $1000 windoze machinei, a telephone and a modem. I'll ignore the offer to gamble due to agreeing with you. However, your comparision to dumpster diving is kinda weak. People everytday use thousands of dollars worth of computer equipment to download pictures from select newsgroups. They have spent couple grand to be able to download and veiw these pictures on their screens. Now if you told them that they could just mail order some videos, magazines or the like, they'ld tell you it's "easier" their way. Many people have access to piles and piles of computer horsepower. People without that will still do dumpster diving, but bored sys-admins, college students, college-professors, office workers, etc will still have easy access to this type of computing power. The problem also lays in the fact that people are led to believe that their information is safe against most attacks, when it's obvious that this information is only safe for a very short time. Has anyone thought about starting up a distributed rc4 cracking web. Send in your message to a web server form, it will then spawn of requests to a pool of machines willing to try cracking rc4 for you. Allow anyone to offer up spare cycles towards the effort. -- -Matt (panzer@dhp.com) DI-1-9026 "That which can never be enforced should not be prohibited."
On 18 Aug 1995, Panzer Boy wrote:
John Pettitt (jpp@software.net) wrote: : Huh? So you run on 120 workstations worth how much? to steal a credit : card number worth how much? Get real - there are hundreds of ways : to get credit card numbers that cost less.
Has anyone thought about starting up a distributed rc4 cracking web. Send in your message to a web server form, it will then spawn of requests to a pool of machines willing to try cracking rc4 for you. Allow anyone to offer up spare cycles towards the effort.
I suggested that very thing just yesterday in the list, but my message seems to have gone awry. In short, I suggested we use E-Cash payments for cracking efforts. This would establish a reward for participating and an 'exchange rate' for e-cash at the same time.
participants (5)
-
Damien.Doligez@inria.fr -
David Neal -
John Pettitt -
panzer@dhp.com -
Sameer R. Manek