ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Fwd: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

2009-01-04 10:40:57
from [Eric Rescorla] [Permanent Link] 
At Sun, 4 Jan 2009 07:51:01 -0500,
Marshall Eubanks wrote:

I think that Hank raises a very good question. There has been
a very active discussion of this on NANOG, both re SSL, BGP and in  
general.

Here is the original link :

<http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-ps3s/
 
 >

Regards
Marshall

Begin forwarded message:


From: Hank Nussbacher <hank(_at_)efes(_dot_)iucc(_dot_)ac(_dot_)il>
Date: January 4, 2009 2:22:06 AM EST
To: Mikael Abrahamsson <swmike(_at_)swm(_dot_)pp(_dot_)se>, 
"nanog(_at_)nanog(_dot_)org" <nanog(_at_)nanog(_dot_)org 



Subject: Re: Security team successfully cracks SSL using 200 PS3's  
and MD5 flaw.

At 06:44 PM 03-01-09 +0100, Mikael Abrahamsson wrote:

On Sat, 3 Jan 2009, Hank Nussbacher wrote:


You mean like for BGP neighbors?  Wanna suggest an alternative? :-)


Well, most likely MD5 is better than the alterantive today which is  
to run no authentication/encryption at all.

But we should push whoever is developing these standards to go for  
SHA-1 or equivalent instead of MD5 in the longer term.


Who is working on this?  I don't find anything here:
http://www.ietf.org/html.charters/idr-charter.html

All I can find is:
http://www.ietf.org/rfc/rfc2385.txt
http://www.ietf.org/rfc/rfc3562.txt
http://www.ietf.org/rfc/rfc4278.txt

Nothing on replacing MD5 for BGP.



Oh boy...


1. This isn't a break in SSL per se. It's an attack on a single
CA which was still unsafely using MD5. As I understand it, they
have now fixed that. So, it's not clear to what extent this has
an ongoing impact. In particular, it only affects certificate-based
authentication, not authentication with a shared secret, as is
used in TCP-MD5.

My summary of the attack can be found
here: 
http://www.educatedguesswork.org/2008/12/understanding_the_sotirov_et_a.html


2. The MAC used in TCP-MD5 is weak by modern standards (for several
reasons, not just that it uses MD5) and there is already work going
on in TCPM to replace it. See draft-ietf-tcpm-tcp-auth-opt.

-Ekr


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Fwd: Security team successfully cracks SSL using 200 PS3's and MD5 flaw., Marshall Eubanks
Next by Date:  Re: [taugh.com-standards] Re: Review of draft-ietf-dkim-ssp-08, Dave CROCKER
Previous by Thread:  Fwd: Security team successfully cracks SSL using 200 PS3's and MD5 flaw., Marshall Eubanks
Next by Thread:  Renumbering needs work, Brian E Carpenter
Indexes:  [Date] [Thread] [Top] [All Lists]