Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Flame MD5 collision crypto attack was very hard to pull off

The MD5 collision attack carried out by Flame's authors took more attempts to pull off than the RapidSSL one in 2008

Article comments

The MD5 collision attack used by the creators of the Flame malware was significantly more difficult to pull off than an earlier attack that resulted in the creation of a rogue CA certificate, according to security researcher Alexander Sotirov.

In December 2008, at the Chaos Communication Congress (CCC) in Berlin, an international team of security researchers that included Sotirov presented a practical MD5 collision attack that allowed them to obtain a rogue CA certificate signed by VeriSign-owned RapidSSL.

The attack was significant because it showed for the first time that at least one of the known theoretical MD5 collision techniques could be used in practice to defeat the security of the HTTPS (HTTP Secure) protocol. To pull off the attack, the researchers used computing power generated by a cluster of 200 PlayStation 3s.

The creators of the Flame cyber-espionage malware used a similar attack to obtain a rogue digital certificate that allowed them to sign code as Microsoft. The certificate was used to distribute Flame to targeted computers as an official Windows update.

Last week, cryptanalysts announced that the MD5 collision attack used by Flame's creators was not identical to the RapidSSL one, which has been fully documented since 2009. Rather, the Flame attack uses a different method that might have been developed in parallel.

Flame harder to pull off than RapidSSL

While this is an impressive achievement in itself, it turns out that the Flame attack was also significantly more difficult to pull off than the RapidSSL one.

The RapidSSL attackers had a one-second window to obtain a legitimate certificate with a serial number they predicted in advance and whose signature could be copied over to their rogue certificate. It took several attempts to time this right, and after each failed attempt they had to generate a new rogue certificate, which took several hours.

The Flame attackers had only a one-millisecond window to obtain the right certificate signed by Microsoft, said Sotirov, co-founder and chief scientist at security firm Trail of Bits, in a presentation at the SummerCon conference on Saturday. That means they probably needed a far greater number of attempts to succeed.

The RapidSSL attack would have cost around US$20,000 if it had been performed on Amazon's EC2 cloud. The Flame attack would have cost between 10 and 100 times more, Sotirov said.

"[Sotirov's] analysis on the time window seems to be correct and is excellent research," said Marc Stevens, a scientific staff member in the cryptology group at the Dutch national research center for mathematics and computer science (CWI), via email.

Free access to powerful hardware

"This would significantly increase the overall cost and I agree with that assessment," said Stevens, another member of the team that performed the RapidSSL attack in 2008.

However, Stevens didn't agree with Sotirov's estimate for the theoretical cost of using Amazon's cloud for the attack. That's because there's currently not enough information about the MD5 collision method used in the Flame attack.

Sotirov assumes the attack had a similar cost-per-attempt as the RapidSSL one, Stevens said. However, the Flame attackers might have used a method that was faster, or one that was slower.

He expects they used a slower method, but that's still being researched and the findings won't be released until later.

The Flame attackers might also have had free access to powerful computer hardware, which would have significantly reduced the time required to perform the attack.

"More powerful hardware reduces the wall clock time," Stevens said. "The collision attack is highly parallelisable and a big cluster can be used very efficiently."



Share:

More from Techworld

More relevant IT news

Comments

Matt H said: For it to work not only would the black hats have to have perfect timing but unlimited funding and one or more supercomputers Occams razor would seem to indicate that the cert was issued manually by bribery or collusion and theFlame MD5 collision crypto attack was there for plausible deniability



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *