LIVE: The 25th annual CCC (Update 7) - MD5 attacks return
by Steve Ragan - Dec 30 2008, 11:00The Tech Herald has tuned into the video feed live from the CCC and will update you as things progress.
Update: 10:30A (EST)
The talk just finished. Interesting, to say the least. We are working on getting a copy of the video as well as comments from CAs and a few other vendors.
However, here are a few notes:
- Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger all took part in the research and development of the MD5 attack
- The attack is a revamped version of MD5 collision research seen from 2004-2007.
- The modifications to the 2007 research make this new attack a, "Perfect Man-In-The-Middle attack."
- The modifications to the 2007 research allowed Sotirov, Appelbaum, and Stevens to make themselves an Intermediate Certificate Authority.
- EV (Extended Validation) Certs are not vulnerable to this attack, as they are not allowed to use MD5 when signing certificates.
- The CA that got the most attention during the talk was RapidSSL. This is because out of a sample 30,000 Web site certificates, 9,000 of them were signed with MD5. Of those 9,000 sites, 97 percent were RapidSSL certs.
- There were other CAs mentioned along with RapidSSL. Each of them is aware of the issue, and will soon be moving to SHA-1
- The research used 200 PlayStation 3 systems. According to presentation slides, this is equal to 8,000 CPU cores.
- It took the researchers four attempts (one attempt per-weekend) to successfully pull off the MITM attack.
- The cost of the four attempts was $657.00 USD.
- They said the same attack could cost about $2,000 USD on Amazon EC2 and would take about one day to pull off if successful.
- Microsoft and Mozilla agreed to NDAs before they were told of the research. This was done to protect the research team, and they encouraged other security researchers afraid of lawsuits to do the same.
Once the notes and other bits of information are collected, we will report more about the issue.
Update: 9:30A (EST)
The talk centers on MD5 attacks, and why MD5 should be considered harmful today.
One interesting aspect is they pulled off the MD5 attack on CA's by using 200 PlayStation 3 systems.
Update: 9:25A (EST)
“If you leave the room, you won’t get back in.” That was the announcement just minutes before Alex and Jake’s talk started. The talk started a little late, mostly due to technical issues and computer configurations. However, when the video feed scanned the room, it was standing room only and no one seemed to mind the wait. No one was leaving.
While waiting for the talk to start, Jake setup a few IP configurations while Alex warmed up the crowd, “How many of you have used the Internet?” he asked. “How many of you have used secured Web sites on the Internet?” Alex goes on to ask how many people in the room have used these secured sites for something important, such as banking.
The questions, a lead up to their talk are only a tease. Yet, the second he started talking you could hear a pin drop in the room.
They are still working to fix technical issues.
Update: 9:10A (EST)
Alex Sotirov and Jake Appelbaum are almost set to start their talk, Making the theoretical possible: Attacking a critical piece of Internet infrastructure. On the video stream you can hear the rush of people entering Room 1. Warnings issued in English and German, urge people to take seats and clear the isles once again.
There is still no word on what the talk will cover, and judging by the crowd in attendance that you can see on the video, every one wants to know what all the fuss is about.
In about five minutes or so, we’ll find out.
UPDATE: 9:00A (EST)
Julian Assange and Daniel - whose last name was not audible on the video stream - gave the Wikileaks talk. Sadly, they suffered a major hard drive crash before talk this morning, got to love technology.
Half of those who attended the Wikileaks talk use the site on a regular basis. Most of the regular use comes from the mainstream media coverage linked to the site. Bank Julius Baer, for example, was the bank that caused Wikileaks to lose access to their main domain for a short time. This was a huge news cycle and Wikileaks gained thousands of references and links to their work thanks to the bank.
Other topics covered in the mainstream press included Sara Palin, The BNP, and the BVOE.
Julian told a humorous story about BND, where they couldn’t figure out a contact email address for Wikileaks so they can send legal threats.
However, most of Wikileaks work is missed by the mainstream press. Take for example, political assassinations. The Kenya document, released on Wikileaks from the Kenya Human Rights Commission, named names and listed details of several hundred murders.
As pointed out during the talk, no medium is easier to censor then the Internet. Censorship is being implemented globally. Just last week, a Wikileaks repot told the story of Thailand's Ministry of Information and Communication Technology (MICT). Wikileaks released a MICT list of more then 1200 websites, located all over the world for the reason of "lese majeste" or criticizing the King.
The Wikileaks talk centered on the past and future of the organization. However, the main focal point is why Wikileaks is relevant. It's relevant because censorship is global. Information is disappearing at an alarming rate.
The point they want to make is that each of us should be involved. Research, investigate, and produce original content. Be curious, report on it, and act on what you learn.
The entire talk, well worth the time to view, will be available online soon.
Update: 8:00A (EST)
Watching the CCC sessions, with the scramble of things before anyone starts a lecture, you see a blur of activity. Earlier this morning, during a talk on Soy, the presenter had some tech issues, and the just like during other conferences, there were tech people moving around hitting switches and plugging things in so the computer would display properly.
(Has anyone ever noticed, the computer and projector works great during trial runs, but when the heat is on and its presentation time, there are always issues?)
The Wikileaks crew, along with what appears to be event staff is working to get various cables and plugs situated before the start of the talk. It appears they are having some issues with one of the laptops on the stage.
Lots of people have turned out for the Wikileaks talk. From the camera panning it looks to be standing room only. They are announcing that people need to need to fill all the empty seats and not stand in the isles. (Clear the isles of cables, and luggage.) They are running slightly behind schedule.
Update: 7:45A (EST)
Nothing new to cover really, lots of people moving about in Room 1. Most of them are waiting for the Wikileaks presentation, Wikileaks vs. the World.
The Wikileaks talk will center on various topics including, “…experiences that have been made within the first year of its operation, the impact activities on Wikileaks had in various parts of the globe, technical, political and legal challenges faced as well as give an overview of the state of classic and internet media today…”
Should be an interesting presentation, as Wikileaks broke some impressive stories this year, including the Sara Palin email incident.
7:00A (EST)
The Chaos Communication Congress (CCC), now in its twenty-fifth session, ends today with presumably the best topics saved for last. Alex Sotirov's and Jake Appelbaum's pending talk at the CCC (Chaos Communication Congress) has generated some serious buzz. No one knows what they will discuss, aside from a select few, and the overview of their talk on the CCC website has been seriously censored.
“Their research combined a known weakness in one area with a massive resource investment in another to show that a third party was vulnerable to a practical attack that affects the security of all Internet users,” wrote HD Moore, Director of Security Research for BreakingPoint Systems. He is also one of the few security researchers who has seen the entire talk.
“Security researchers often release code and technical documentation to demonstrate a flaw, but in this case, they went a step further and used the attack in the real world to obtain proof that it works. This process required interaction with a third party that will likely do whatever they can to save face once the details become public,” he said.
Comment on this Story